Apache Struts you're stuffed: Vuln allows hackers to inject evil code into biz servers

Malicious code can be pushed into servers running Apache Struts 2 apps, allowing scumbags to run malware within corporate networks. The critical security vulnerability was discovered by researchers at Semmle, who today went public with their find. Apache Struts is a popular open-source framework for developing applications in …

  1. Aitor 1

    Love struts.

    So much, I think it is sacred and should never be touched, let alone used!

    It is not the first time it has come under attack, and in my opinion it is a bit outdated; I personally prefer REST web services, which you can implement as you want, be it with Struts 2, Spring, Python, Node.js...

  2. Anonymous Coward

    > and I personally prefer rest webservices, you can implement them as you want, be it with struts2, spring, python, nodejs...

    This is Struts 2 we're talking about, which has something of a history: https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/ . The other frameworks you mention will all have vulnerabilities; the good guys just haven't found, fixed and published them (hopefully in that order) yet.

    We have no idea whether the bad guys have found and are even currently exploiting them.

    1. Aitor 1

      I know...

      I know Struts 2 has quite some history... both of security bugs AND forking... as it was originally a fork of Struts that got to be "Struts 2", as it was way better than the original. Still hate it; I find the approach quite bad, if well meaning.

  3. Anonymous Coward

    Java

    Lol

  4. Christian Berger

    Isn't serialization something inherently scary?

    I mean you turn an object, which can contain both data and code, into a binary blob, then you turn that blob back into data... and code. I mean if you send that binary blob across the network, you should at least be scared that it's not compatible between different versions of your code.

    1. teknopaul

      Re: Isn't serialization something inherently scary?

      AFAIK you only serialize the data; the class (the bytecode) is not serialized. It would be nice to know more details on the attack.
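
The point made in the two comments above (a Java serialized stream carries field values and class names, not bytecode, and the danger lies in which classes the receiving JVM is willing to instantiate) can be checked directly. The following is an added example, not code from the article, the commenters, or the Struts project; `Greeting` and the allowlist filter are constructed for illustration. It serializes a small object, inspects the raw bytes, and then deserializes under a JEP 290 `ObjectInputFilter` that accepts only the expected class and rejects anything else before that class's deserialization hooks can run.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class SerializationDemo {

    // Constructed sample class: only its field values travel in the stream,
    // along with the class name so the receiver can look the class up locally.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Allowlist filter (constructed for this example): permit only Greeting and
    // String; reject every other class named in the stream. Checks that carry
    // no class (depth, reference count, stream size) are left UNDECIDED, which
    // ObjectInputStream treats as allowed.
    static final ObjectInputFilter ALLOW_GREETING = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED;
        }
        return (c == Greeting.class || c == String.class)
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    static Object deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter); // must be set before readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Greeting("hello"));
        // ISO-8859-1 maps each byte to one char, so substring checks work on the raw stream.
        String printable = new String(bytes, StandardCharsets.ISO_8859_1);
        // The stream names the class and carries the field value; it holds no bytecode.
        System.out.println("stream names the class: " + printable.contains("SerializationDemo$Greeting"));
        System.out.println("stream carries the field: " + printable.contains("hello"));

        Greeting g = (Greeting) deserialize(bytes, ALLOW_GREETING);
        System.out.println("round trip: " + g.text);

        // A stream naming a class outside the allowlist is refused before any of
        // that class's readObject/readResolve logic executes.
        byte[] other = serialize(new ArrayList<>(List.of("x")));
        try {
            deserialize(other, ALLOW_GREETING);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter API is available from Java 9 onwards; the same allowlist can be applied JVM-wide without code changes through the `jdk.serialFilter` system property, which is the practical mitigation when the deserializing code lives inside a framework rather than in your own classes.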

  5. Anonymous Coward

    Thanks a bunch

    The critical security vulnerability was discovered by researchers at Semmle, who today went public with their find. [...] Developers are advised to patch Apache Struts to version 2.5.13, which was released today.

    Very obliging of Semmle to give Apache time to issue a fix. Somewhat less obliging is not giving users any time to test and deploy the fix.

    1. Anonymous Coward

      Re: Thanks a bunch

      If you think hackers aren't reverse engineering patches and identifying flaws then you're kidding yourself. Going public at the same time as the patch is the best strategy I can see.
