Software Integrity Blog

Author Archive

Stephen Mort

stephen-mort

Stephen is a vulnerability analyst who has been involved in open source software for over decade.


Posts by Stephen Mort:

 

CVE-2017-5638: Anatomy of the Apache Struts vulnerability

With good reason, a lot of attention has been given to the recent vulnerability in the Struts MVC framework (CVE-2017-5638). Because of its extensive functionality, Struts is a widely used open source component in web applications. However, these same benefits and Struts’ integration with other frameworks can make upgrades and patches challenging. My goal is to help readers understand how an attacker might exploit this Apache Struts vulnerability. Apache Struts vulnerability Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server. This is full remote command execution and has been actively exploited in the wild from the initial disclosure.

Continue Reading...

Posted in Data Breach, Open Source Security | Comments Off on CVE-2017-5638: Anatomy of the Apache Struts vulnerability