Source: Sophos Naked Security
Update. The Struts 2.3 and 2.5 versions now both have official patches.
We have updated our advice below accordingly. [2017-09-07T11:00Z]
It seems only yesterday – in fact, it was six months ago – that we wrote about a nasty security hole in Apache Struts.
Unfortunately, it’s time for déjà vu all over again, with a similar sort of hole that can apparently be exploited in a similar way.
Apache Struts is a software toolkit for creating Java-based web applications that run on your web server.
Struts can be used for building internet-facing services such as online shops or discussion forums: with Struts, you can generate web pages on the fly, tailor web content for the current user as they move around on your site, respond to web forms filled in by your visitors, and much more.
You can tell where this is going, given that an important part of any web application framework is dealing with the security risks implicit in requesting, acquiring and responding to data that is uploaded by outsiders.
And that’s where this Struts bug, known as CVE-2017-9805, comes in.
All applications should treat all input data as potentially hostile, even if it comes from an internal source that is supposedly under your own control. But when data comes from untrusted outsiders, you should go one step further, and assume that it is actively hostile – in other words, that it is booby-trapped in some way – unless and until you have good reason to think otherwise.