Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Oracle Products Affected by Exploited Apache Struts Flaw

Oracle informed customers over the weekend that some of the company’s products are affected by a critical Apache Struts 2 vulnerability that has been exploited in the wild.

Oracle informed customers over the weekend that some of the company’s products are affected by a critical Apache Struts 2 vulnerability that has been exploited in the wild.

The vulnerability, discovered in the open source development framework by Semmle researcher Man Yue Mo, is tracked as CVE-2018-11776 and it has been classified as critical. It allows an unauthenticated attacker to remotely execute arbitrary code on a targeted server by sending it a specially crafted request.

The existence of the flaw was disclosed on August 22, and despite the availability of only limited technical information, proof-of-concept (PoC) exploits emerged within days.

On around August 27, security firms started seeing attempts to find vulnerable Apache Struts 2 installations, and even attempts to exploit the security hole to deliver a cryptocurrency miner.

Oracle notified customers of CVE-2018-11776 on Saturday and warned that Apache Struts 2 is a component of several of its product distributions. However, the company noted that not all products incorporating Struts 2 are necessarily vulnerable.

“When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system,” Oracle said in its advisory.

The exact list of products impacted by the vulnerability is only available to Oracle customers, but the company revealed last year – when it warned users about another actively exploited Struts 2 flaw – that the framework is used in MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and various Financial Services and Insurance products.

Advertisement. Scroll to continue reading.

Customers have been provided information on the status of each impacted product and the availability of patches. Oracle’s next Critical Patch Update (CPU) is scheduled for October 16.

Apache Struts vulnerabilities can pose a significant risk to organizations. A flaw affecting the framework was exploited in the massive Equifax breach that impacted over 140 million individuals.

Related: One Year Later, Hackers Still Target Apache Struts Flaw

Related: “Zealot” Apache Struts Attacks Abuses NSA Exploits

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.