Admins Urged: Stop Everything and Patch New Apache Struts Flaw


Security experts are warning of another critical CVSS 10.0 vulnerability in Apache Struts, the framework that resulted in a major breach at Equifax last year.

The remote code execution vulnerability, CVE-2018-11776, already has a working exploit published for it, meaning organizations should prioritize a fix.

Vulnerability intelligence vendor Risk Based Security gave a “full stop, all hands on deck” warning to administrators to patch ASAP.

“Even though this issue has just been disclosed, VulnDB has already rated the ‘Social Risk Score’ as High,” it added. “This means that based on the already strong social media presence discussing the vulnerability, the odds of active exploitation will be higher than average.”

Last year, credit agency Equifax was breached to the tune of over 140 million customers, nearly half the population of the US, after failing to patch a known Apache Struts vulnerability for several months.

However, the pressure to patch never relents: already this year there have been 1426 vulnerabilities disclosed with a CVSS rating of 10.0, according to Risk Based Security.

“For organizations who may say ‘well we don’t use Apache Struts, we’re safe!’, we want to remind you that Apache Struts is a third-party library of sorts and can be found in numerous high-profile products,” it added.

These include products from Cisco, Hitachi, IBM, MicroFocus, Oracle and VMware.
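One practical check that follows from the warning above is to inventory every struts2-core jar in your estate, including copies packed inside vendor .war/.ear files or shipped under a renamed filename. The script below is an added example written for this article, not code from Risk Based Security, Apache or any of the vendors named; the fixed versions it compares against (Struts 2.3.35 and 2.5.17) come from the Apache S2-057 advisory for CVE-2018-11776 rather than from the article, and the sample deployment it scans when run without a path argument is constructed in a temporary directory.

```python
"""Inventory Apache Struts 2 core jars on disk, including jars packed inside
.war/.ear archives, and flag versions older than the releases that fix
CVE-2018-11776 (Struts 2.3.35 and 2.5.17, per the Apache S2-057 advisory).
Added example for this article, not code from Risk Based Security or Apache."""
import io
import os
import re
import tempfile
import zipfile

# Fixed releases per branch. Editor's addition from the Apache advisory, not from the article.
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}
# Matches struts2-core-<version>.jar (the artifact name Maven produces)
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")
# Standard Maven metadata path inside the jar; survives a renamed filename
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(s):
    return tuple(int(p) for p in s.split("."))


def is_vulnerable(version_str):
    """True if this struts2-core version predates the S2-057 fix on its branch."""
    v = parse_version(version_str)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # No fixed release recorded for this branch: 2.1/2.2 are end-of-life and
        # never received the fix; anything newer than 2.5 is assumed fixed.
        return v[:2] < (2, 3)
    return v < fixed


def version_from_jar(zf):
    """Read the Maven version from a struts2-core jar whose filename was changed."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(\S+)", props, re.M)
    return m.group(1) if m else None


def struts_in_archive(zf, location):
    """Yield (location, version) for struts2-core jars inside a war/ear, in memory."""
    for name in zf.namelist():
        m = JAR_RE.search(name)
        if m:
            yield f"{location}!{name}", m.group(1)
        elif name.endswith((".war", ".ear")):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from struts_in_archive(inner, f"{location}!{name}")


def scan_tree(root):
    """Walk root; return [(location, version)] for every struts2-core jar found."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            m = JAR_RE.search(fn)
            if m:
                found.append((full, m.group(1)))
                continue
            if not fn.endswith((".jar", ".war", ".ear")):
                continue
            try:
                with zipfile.ZipFile(full) as zf:
                    if fn.endswith(".jar"):
                        v = version_from_jar(zf)  # renamed struts2-core jar?
                        if v:
                            found.append((full, v))
                    else:
                        found.extend(struts_in_archive(zf, full))
            except zipfile.BadZipFile:
                pass
    return found


def report(root):
    """[(location, version, vulnerable)] sorted so vulnerable entries come first."""
    rows = [(loc, ver, is_vulnerable(ver)) for loc, ver in scan_tree(root)]
    return sorted(rows, key=lambda r: (not r[2], r[0]))


def build_demo_tree():
    """Constructed sample deployment (not real product files) for a dry run."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    open(os.path.join(root, "struts2-core-2.3.35.jar"), "wb").close()  # fixed
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.16.jar", b"")  # vulnerable, inside a war
    with zipfile.ZipFile(os.path.join(root, "vendor-lib.jar"), "w") as jar:
        # renamed struts2-core jar: only the Maven metadata gives it away
        jar.writestr(POM_PROPS, "groupId=org.apache.struts\nartifactId=struts2-core\nversion=2.3.34\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for loc, ver, vuln in report(target):
        print(f"{'VULNERABLE' if vuln else 'ok'}\t{ver}\t{loc}")
```

Run it as `python struts_scan.py /opt` (or any application server root) and act on every VULNERABLE row; the renamed-jar case is the one that catches appliances and vendor bundles that do not ship an obvious struts2-core-*.jar. The filename match is a heuristic, so treat a clean result as "nothing found by this method", not as proof of absence.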

The bad news is that organizations appear overwhelmed with the patch load, according to new research from Kollective.

Its State of Software Delivery research revealed that 37% of US and UK IT managers believe “a failure to install updates” is their biggest security threat of 2018.

Yet over a quarter (27%) of respondents said it takes at least a month before they can install updates, a figure rising to 45% for businesses with over 100,000 endpoints.

“While it’s obviously important for IT teams to spend time testing new software and updates before rolling them out, our research has found that many of the delays in software distribution aren’t because of testing, but rather a lack of infrastructure,” explained Kollective CEO, Dan Vetras.

“Poorly constructed networks mean that, even those companies that have made a significant investment in security software, are still leaving their organizations vulnerable to attack. With a growing number of applications being left out of date, today’s businesses are creating their own backdoors for hackers, botnets and malware to attack.”
