Exploit goes public for severe bug affecting high-impact sites

by Dan Goodin, Ars Technica
(Image credit: Garrett Ziegler)

Banks, insurance companies, and Fortune 500 corporations take note: attack code has just gone public for a hard-to-patch vulnerability that hackers can exploit to take control of your website.

The critical vulnerability is located in Apache Struts 2, an open-source framework that large numbers of enterprise-grade organizations use to develop customer-facing Web applications. The bug, which has been present since 2008, allows end users to execute malicious code or commands by submitting maliciously modified data through search boxes or similar features hosted on the site.

Apache Struts maintainers released a patch on Tuesday. Unfortunately, installing the update is only the first step. Vulnerable sites must then use the new version to rebuild the affected Web apps and thoroughly test them before deploying them to production. The process can be labor- and time-intensive. What's more, this particular vulnerability may require developers to change the code that calls the Struts framework. Further complicating matters: many sites don't have a complete inventory of the apps they run, which makes determining whether they're at risk harder.
