Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Oracle Products Affected by Exploited Apache Struts Flaw

Oracle informed customers over the weekend that some of the company’s products are affected by a critical Apache Struts 2 vulnerability that has been exploited in the wild.

Oracle informed customers over the weekend that some of the company’s products are affected by a critical Apache Struts 2 vulnerability that has been exploited in the wild.

The vulnerability, discovered in the open source development framework by Semmle researcher Man Yue Mo, is tracked as CVE-2018-11776 and it has been classified as critical. It allows an unauthenticated attacker to remotely execute arbitrary code on a targeted server by sending it a specially crafted request.

The existence of the flaw was disclosed on August 22, and despite the availability of only limited technical information, proof-of-concept (PoC) exploits emerged within days.

On around August 27, security firms started seeing attempts to find vulnerable Apache Struts 2 installations, and even attempts to exploit the security hole to deliver a cryptocurrency miner.

Oracle notified customers of CVE-2018-11776 on Saturday and warned that Apache Struts 2 is a component of several of its product distributions. However, the company noted that not all products incorporating Struts 2 are necessarily vulnerable.

“When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system,” Oracle said in its advisory.

Advertisement. Scroll to continue reading.

The exact list of products impacted by the vulnerability is only available to Oracle customers, but the company revealed last year – when it warned users about another actively exploited Struts 2 flaw – that the framework is used in MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and various Financial Services and Insurance products.

Customers have been provided information on the status of each impacted product and the availability of patches. Oracle’s next Critical Patch Update (CPU) is scheduled for October 16.

Apache Struts vulnerabilities can pose a significant risk to organizations. A flaw affecting the framework was exploited in the massive Equifax breach that impacted over 140 million individuals.

Related: One Year Later, Hackers Still Target Apache Struts Flaw

Related: “Zealot” Apache Struts Attacks Abuses NSA Exploits

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.