Saturday, September 1, 2018

Apache Vulnerability Highlights Need for Software Composition Analysis

On Aug. 22, the Apache Software Foundation announced a new critical remote code execution vulnerability in Apache Struts 2 (CVE-2018-11776). According to the Semmle Security Research Team, which identified and reported the flaw, it is "more critical" than the Struts vulnerability disclosed in March of last year that was later behind the massive data breach exposing the personal information of 143 million Americans. The vulnerability affects all supported versions of Apache Struts 2, and because Struts is one of the most widely used frameworks for building Java web applications, any application built on it is potentially at risk. Whether it is actually exploitable depends on the configuration: per the Apache bulletin, the attack requires the struts.mapper.alwaysSelectFullNamespace setting to be true (set explicitly, or by a plugin such as the Convention plugin) together with actions or results that have no namespace or a wildcard namespace. The flaw lives in the framework core, so it is reachable even when no additional plugins have been enabled.

In State of Software Security Volume 8, CA Veracode found that most open source components remain unpatched once they are built into an application, and that 88 percent of Java applications had at least one flaw introduced by a component. In our analysis of the "Struts-Shock" flaw (CVE-2017-5638) disclosed in March 2017, we found that 68 percent of Java applications using the Apache Struts 2 library were still running a vulnerable version of the component in the weeks following the first attacks.
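The check a software composition analysis tool has to make for this bug has two halves: is a vulnerable struts2-core version on the classpath, and does the application's struts.xml meet the preconditions in the Apache bulletin. The script below is an added example, not code from the original post or from Veracode or Apache; the `mvn dependency:tree` excerpt and the struts.xml it inspects are constructed inline, and all function names are the example's own. It uses only the facts stated above: the affected ranges 2.3 through 2.3.34 and 2.5 through 2.5.16 (fixed in 2.3.35 and 2.5.17), the alwaysSelectFullNamespace setting, and packages with no or a wildcard namespace.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the Apache S2-057 bulletin for CVE-2018-11776:
# Struts 2.3 through 2.3.34 and 2.5 through 2.5.16; fixed in 2.3.35 and 2.5.17.
FIXED_IN = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}


def parse_version(text):
    """Turn '2.3.34' or '2.5' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised Struts version: %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def struts2_core_affected(version):
    """True if struts2-core `version` falls inside the S2-057 affected ranges."""
    v = parse_version(version)
    if v[0] != 2:
        return False
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        # 2.0/2.1/2.2 are end-of-life and never received the fix: treat as affected.
        return v < (2, 3, 0)
    return v < fixed


# Constructed sample: an excerpt of `mvn dependency:tree` output for a web app.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0-SNAPSHOT
[INFO] +- org.apache.struts:struts2-core:jar:2.3.34:compile
[INFO] |  \\- org.apache.struts.xwork:xwork-core:jar:2.3.34:compile
[INFO] +- org.apache.struts:struts2-convention-plugin:jar:2.3.34:compile
[INFO] \\- javax.servlet:javax.servlet-api:jar:3.1.0:provided
"""

STRUTS_DEP = re.compile(
    r"org\.apache\.struts:(struts2-core|struts2-convention-plugin):jar:([^:\s]+)"
)


def find_struts_artifacts(tree_text):
    """Map each Struts artifact of interest to the version found in the tree."""
    return {m.group(1): m.group(2) for m in STRUTS_DEP.finditer(tree_text)}


# Constructed sample struts.xml: the full-namespace mapper is switched on and the
# "default" package declares no namespace, which is one of the S2-057 preconditions.
SAMPLE_STRUTS_XML = """\
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction"><param name="actionName">login</param></result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="home" class="com.example.AdminAction">
      <result>/admin/home.jsp</result>
    </action>
  </package>
</struts>
"""


def namespace_preconditions(struts_xml_text):
    """Return (alwaysSelectFullNamespace is true, packages with no or wildcard namespace)."""
    root = ET.fromstring(struts_xml_text)
    full_ns = any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    loose = [
        p.get("name") for p in root.iter("package")
        if not p.get("namespace") or "*" in p.get("namespace")
    ]
    return full_ns, loose


def assess(tree_text, struts_xml_text):
    """Combine the component version check with the configuration check."""
    artifacts = find_struts_artifacts(tree_text)
    findings = []
    core = artifacts.get("struts2-core")
    if core is None:
        return findings
    if struts2_core_affected(core):
        findings.append("struts2-core %s is in the CVE-2018-11776 affected range; "
                        "upgrade to 2.3.35 or 2.5.17" % core)
    full_ns, loose = namespace_preconditions(struts_xml_text)
    if "struts2-convention-plugin" in artifacts:
        # The Convention plugin turns alwaysSelectFullNamespace on by itself.
        full_ns = True
        findings.append("struts2-convention-plugin is present, which enables "
                        "alwaysSelectFullNamespace")
    if full_ns and loose:
        findings.append("alwaysSelectFullNamespace is on and these packages have no "
                        "fixed namespace: " + ", ".join(loose))
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_TREE, SAMPLE_STRUTS_XML):
        print("FINDING:", line)
```

Run against a real project by feeding it the output of `mvn dependency:tree` and the application's struts.xml. Note that the version check alone is what most inventories stop at; the configuration half is what separates "vulnerable library present" from "this application is exploitable", and a shaded or repackaged Struts jar will not show up in the tree at all, which is why a production SCA tool also fingerprints the jars themselves.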

from DZone.com Feed https://ift.tt/2oqotRK
