Critical Apache Struts Vulnerability

Critical Apache Struts Vulnerability Requires Patching

What you need to know: 

  • Apache has disclosed a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.

  • Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater and should be applied as soon as possible. There are no workarounds that remediate the issue.

  • The information security team continues to investigate and respond to this vulnerability. If you detect Apache Struts in your system or software, contact Information Security. 
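One way to check a server for Struts against the fixed versions above, as an added example (not part of the original advisory or any Apache tooling). It assumes the core library keeps its Maven artifact file name `struts2-core-<version>.jar` and treats any version from 6 upward as belonging to the 6.3.0.2 line:

```python
import os
import re
import zipfile

# Fixed releases named in the advisory above.
FIXED_2X = (2, 5, 33)
FIXED_6X = (6, 3, 0, 2)
# Assumption: the core library keeps its Maven artifact file name.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$")


def parse_version(name):
    """Return the version tuple from a struts2-core jar name, else None."""
    m = JAR_RE.search(name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def needs_patch(version):
    """True when the version is below the fixed release for its line."""
    fixed = FIXED_6X if version >= (6,) else FIXED_2X
    return version < fixed


def scan(root):
    """Walk root; report struts2-core jars on disk and inside WAR/EAR files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            names = [path]
            if fname.lower().endswith((".war", ".ear")):
                try:
                    with zipfile.ZipFile(path) as zf:
                        names = [path + "!" + n for n in zf.namelist()]
                except (zipfile.BadZipFile, OSError):
                    continue  # unreadable archive: skip, do not abort the scan
            for name in names:
                version = parse_version(name)
                if version:
                    label = ".".join(map(str, version))
                    findings.append((name, label, needs_patch(version)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for name, ver, vulnerable in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("PATCH " if vulnerable else "ok    ") + ver + "  " + name)
```

The scan looks one archive level deep, so a WAR nested inside an EAR, or a renamed or repackaged copy of the library, will not be found and still needs a manual or vendor check.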

Who is affected?

  • Server and system administrators running Apache Struts 2.

  • Service owners managing vendors whose technology includes Apache Struts.

Why it matters

  • Attackers could remotely take control of a system or web application as well as the data housed within it.

Additional Resources