Critical Apache Struts Vulnerability Exploited in Live Attacks

A severe vulnerability has been detected in the Apache Struts 2 framework. The vulnerability allows full remote code execution and is being actively exploited in the wild.

The UBC Cybersecurity team has been in contact with all known owners of applications relying on Apache Struts. If you are responsible for an application that uses the Struts framework and have not been contacted by us, please email Aaron Heck (aaron.heck@ubc.ca) immediately.

Severity

  • Critical

 

CVE Number

  • CVE-2018-11776

 

Impacted Platforms

  • Apache Struts 2.3 through 2.3.34, and Struts 2.5 through 2.5.16
  • Unsupported Struts versions (i.e., all versions earlier than 2.3) may also be affected

 

Recommended Actions

 

More information