Apache Struts is a software toolkit for creating Java-based web applications. Apache Struts can be used for building internet-facing services such as online shops or discussion forums.
A Struts security hole (CVE-2017-9805) has been found that allows Remote Code Execution (RCE). This means a remote attacker could carry out an operation that looks innocent (for example, a product search or a stock-level check) but that deliberately provokes a malicious side-effect, such as tricking your server into leaking data, acting as a distribution point for malware, or opening up a hole to let the crooks sneak into another part of your network.
Applies to the following Sophos products and versions
Not product specific
Sophos products are not affected by this bug because none of them use Apache Struts.
If you use Apache Struts with the REST plugin anywhere in your network, please consult Apache Struts 2 Documentation S2-052 for official advice on the changes you need to make to get rid of this vulnerability. Struts versions that are affected are 2.1.2 to 2.3.33 inclusive and 2.5 to 2.5.12 inclusive. If you aren't sure whether your web applications (or hosted services) are based on Apache Struts, ask your vendor or service provider.
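The advice above boils down to two questions for every deployment: is it Struts 2 with the REST plugin, and does the struts2-core version fall inside the affected ranges (2.1.2 to 2.3.33 and 2.5 to 2.5.12, inclusive)? The following script is an added example (not Sophos or Apache code) that answers both from the jar names under an application's WEB-INF/lib directory. It assumes the deployment uses the standard Maven-style artifact names such as struts2-core-2.3.33.jar and struts2-rest-plugin-2.3.33.jar; the sample inventories at the bottom are constructed for illustration.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Affected Struts 2 versions from the S2-052 advisory (CVE-2017-9805),
# both ranges inclusive: 2.1.2 - 2.3.33 and 2.5 - 2.5.12.
AFFECTED_RANGES = (
    ((2, 1, 2), (2, 3, 33)),
    ((2, 5), (2, 5, 12)),
)

# Assumption: jars use Maven-style names, e.g. struts2-core-2.3.33.jar.
JAR_RE = re.compile(
    r"^(?P<artifact>struts2-(?:core|rest-plugin))-(?P<version>\d+(?:\.\d+)*)\.jar$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); int tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def is_affected_version(version: str) -> bool:
    """True when a struts2-core version lies inside an S2-052 affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess_jars(jar_names: Iterable[str]) -> Dict[str, object]:
    """Classify one deployment from the jar file names found in its lib dir."""
    core_versions: List[str] = []
    rest_plugin = False
    for name in jar_names:
        m = JAR_RE.match(os.path.basename(name))
        if m is None:
            continue  # not a Struts 2 artifact we care about
        if m["artifact"] == "struts2-core":
            core_versions.append(m["version"])
        else:
            rest_plugin = True

    if not core_versions:
        status = "not-struts2"
    elif not rest_plugin:
        # CVE-2017-9805 is in the REST plugin; core alone is not exposed to it.
        status = "struts2-without-rest-plugin"
    elif any(is_affected_version(v) for v in core_versions):
        status = "affected"
    else:
        status = "outside-affected-range"
    return {"core_versions": core_versions, "rest_plugin": rest_plugin, "status": status}


def assess_directory(root: str) -> Dict[str, object]:
    """Walk an exploded WAR or application directory and assess its jars."""
    names = [
        os.path.join(d, f)
        for d, _, files in os.walk(root)
        for f in files
        if f.endswith(".jar")
    ]
    return assess_jars(names)


# Constructed sample inventories (hypothetical deployments, not real systems).
SAMPLE_AFFECTED = [
    "shop/WEB-INF/lib/struts2-core-2.3.33.jar",
    "shop/WEB-INF/lib/struts2-rest-plugin-2.3.33.jar",
    "shop/WEB-INF/lib/some-other-library-1.0.jar",
]
SAMPLE_PATCHED = [
    "forum/WEB-INF/lib/struts2-core-2.5.13.jar",
    "forum/WEB-INF/lib/struts2-rest-plugin-2.5.13.jar",
]
SAMPLE_NO_REST = [
    "intranet/WEB-INF/lib/struts2-core-2.3.33.jar",
]

if __name__ == "__main__":
    for label, jars in (("shop", SAMPLE_AFFECTED),
                        ("forum", SAMPLE_PATCHED),
                        ("intranet", SAMPLE_NO_REST)):
        print(label, assess_jars(jars))
```

Run `assess_directory("/path/to/exploded/app")` against each deployed application; a result of "affected" means the S2-052 upgrade applies, while "struts2-without-rest-plugin" still deserves a look, since the plugin could be added later. Versions are compared as integer tuples rather than strings so that 2.5.10.1 sorts below 2.5.12 and 2.3.33 is not mistaken for being "greater" than 2.3.4.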