Apache alerts developers of remote code execution flaw

The team that develops the Apache Struts framework is alerting users of a critical vulnerability that could allow remote code execution attacks. The Apache Foundation urged developers to update a key component of the framework in order to patch the flaw in an alert posted Monday.

Projects using Struts 2.3.36 and prior are affected, Apache said, because of a vulnerable commons-fileupload library. The up-to-date version already uses the latest component.

Developers need to update in order to use the latest version of the commons-fileupload library in order to “prevent your publicly accessible web site from being exposed to possible Remote Code Execution attacks,” the Apache team said.

Such an attack would allow hackers to potentially take over an unsuspecting developer’s server and install malware.

“Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload,” the warning said.

The flaw being addressed is apparently as old as 2016, according to its Common Vulnerabilities and Exposures (CVE) number (CVE-2016-1000031). It’s not clear why Apache is addressing it now.

Apache Struts is a widely used, open source web server software used to make Java web applications. An unpatched Struts vulnerability was the cause of the Equifax breach last year, which exposed the sensitive information of more than 145 million people.