IMPORTANT NOTICE: CVE-2017-5638: Apache Struts Vulnerability

Former Member

On 6 March 2017, Apache posted security advisory S2-045 regarding a Remote Code Execution (RCE) vulnerability in Struts, an open-source framework for creating Java web applications. RCE vulnerabilities are of notable concern because they allow attackers to execute commands on the vulnerable machine without any direct access to the device. The vulnerability was assigned the designator CVE-2017-5638.

Apache listed Struts 2.3.5 through Struts 2.3.31 and Struts 2.5 through Struts 2.5.10 as affected by this vulnerability. Apache recommended upgrading to Struts 2.3.32 or Struts 2.5.10.1 to mitigate this vulnerability. These upgrades can be downloaded here: 

Several sources have reported an increasing volume of attacks related to this vulnerability. Because a weaponized proof of concept is available and attack patterns have been observed, Rackspace recommends that customers evaluate their environments and apply the patch as applicable.
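One way to evaluate an environment against the version ranges above is to inventory the Struts core jars on disk and inside deployed WAR/EAR files. The script below is an added example, not Rackspace or Apache code; it assumes Struts is deployed under its standard artifact name `struts2-core-<version>.jar`, so renamed or repackaged copies will not be found.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Inclusive affected ranges, taken from the advisory text above.
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
# Assumption: Struts ships under its standard artifact name, struts2-core-<version>.jar.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)[^/]*\.jar$")

def pad(version, width=4):
    """Right-pad a version tuple with zeros so 2.5.10 and 2.5.10.1 compare correctly."""
    return version + (0,) * (width - len(version))

def is_affected(version):
    """True if a dotted version string falls inside one of the affected ranges."""
    v = pad(tuple(int(part) for part in version.split(".")))
    return any(pad(low) <= v <= pad(high) for low, high in AFFECTED)

def scan_archive(source, label, findings):
    """Record struts2-core jars inside a WAR/EAR, recursing into nested archives."""
    try:
        with zipfile.ZipFile(source) as archive:
            for name in archive.namelist():
                match = JAR_RE.search(name)
                if match:
                    ver = match.group(1)
                    findings.append((f"{label}!{name}", ver, is_affected(ver)))
                elif name.lower().endswith((".war", ".ear")):
                    nested = io.BytesIO(archive.read(name))
                    scan_archive(nested, f"{label}!{name}", findings)
    except zipfile.BadZipFile:
        pass  # unreadable or truncated archive: skip it

def scan(root):
    """Return (location, version, affected) for every struts2-core jar under root."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        match = JAR_RE.search(path.name)
        if match:
            findings.append((str(path), match.group(1), is_affected(match.group(1))))
        elif path.suffix.lower() in (".war", ".ear"):
            scan_archive(path, str(path), findings)
    return findings

if __name__ == "__main__":
    for location, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("AFFECTED" if affected else "ok      ", version, location)
```

Run it with the application server's deployment directory as the only argument; any line marked `AFFECTED` is a copy that needs the upgrade named above.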

Should you have any questions, or require assistance, please contact your Rackspace Support Team. 

 

Additional references: 

https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/