6.9.17

Critical security flaw leaves Fortune 100 firms vulnerable

Fortune 100 companies could be open to hackers after a security vulnerability was discovered in widely used server software, security researchers have said.

The discovered weakness would allow hackers to remotely run code on servers that utilize the REST plugin from Apache Struts, and it is reported that all versions since 2008 are affected.

Due to the vulnerability, hackers could easily take control of an affected server that uses the popular Java MVC framework, effectively leaving highly sensitive data at the mercy of would-be cybercriminals.

The issue is estimated to affect 65% of Fortune 100 companies including organizations such as Citigroup, Vodafone, Virgin Atlantic, along with several US governmental websites such as the Internal Revenue Service (IRS) and Department of Motor Vehicles.

According to the researchers, the risk is so high because the framework is used to design and build “publicly-accessible web applications.”

One of the security researchers who discovered the vulnerability, Man Yue Mo, outlined the severity of the issue: “Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser.”

Struts released a full patch on Tuesday that they say will fix the vulnerability and are urging users to upgrade to the latest version, 2.5.13, immediately. The Struts team has rated the patch as critical, with the upgrade addressing a “Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads.”
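The upgrade advice above can be turned into a quick inventory check of a deployed application. The script below is an added example, not code from the article or the Struts project; it assumes a standard Maven-style WEB-INF/lib layout with jar names such as struts2-rest-plugin-<version>.jar (assumed naming) and flags any struts2-rest-plugin jar older than 2.5.13, the fixed version the article names.

```python
import re
from pathlib import Path
from typing import Iterable

# Fixed version named in the article's upgrade advice.
FIXED_VERSION = (2, 5, 13)

# Matches Struts 2 artifact jars in Maven naming, e.g. struts2-core-2.5.10.jar
# or struts2-rest-plugin-2.3.20.jar (assumed layout; qualifiers like -SNAPSHOT are ignored).
JAR_RE = re.compile(r"^(struts2-[a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple:
    """Turn '2.5.10' into (2, 5, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def assess_jars(jar_names: Iterable[str]) -> dict:
    """Summarise which Struts 2 artifacts are present and whether the REST plugin needs upgrading."""
    artifacts = {}
    for name in jar_names:
        match = JAR_RE.match(name)
        if match:
            artifacts[match.group(1)] = parse_version(match.group(2))
    rest_plugin = artifacts.get("struts2-rest-plugin")
    # Anything below 2.5.13 is reported; older 2.3.x deployments are flagged as well,
    # following the article's advice to move to the latest release.
    outdated = {name: ver for name, ver in artifacts.items() if ver < FIXED_VERSION}
    return {
        "artifacts": artifacts,
        "rest_plugin_present": rest_plugin is not None,
        "outdated": outdated,
        # The flaw is tied to the REST plugin, so action is required only when it is deployed and old.
        "needs_action": rest_plugin is not None and rest_plugin < FIXED_VERSION,
    }


def assess_directory(lib_dir: str) -> dict:
    """Run the check against a real WEB-INF/lib directory on disk."""
    return assess_jars(path.name for path in Path(lib_dir).glob("*.jar"))


if __name__ == "__main__":
    # Constructed sample WEB-INF/lib listing for demonstration only.
    sample = ["struts2-core-2.5.10.jar", "struts2-rest-plugin-2.5.10.jar", "xstream-1.4.10.jar"]
    report = assess_jars(sample)
    for name, ver in sorted(report["outdated"].items()):
        print(f"{name} {'.'.join(map(str, ver))} is below 2.5.13")
    print("action required" if report["needs_action"] else "no exposed Struts REST plugin found")
```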

The researchers developed an exploit but have not released it in order to give companies using the software time to patch their systems. It is currently not known if any companies have been affected by the security vulnerability.