By the Data Security & Privacy Team

Companies running Apache Struts 2 should be aware of a remote code execution vulnerability that could give rise to breach notification duties. On August 22, 2018, the Apache Software Foundation published security bulletin S2-057 describing a vulnerability in its web application framework, Apache Struts, and the releases that correct it: the affected versions are Struts 2.3 through 2.3.34 and Struts 2.5 through 2.5.16, and the fixes are in Struts 2.3.35 and 2.5.17.

Apache Struts is an open source web application framework built on the model-view-controller architecture. The bulletin, posted at https://cwiki.apache.org and credited to Man Yue Mo of the Semmle Security Research team, describes a flaw in the Struts 2 framework that allows an attacker to perform a remote code execution “attack when namespace value isn’t set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace[.]”[1] A similar attack is possible “when using [an] url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”[2]  Because Struts is so widely deployed, the vulnerability may affect any entity using it, from small businesses to Fortune 100 companies.
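For readers responsible for the technical side of an assessment, the following is an added example (not code from the Apache Struts project, the Semmle researchers, or this post): a small Python audit script implementing the checks that the bulletin's workaround implies, namely confirming the deployed version, finding packages with no namespace or the wildcard namespace "/*" whose actions have redirectAction or chain results without an explicit namespace parameter, and finding <s:url> tags that set neither an action nor a value. The version ranges are those published in S2-057; the sample struts.xml and JSP fragment are constructed for illustration, and restricting the result check to redirectAction and chain is this example's own heuristic (the bulletin says to set a namespace on all results).

```python
"""Audit a Struts 2 deployment for the S2-057 pre-conditions.

Added example; not code from the Apache Struts project or the original
post. Version ranges are those published in S2-057. Limiting the result
check to redirectAction/chain is a heuristic assumption of this example.
"""
import re
import xml.etree.ElementTree as ET

# S2-057 affected ranges: 2.3 up to 2.3.34 and 2.5 up to 2.5.16,
# fixed in 2.3.35 and 2.5.17. Keyed by (major, minor) -> last affected patch.
LAST_AFFECTED_PATCH = {(2, 3): 34, (2, 5): 16}

# Result types that forward to another action and therefore need an
# explicit namespace (heuristic; assumption of this example).
NAMESPACE_SENSITIVE_RESULTS = {"redirectAction", "chain"}


def parse_version(version):
    """Turn '2.5.16' (or '2.5', or '2.3.34.1') into a (major, minor, patch) tuple."""
    nums = []
    for part in version.strip().split("."):
        digits = re.match(r"\d+", part)
        nums.append(int(digits.group()) if digits else 0)
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def version_status(version):
    """Return 'affected', 'fixed', or 'not listed' (lines the bulletin does not name)."""
    major, minor, patch = parse_version(version)
    last_bad = LAST_AFFECTED_PATCH.get((major, minor))
    if last_bad is None:
        return "not listed"
    return "affected" if patch <= last_bad else "fixed"


def audit_struts_xml(xml_text):
    """Return (package, action, result type, reason) for each risky result."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        ns = pkg.get("namespace")
        if ns is not None and ns != "/*":
            continue  # explicit, non-wildcard namespace: not the S2-057 condition
        why = "package has no namespace" if ns is None else 'package namespace is "/*"'
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")
                if rtype not in NAMESPACE_SENSITIVE_RESULTS:
                    continue
                has_ns = any(p.get("name") == "namespace" for p in result.findall("param"))
                if not has_ns:
                    findings.append((pkg.get("name"), action.get("name"), rtype,
                                     why + '; result lacks <param name="namespace">'))
    return findings


URL_TAG = re.compile(r"<s:url\b([^>]*)>", re.IGNORECASE)


def audit_jsp(jsp_text):
    """Return the <s:url> tags that set neither 'action' nor 'value'."""
    return [m.group(0) for m in URL_TAG.finditer(jsp_text)
            if not re.search(r"\b(action|value)\s*=", m.group(1))]


# Constructed sample configuration (not from any real deployment).
SAMPLE_STRUTS_XML = """<struts>
  <package name="default" extends="struts-default">
    <action name="index">
      <result type="redirectAction"><param name="actionName">home</param></result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="go"><result type="chain">next</result></action>
  </package>
  <package name="scoped" namespace="/app" extends="struts-default">
    <action name="show">
      <result type="redirectAction"><param name="actionName">detail</param></result>
    </action>
  </package>
  <package name="hardened" extends="struts-default">
    <action name="fixed">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/</param>
      </result>
    </action>
  </package>
</struts>
"""

# Constructed JSP fragment: the first tag has neither action nor value.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:url var="bare"/>
<s:url var="ok1" action="home"/>
<s:url var="ok2" value="/static/site.css"/>
"""

if __name__ == "__main__":
    for v in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(v, version_status(v))
    for finding in audit_struts_xml(SAMPLE_STRUTS_XML):
        print("struts.xml:", finding)
    for tag in audit_jsp(SAMPLE_JSP):
        print("jsp:", tag)
```

Run against a real deployment, the script should be pointed at every struts.xml (including those packaged inside JARs) and every JSP; a "fixed" version status is the only finding that actually closes the issue, the configuration checks are a stop-gap for systems that cannot be upgraded immediately.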

The description of the vulnerability has been posted online, and this “blueprint” is expected to serve as an easy “how-to” guide for attackers. Attackers can exploit websites running Struts 2 by sending crafted requests to the hosted site, to which the web server responds by executing commands of the attacker’s choosing. That would allow an attacker to copy or delete consumer data, install additional malware, or take other malicious action. Indeed, Equifax disclosed in September 2017 that a different Struts vulnerability, for which Apache had published a fix in March 2017, had been exploited in a breach discovered on July 29, 2017, that compromised the sensitive information of approximately 143 million people.

If your company uses Apache Struts 2 and you suspect that its security has been breached in Louisiana, please review and consider your potential obligations under the recent changes to Louisiana’s Database Security Breach Notification Law and contact your data security attorney.

******************************************

[1] https://cwiki.apache.org/confluence/display/WW/S2-057.

[2] https://cwiki.apache.org/confluence/display/WW/S2-057.