On 6 March 2017, Apache posted security advisory S2-045 regarding a Remote Code Execution (RCE) vulnerability in Struts, an open-source framework for creating Java web applications. RCE vulnerabilities are of notable concern because they allow attackers to execute commands on the vulnerable machine without any direct access to the device. The vulnerability was assigned the designator CVE-2017-5638.
Apache listed Struts 2.3.5 – Struts 2.3.31 and Struts 2.5 – Struts 2.5.10 as affected by this vulnerability. Apache recommended upgrading to Struts 2.3.32 or Struts 2.5.10.1 to mitigate this vulnerability. These upgrades can be downloaded here:
Several sources have reported an increasing volume of attacks related to this vulnerability. Because a weaponized proof of concept is available and attack patterns have been observed, Rackspace recommends that customers evaluate their environments and apply the patch as applicable.
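One way to evaluate an environment against the affected ranges listed above is to inventory the Struts core library on disk and inside deployed WAR files. The following is an added example, not code from Apache or Rackspace; it assumes the library follows the usual `struts2-core-<version>.jar` naming and does not unpack archives nested inside other archives.

```python
import os
import re
import sys
import zipfile

# Affected ranges as listed in the advisory text above (inclusive bounds).
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
# Assumption: the core library is named struts2-core-<version>[-qualifier].jar.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$")


def is_affected(version):
    """True if a dotted version string falls inside a listed affected range."""
    v = tuple(int(part) for part in version.split("."))
    return any(low <= v <= high for low, high in AFFECTED)


def jar_version(name):
    """Return the version embedded in a struts2-core jar name, or None."""
    match = JAR_RE.search(name)
    return match.group(1) if match else None


def scan(root):
    """Walk root and report struts2-core jars on disk and inside WAR files.

    Returns a sorted list of (location, version, affected) tuples.
    Archives nested inside other archives are not unpacked.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            candidates = [path]
            if fname.lower().endswith(".war") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as war:
                    candidates += [path + "!" + n for n in war.namelist()]
            for cand in candidates:
                version = jar_version(cand)
                if version:
                    findings.append((cand, version, is_affected(version)))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for location, version, affected in scan(target):
        print(("AFFECTED " if affected else "ok       ") + version + "  " + location)
```

Run it against the application server's deployment directory; a jar that has been renamed or repackaged into another library will not be found by a filename check.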
Should you have any questions, or require assistance, please contact your Rackspace Support Team.