On 05 September 2017, security researchers announced (https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement) a critical remote code execution vulnerability in Apache Struts.
All Struts versions released since 2008 are affected, making web applications that use the REST plugin vulnerable. Upgrading to Apache Struts version 2.5.13 or 2.3.34 is recommended.
Exploitation of the vulnerability allows an attacker to execute arbitrary code on the application server. It can be triggered by a web request that takes advantage of the way Struts deserializes untrusted data.
It has been claimed that at least 65% of Fortune 100 companies use web applications built with the Struts framework. Additionally, there have been reports of multiple working exploits for CVE-2017-9805 being observed in the wild.
Since the announcement of CVE-2017-9805, the AppCheck research and development team has created a plugin that detects this vulnerability in affected Struts applications.
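As an added example (not AppCheck's plugin and not Struts project code), the following Python triages a WEB-INF/lib jar listing against the fixed releases named above, flagging deployments that pair an affected struts2-core with the REST plugin. The Maven jar-naming convention, the sample listing, and the treatment of 2.x branches that never received a fix are assumptions.

```python
import re
from typing import Iterable, Tuple

# Fixed releases named in the advisory; anything older on the same branch is affected.
FIXED_RELEASES = {(2, 3): (2, 3, 34), (2, 5): (2, 5, 13)}

# Assumed Maven naming: <artifact>-<version>[-qualifier].jar, e.g. struts2-core-2.3.32.jar
JAR_RE = re.compile(r"^(struts2-[a-z-]+?)-(\d+(?:\.\d+)+)(?:-[\w.]+)?\.jar$")

# Constructed WEB-INF/lib listing for demonstration, not from a real deployment.
SAMPLE_WEB_INF_LIB = [
    "commons-lang3-3.6.jar",
    "struts2-core-2.3.32.jar",
    "struts2-rest-plugin-2.3.32.jar",
    "xstream-1.4.8.jar",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); any non-numeric suffix is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when a Struts 2 version predates the fixed release of its branch."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # Struts 1 is a separate framework without the REST plugin
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        # Assumption: 2.0-2.2 never received a fix; anything newer than 2.5 postdates it
        return v[:2] < (2, 5)
    return v < fixed  # tuple comparison handles 2.5.10.1 < 2.5.13 correctly


def triage_web_inf_lib(jar_names: Iterable[str]) -> dict:
    """Report the core version, REST plugin presence and resulting exposure."""
    found = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            found[m.group(1)] = m.group(2)
    core = found.get("struts2-core")
    affected = core is not None and is_affected(core)
    rest = "struts2-rest-plugin" in found
    # Exposure needs both an affected core and the REST plugin on the classpath
    return {"core_version": core, "rest_plugin": rest,
            "affected_core": affected, "exposed": affected and rest}
```

Run `triage_web_inf_lib(SAMPLE_WEB_INF_LIB)` to see the constructed listing flagged as exposed; replacing the core and plugin jars with 2.3.34 clears the flag.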
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network and cloud infrastructure. AppCheck is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).