
UPDATE: Exploit code available: Remote code execution in Apache Struts 2

Wednesday, September 06, 2017

UPDATE 9/8/2017

The University Information Security Office (UISO) would like to draw attention to an additional vulnerability found in Apache Struts 2. A remote code execution vulnerability exists when a developer uses an unintentional expression in the FreeMarker tag. This vulnerability affects Apache Struts versions 2.0.1 through 2.3.33 and 2.5 through 2.5.10. Upgrading Apache Struts 2 to version 2.5.13 mitigates both vulnerabilities described in this bulletin. If you already patched for the vulnerability announced on September 5, no further action is needed to protect against this new vulnerability.

Background

On Sept. 5, 2017, a critical remote code execution vulnerability was identified in the REST plugin of Apache Struts 2. At the time of writing there are no reports of this vulnerability being exploited in the wild. However, because Apache Struts 2 with the REST plugin is widely used and exploit code has been made publicly available, reports of successful exploitation are anticipated.

Impact

Applications that have been developed with the Apache Struts 2 framework and which use the REST plugin are vulnerable to attack. An attacker can gain access to the server by sending a specially crafted web request to the vulnerable application, and upon successful exploitation can execute arbitrary code. Web applications reachable from the Internet are more likely to be attacked; however, any web application that uses Apache Struts 2 with the REST plugin is vulnerable, regardless of where it is hosted. The weakness in the REST plugin of Apache Struts 2 lies in the method that deserializes untrusted data from incoming requests.

Please see UISO Recommendations and Workarounds below for further steps that must be taken.

Platforms Affected

  • Apache Struts versions 2.5 through 2.5.12
  • Apache Struts versions 2.0.1 through 2.3.33
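The following script is an added example for IT staff, not code from the bulletin or from the Apache Struts project. It encodes the affected version ranges listed above and checks a web application's WEB-INF/lib listing for the Struts 2 core version and for the presence of the REST plugin; the jar file names in the sample listings are constructed for illustration.

```python
import re

# Affected Struts 2 version ranges as listed in the bulletin (inclusive).
AFFECTED_RANGES = [((2, 0, 1), (2, 3, 33)), ((2, 5, 0), (2, 5, 12))]
FIXED_VERSION = "2.5.13"

# Matches the two jars this bulletin cares about, e.g. struts2-core-2.5.10.jar
JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5.10' -> (2, 5, 10); '2.5' -> (2, 5, 0). Extra components are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True if the version falls inside one of the bulletin's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess_webapp(jar_names):
    """Given the file names in a web app's WEB-INF/lib, report the Struts 2
    core version, whether it is in an affected range, and whether the REST
    plugin (the component the bulletin identifies as the weak spot) is deployed."""
    core_version, rest_plugin = None, False
    for name in jar_names:
        m = JAR_RE.match(name)
        if m and m.group(1) == "struts2-core":
            core_version = m.group(2)
        elif m:
            rest_plugin = True
    if core_version is None:
        return {"struts2": False}
    affected = is_affected(core_version)
    return {
        "struts2": True,
        "core_version": core_version,
        "affected": affected,
        "rest_plugin": rest_plugin,
        "action": f"upgrade to {FIXED_VERSION}" if affected else "none required",
    }


# Constructed sample listings (hypothetical jar names, not taken from any real host).
SAMPLE_VULNERABLE = ["commons-lang3-3.5.jar", "struts2-core-2.5.10.jar",
                     "struts2-rest-plugin-2.5.10.jar"]
SAMPLE_PATCHED = ["struts2-core-2.5.13.jar", "struts2-rest-plugin-2.5.13.jar"]

if __name__ == "__main__":
    for listing in (SAMPLE_VULNERABLE, SAMPLE_PATCHED):
        print(assess_webapp(listing))
```

The "affected" flag follows the bulletin's ranges only; the FreeMarker issue noted in the 9/8 update covers versions up to 2.5.10, which already fall inside these ranges, so a single check covers both.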

Local observations

Using network sensors, the University Information Security Office monitors the IU network for exploitation attempts of networked devices, including vulnerable applications. The successful compromise of a device will result in the device being blocked from the network.

Apache Struts 2 is part of Extra Packages for Enterprise Linux (EPEL). Indiana University's Red Hat (RHEL) Satellite distributes patches for the 1.3 branch of Apache Struts, not Struts 2.

UISO recommendations

  • Upgrade Apache Struts 2 to version 2.5.13.
  • Subscribe to relevant email lists and review blogs for any mention of security bulletins for Apache Struts 2.
  • Have your web applications and sites scanned for vulnerabilities by the UISO.

Workarounds

No workarounds exist that mitigate this vulnerability while keeping the REST plugin in place. Developers can disable the Struts REST plugin, but doing so will likely break application functionality that depends on it.
