September 11, 2017 By Douglas Bonderud 2 min read

On Sept. 5, code review firm lgtm.com reported a critical flaw in open source Apache Struts to the code’s development team. Although it had already developed a working security breach vector, lgtm did not immediately disclose this information while Apache developers created and deployed a patch.

However, as noted by SecurityWeek, it didn’t take cybercriminals long to create their own versions — multiple exploits and a Metasploit module emerged within hours of the flaw going public. What’s more, the patch alone may not be enough to safeguard corporate systems.

No REST for the Wicked

Flaw CVE-2017-9805 affects any app using Struts versions dating back to 2008. According to TechSpot, a remote code execution (RCE) attack is possible when the Struts REST plugin is used with XStream handler to deserialize untrusted XML requests. Organizations such as Lockheed Martin, Citigroup, Virgin Atlantic and the IRS use this plugin, and several airline booking systems also rely on Struts to manage reservations.

The official Apache statement about this vulnerability noted no workaround is possible and recommended that organizations remove the REST plugin when not in use or limit its permissions to reduce the chance of compromise.

As ZDNet pointed out, many experts are taking an even stronger stand — Man Yue Mo of lgtm advised that all threat actors need is a web browser to carry out attacks, while Bas van Schaik of software engineering firm Semmle said, “I can’t stress how incredibly easy this is to exploit. If you know what request to send, you can start any process on the web server running a vulnerable application.”

Security Breach: Patch Imperfect?

Researchers at lgtm did the right thing: While they had a working exploit in hand, they kept it under wraps and reached out to Apache. The open source company worked quickly to create a patch, then released it along with a statement urging companies to limit Struts use and update existing apps. And that’s all it took. Within hours, cybercriminals developed viable exploit modules, and in less than two days, security firms saw evidence of coordinated attacks.

Here’s the problem — even with a solid patch available, not every company will implement the new code quickly. Some may still be unaware of the problem, while others might delay the patch because of system upgrades or maintenance. This gives threat actors incentive to work as quickly as possible to reverse-engineer vulnerabilities and attempt to crack servers still running old versions.

And as the TechSpot piece pointed out, the patch itself may not be enough, since entire apps may need to be rewritten using the updated Struts version, then tested again for new vulnerabilities and sent back out into the wild. If companies don’t catch these underlying Struts soft spots, the results could be disastrous.

Bottom line? The lgtm team followed protocol, and Apache fast-tracked a patch. But malicious actors are familiar with this timeline — they know that by putting in the work up front, it’s possible to compromise networks that should be patched and will be patched, but just haven’t gotten there yet. It’s a wake-up call for information security pros: Speed, not sophistication, is the biggest risk factor in a corporate security breach.

More from

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces.AI in every pocketHaving sophisticated AI…

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today