
Critical Remote Code Execution Vulnerability (CVE-2018-11776) Found in Apache Struts

August 24, 2018

Users of Apache Struts are urged to update to its latest version after security researchers uncovered a critical remote code execution (RCE) vulnerability in the popular open-source Java-based web application development framework. The Apache Software Foundation accordingly issued a security advisory that provides technical details and guidelines on the security flaw.

What is the vulnerability about?

The security flaw is caused by insufficient validation of untrusted user data in the core of the Struts framework. As a result, Object-Graph Navigation Language (OGNL) expressions, which are used to set properties in Java objects, can be sent through crafted Hypertext Transfer Protocol (HTTP) requests and evaluated by the framework, which can lead to RCE.

Depending on the Struts configuration, attackers can execute remote code on a server by sending a malicious HTTP request with an OGNL expression in the Uniform Resource Identifier (URI), the part of the request used to identify resources (e.g., documents).

Many previous RCE vulnerabilities in Apache Struts also involved OGNL expressions. Because Apache Struts uses OGNL for most of its processing, OGNL can make it easy for attackers to execute arbitrary code remotely.
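The practical question for a defender is how to spot an OGNL expression where only a path or namespace should be, which is the same idea as the "OGNL Entity Usage in an HTTP URI" filter listed later in this article. The following detection script is an added example written for this page; it is not Trend Micro code or an Apache project tool. It assumes web-server access logs in the common combined log format, and the log lines it scans are constructed for illustration. It percent-decodes each request target twice so that both ordinary and double-encoded `${` / `%{` markers are caught, then reports the client address and the raw target for triage.

```python
import re
from urllib.parse import unquote

# Combined-log-format line: client, identity, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

# Textual markers of an OGNL expression; neither belongs in a Struts request path.
OGNL_MARKERS = ("${", "%{")


def target_has_ognl(target: str) -> bool:
    """Return True if the request target contains an OGNL expression marker.

    The target is percent-decoded twice so that both ordinary and
    double-encoded markers (e.g. %24%7B or %2524%257B) are caught.
    """
    decoded = target
    for _ in range(2):
        decoded = unquote(decoded)
    return any(marker in decoded for marker in OGNL_MARKERS)


def flag_ognl_requests(log_lines):
    """Return (client_ip, request_target) for every parseable line whose target
    carries an OGNL marker; lines that do not match the log format are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        if target_has_ognl(m["target"]):
            hits.append((m["ip"], m["target"]))
    return hits


# Constructed sample access-log lines (not real traffic): one ordinary request,
# one with a percent-encoded "${...}" in the path, one double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Aug/2018:10:01:02 +0000] "GET /showcase/index.action HTTP/1.1" 200 1234',
    '10.0.0.9 - - [24/Aug/2018:10:01:07 +0000] "GET /%24%7Bexpr%7D/index.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [24/Aug/2018:10:01:09 +0000] "GET /%2524%257Bexpr%257D/index.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, target in flag_ognl_requests(SAMPLE_LOG):
        print(f"OGNL marker in request from {ip}: {target}")
```

Because the check decodes the whole target (path and query string), a legitimate application that echoes literal `${` in a query parameter will also be flagged; in that case restrict the check to the path component before the `?`, which is where a Struts namespace is taken from.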


Who is affected by this vulnerability?

Users of Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are affected. Note that whether or not an Apache Struts-based web application is vulnerable to this security flaw largely depends on its exact configuration and architecture.
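One of the first things a security or DevOps team wants from the affected-version list above is an automated check against the build manifests it actually ships. The script below is an added example for this page, not Trend Micro's or Apache's code. It encodes the two affected ranges exactly as stated above (2.3 through 2.3.34 and 2.5 through 2.5.16, inclusive), reads the `org.apache.struts:struts2-core` dependency out of a Maven `pom.xml`, resolves a version pinned through a `<properties>` entry, and reports whether each declared version is in an affected range. The `pom.xml` it parses is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Affected version ranges as stated in this article (inclusive on both ends).
AFFECTED_RANGES = (
    ((2, 3, 0), (2, 3, 34)),
    ((2, 5, 0), (2, 5, 16)),
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Reduce a Struts version string such as '2.5.16' to a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def _local(tag: str) -> str:
    # Strip the Maven XML namespace: '{http://maven.apache.org/POM/4.0.0}version' -> 'version'
    return tag.rsplit("}", 1)[-1]


def struts_core_versions(pom_xml: str):
    """Return the declared versions of org.apache.struts:struts2-core in a pom.xml.

    A version written as a Maven property reference (${struts.version}) is
    resolved against the <properties> block of the same file.
    """
    root = ET.fromstring(pom_xml)
    properties = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            properties = {_local(p.tag): (p.text or "").strip() for p in el}
    versions = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == "org.apache.struts" and fields.get("artifactId") == "struts2-core":
            version = fields.get("version", "")
            ref = re.fullmatch(r"\$\{([^}]+)\}", version)
            if ref:
                version = properties.get(ref.group(1), version)
            versions.append(version)
    return versions


def audit_pom(pom_xml: str):
    """Return [(version, affected)] for each struts2-core dependency found."""
    return [(v, is_affected(v)) for v in struts_core_versions(pom_xml)]


# Constructed sample pom.xml (not from any real project) pinning Struts through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <struts.version>2.5.16</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for version, affected in audit_pom(SAMPLE_POM):
        print(f"struts2-core {version}: {'AFFECTED' if affected else 'not in affected range'}")
```

A version inherited from a parent POM or a bill of materials will not have a `<version>` element in the child file; the check then reports an empty string and `parse_version` raises, which is the right outcome for a CI gate, since an unresolved version should fail closed rather than pass silently.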


What is the impact?

The worst-case scenario is malicious code being remotely executed on the vulnerable server. Given how ubiquitous Apache Struts is in web application development, the impact can be daunting: the framework is used by at least 65 percent of Fortune 100 businesses. The Equifax data breach, which was caused by a vulnerability in Apache Struts, exposed the personally identifiable information of 145.5 million U.S. citizens.

Conversely, there are caveats to successfully exploiting this vulnerability. For example, the attacker must know which web application and what “” is susceptible to the security flaw. In terms of actions, the (i.e., values or code returned to a query) should be a , , or . In another attack vector, the attacker must know which templates and parameters are to be attacked.


What does this vulnerability mean for developers and security teams?

For web application developers, particularly those adopting DevOps, security shouldn’t be sacrificed. While rapid development and delivery help enrich the customer and user experience, applications should also be secure by design. As recent data breaches have shown, a vulnerable web application framework, server, or network can cause significant damage beyond an enterprise’s bottom line.

On the other hand, security teams should empower development, operations, and other IT teams to adopt security in their business processes. Baking security into the application development life cycle, for instance, helps quickly identify whether the version of Apache Struts in use is insecure. Through automated tools, security and development teams can also determine whether risks are being introduced through third-party components. True to the DevOps culture, these practices help promptly uncover and address vulnerabilities.

Trend Micro Solutions

The Trend Micro Deep Security solution provides virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications such as Apache Struts. The Trend Micro TippingPoint system provides virtual patching and protection against network-exploitable vulnerabilities via DigitalVaccine filters. The Trend Micro Deep Discovery solution provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.

The Deep Security solution protects user systems from any threat that might target the aforementioned vulnerability via the following deep packet inspection (DPI) rules:

  • 1009265 - Apache Struts OGNL Expression Remote Command Execution Vulnerability (CVE-2018-11776)
  • 1008610 - Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request

Customers of the Trend Micro TippingPoint system are protected from threats that might exploit the vulnerability via this DigitalVaccine filter:

  • C1000001: HTTP: OGNL Entity Usage in an HTTP URI

Trend Micro Deep Discovery protects customers from this threat via this Deep Discovery Inspector (DDI) rule:

  • 2726 - CVE-2018-11776 - APACHE STRUTS RCE EXPLOIT - HTTP(Request)

With insights from William Gamazo Sanchez and Shriram Rananavare (Trend Micro Vulnerability Researchers)

Updated as of August 27, 2018, 7:33 PM PDT, to include the solution for Trend Micro Deep Discovery.
Updated as of August 28, 2018, 2:13 AM PDT, to clarify the caveats for exploiting the vulnerability.
