A critical Apache Struts security flaw makes it 'easy' to hack Fortune 100 firms

Servers and data stored by dozens of Fortune 100 companies are at risk, including airlines, banks and financial institutions, and social media sites.
Written by Zack Whittaker, Contributor

(Image: Wikimedia Commons; file photo)

A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk.

The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability.

All versions of Struts since 2008 are affected, said the researchers.

Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo, a security researcher at LGTM, who led the effort that led to the bug's discovery, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems.

Mo said that all a hacker needs "is a web browser."

"I can't stress enough how incredibly easy this is to exploit," said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability.

"If you know what request to send, you can start any process on the web server running a vulnerable application," he said.

The vulnerability is caused by how Struts deserializes untrusted data, Mo said. An attacker can exploit the flaw to run any command on an affected Struts server, even behind a company firewall. "If the server contains customer or user data it's not hard at all to collect that data and transfer it to somewhere else," van Schaik said. The attacker can also use the server as an entry point to other areas of the network, effectively bypassing the corporate firewall and gaining access to other shielded-off areas of the company, he said.

"An attacker can use the vulnerability to find the credentials, connect to the database server, and extract all data," he said. Worse, he added, an attacker could delete data.

"A creative attacker will have a field day," he said. "And even worse: The organization under attack may not even notice until it is well too late."

An exploit has been developed by the security researchers but has not been released to give companies time to patch their systems. He said that he's not aware of anyone exploiting the vulnerability but warned that he expects this to change "within a few hours" of the bug's details being made public.

"Companies may indeed scramble to fix their infrastructure," van Schaik said.

A source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability.

But many companies will be vulnerable to attack until their systems are patched.

Several government websites, including the IRS and California's Deptartment of Motor Vehicles, along with other major multinational companies, such as Virgin Atlantic and Vodafone, use the software and are potentially affected by the vulnerability -- but van Schaik said that the list was "the tip of the iceberg."

As many as 65 percent of the Fortune 500 are potentially affected by the vulnerability, said Fintan Ryan, an industry analyst at Redmonk, in an email.

Ryan said the figure was based on the known usage of Struts across the Fortune 100, such as developer metrics and hiring data. He said that Struts is used typically to sustain or augment existing applications, rather than newer web applications.

There's no specific way for security researchers or attackers to externally test if a server is vulnerable without exploiting the vulnerability.

"It turns out that there is no other way than to announce the vulnerability publicly and stress how important it is that people upgrade their Struts components," van Schaik said.

"There is simply no other way to reach the companies who are affected," he said.

Editorial standards