Network Security, Vulnerability Management

Updates address vulnerabilities in Apache Struts versions 2.5 to 2.5.14

A pair of security updates released by the Apache Software Foundation patch vulnerabilities in Apache Struts versions 2.5 to 2.5.14 that would let a remote attacker take control of a system, according to a US-CERT alert.

The Apache Security Bulletin S2-054 resolves a outdated JSON-lib library in the REST Plugin, which would let miscreants execute denial of service (DoS) attacks “using malicious request with specially crafted JSON payload.”

The organization advised administrators to upgrade to Apache Struts 2.5.14.1 or use the Jackson handler rather than the default JSON-lib handler.

Apache Security Bulletin S2-055 patches a Jackson Deserializer in the Jackson JSON library. Administrators should upgrade to Apache Struts 2.5.14.1 or manually upgrade Jackson dependencies in a project to versions that are not vulnerable. 

Earlier in the fall it was revealed that Equifax twice missed a vulnerability in Apache Struts responsible for a breach that affected 145.5 million U.S. consumers.

Related

Lincoln Project loses $35K following BEC attack

U.S. political action committee Lincoln Project, which was formed in 2019 to counter former President Donald Trump's re-election bid, has been impacted by a business email compromise attack in February that resulted in the exfiltration of $35,000, reports The Record, a news site by cybersecurity firm Recorded Future.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.