Blog & Tools

Same software, new flaw - Apache Struts

Apache Struts?

Nearly a full year after we learned about the Apache Struts software vulnerability that led to the massive Equifax data breach, there’s an alert about another, similar problem.

The original Equifax data breach happened in mid 2017 and didn’t become public knowledge until September 7. The credit bureau had failed to patch the Apache Struts vulnerability and ultimately allowed hackers to access the personal data of 147 million people.

Now, security experts are warning of another newly-discovered bug in Apache Struts 2 because instructions on how to exploit this latest security hole are already being shared online for hackers.

Like other vulnerabilities in the cybersecurity world, when the problem is made public, we see an influx of cyber attacks almost immediately as hackers use the patch notes to exploit the vulnerability. They know there will be companies that don’t issue the patches immediately, which was the case for Equifax.

But the good news is, there IS a patch for this latest flaw and the attack is already being blocked for SDN Communications’ Managed Firewall customers with Intrusion Prevention Service (IPS). Responsible patch management can mean the difference between a safe and normal-functioning work week or a week where your company is liable for millions of consumers data.

“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” wrote Semmle co-founder Pavel Avgustinov.

Semmle is the software company whose researchers were responsible for discovering the critical vulnerability.

To secure your own systems, it is recommended to apply the appropriate patch immediately if your business utilizes the Apache Struts framework. The vulnerability affects all supported versions of Struts 2. Users of Struts 2.3 should upgrade to version 2.3.35; users of Struts 2.5 should upgrade to 2.5.17.

Aside from this specific vulnerability, it is important to practice responsible patch management on a consistent basis.

Related Blog: Apply security-related patches to computer sooner, not later

Related Blog: Businesses should closely screen software-service providers

SDN’s latest trio of cybersecurity posters includes one on updating devices. Use the button below to request a free download of all three infographics.

Free Cybersecurity Posters