Ransomware raids aimed at specific targets with big pockets. Another Struts vulnerability — but scarier than last year’s. An Android spyware that records your phone calls. These are some of the security stories that have caught our attention.
New Struts Bug Should Be Patched Yesterday
Apache patched a serious remote code execution vulnerability (CVE-2018-11776) affecting all supported versions — 2.3 to 2.3.34 and 2.5 to 2.5.16 — of the widely used Struts Java application framework. The bug is considered more dangerous than the one disclosed last year in Struts that was exploited in the massive data breach at Equifax.
In the Apache security bulletin, the vulnerability is rated “Critical” and users are advised to immediately upgrade to Struts 2.3.35 or Struts 2.5.17.
The remote code execution becomes possible “when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace” and “when using url tag which doesn’t have value and action set,” the bulletin reads.
Organizations should upgrade to the patched Struts versions even if their applications aren’t vulnerable to this bug. “An inadvertent change to a Struts configuration file may render the application vulnerable in the future,” stated Semmle, whose security researcher Man Yue Mo discovered this vulnerability.
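As an added example (not code from Apache, Semmle or the bulletin), the following Python script parses a struts.xml and flags results that match the first condition quoted above: redirectAction or chain results with no namespace param inside a package whose namespace is missing or a wildcard. The sample configuration is constructed, the set of result types checked is an assumption, and the JSP url-tag condition is not covered; a clean report is a reason to keep watching the configuration, not a substitute for upgrading.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml: the "wild" package matches the risky pattern
# (wildcard namespace, result with no namespace), the "safe" package does not.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="forward" class="com.example.ForwardAction">
      <result type="redirectAction">target</result>
    </action>
  </package>
  <package name="safe" namespace="/app" extends="struts-default">
    <action name="forward" class="com.example.ForwardAction">
      <result type="redirectAction">
        <param name="namespace">/app</param>
        <param name="actionName">target</param>
      </result>
    </action>
  </package>
</struts>
"""

# Result types that build a new action URL and therefore need a namespace.
# Assumption: only these two types are audited here.
NAMESPACE_DEPENDENT_RESULTS = {"redirectAction", "chain"}


def is_unsafe_namespace(ns):
    """No namespace at all, or a wildcard namespace, is the precondition the bulletin names."""
    return ns is None or ns.strip() == "" or "*" in ns


def find_risky_results(struts_xml):
    """Return (package, action, result) for every namespace-dependent result that
    has no explicit namespace param and sits in a package with no or wildcard namespace."""
    root = ET.fromstring(struts_xml)
    findings = []
    for pkg in root.iter("package"):
        if not is_unsafe_namespace(pkg.get("namespace")):
            continue  # namespace is fixed by configuration, not derived at request time
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if result.get("type") not in NAMESPACE_DEPENDENT_RESULTS:
                    continue
                has_ns = any(p.get("name") == "namespace" for p in result.findall("param"))
                if not has_ns:
                    # Struts' default result name is "success" when none is given.
                    findings.append((pkg.get("name"), action.get("name"), result.get("name", "success")))
    return findings


if __name__ == "__main__":
    for pkg, action, result in find_risky_results(SAMPLE_STRUTS_XML):
        print(f"review: package={pkg} action={action} result={result}")
```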