According to researchers at LGTM, the Struts framework is used by many organizations, including Lockheed Martin, Vodafone, Virgin Atlantic and the IRS. 'Not to mention, the vulnerability is also very easy to use; all you need is a web browser,' said Man Yue Mo, a researcher at LGTM. To exploit the vulnerability, an attacker only needs to send malicious XML code to the server in a specially formatted request.
Successful exploitation allows attackers to take full control of the compromised server and, from there, to reach other systems on the same network.
Mo said that the flaw stems from insecure deserialization of data; similar vulnerabilities in Apache Commons Collections, discovered by Chris Frohoff and Gabriel Lawrence in 2015, also allowed arbitrary code execution.
Many Java applications have been affected by similar vulnerabilities in recent years. This vulnerability has been fixed in Struts 2.5.13, so administrators should update the version of Apache Struts they are using.