A vulnerability has been discovered in Apache Struts2, a framework for providing application services through a web server.
What is the risk?
When successfully exploited, this vulnerability gives a cyber attacker the ability to run commands on the web server running the affected software. Exploiting this vulnerability does not require sophisticated technical skill. Active exploits have been widely detected across the Internet.
What is Harvard Information Security doing?
Harvard Information Security is identifying vulnerable sites and developing defensive options, but if you are administering a web server with Struts2, do not wait for us to contact you.
What should I do?
If you are responsible for administering a web server with Apache Struts2, you need to patch as soon as possible. Priority should be given to Internet-facing servers. Follow the patching guidance at https://cwiki.apache.org/confluence/display/WW/S2-045.