Apache vulnerability won’t be an easy one to patch

News of a vulnerability in the Apache Struts web application framework is coming in. And by all accounts, this won’t be an easy fix.

The code-execution zero-day bug was discovered on March 7, 2017. At that time, there were already multiple exploits of this vulnerability in the wild, leading to everything from information disclosure to stealing sensitive data.

It can also be used to upload malware into the server.

And it’s an easy exploit at that. So it’s no surprise that the victims are still pouring in, including government agencies, VMware, Cisco and more.

(For an excellent rundown of what this vulnerability actually means and how exploitation would work, check out this explainer by Sophos.)

The tricky part

But what makes this vulnerability particularly bad is that it’s not a one-and-done fix. Many web applications are built on Apache Struts, and each of them will need to be updated and tested as well. And since the exploit is five years old, you can expect that it will take a while to test all these web applications.

Keep an eye out in the coming days for patches to these applications.