#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

Apache | Breaking Cybersecurity News | The Hacker News

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

Dec 12, 2023 Vulnerability / Software Security
Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as  CVE-2023-50164 , the vulnerability is  rooted  in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file and achieve execution of arbitrary code. Struts is a Java framework that uses the Model-View-Controller ( MVC ) architecture for building enterprise-oriented web applications. Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software - Struts 2.3.37 (EOL) Struts 2.5.0 - Struts 2.5.32, and Struts 6.0.0 - Struts 6.3.0 Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue. "All developers are strongly advised to perform this upgr
Experts Warn of Ransomware Hackers Exploiting Atlassian and Apache Flaws

Experts Warn of Ransomware Hackers Exploiting Atlassian and Apache Flaws

Nov 07, 2023 Cyber Threat / Malware
Multiple ransomware groups have begun to actively exploit recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Cybersecurity firm Rapid7  said  it observed the exploitation of  CVE-2023-22518  and  CVE-2023-22515  in multiple customer environments, some of which have been leveraged for the deployment of  Cerber  (aka  C3RB3R ) ransomware. Both vulnerabilities are critical, allowing threat actors to create unauthorized Confluence administrator accounts and lead to a loss of confidentiality, integrity, and availability. Atlassian, on November 6,  updated its advisory  to note that it observed "several active exploits and reports of threat actors using ransomware" and that it is revising the CVSS score of the flaw from 9.1 to 10.0, indicating maximum severity. The escalation, the Australian company said, is due to the change in the scope of the attack. Attack chains involve mass exploitation of vulnerable internet-facing Atlassian Confluence servers to
Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

Apr 15, 2024Active Directory / Attack Surface
To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to  privileged identity management  aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.  What is JIT and why is it important?   JIT privileged access provisioning  involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so. One of the key advantages of JIT provisioning
HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

Nov 02, 2023 Threat Intelligence / Vulnerability
Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7  disclosed  in a report published Wednesday. "Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October." The intrusions are said to involve the exploitation of  CVE-2023-46604 , a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands. It's worth noting that the  vulnerability  carries a CVSS score of 10.0, indicating maximum severity. It has been  addressed  in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3
cyber security

WATCH: The SaaS Security Challenge in 90 Seconds

websiteAdaptive ShieldSaaS Security / Cyber Threat
Discover how you can overcome the SaaS security challenge by securing your entire SaaS stack with SSPM.
Apache OpenMeetings Web Conferencing Tool Exposed to Critical Vulnerabilities

Apache OpenMeetings Web Conferencing Tool Exposed to Critical Vulnerabilities

Jul 20, 2023 Vulnerability / Software Security
Multiple security flaws have been disclosed in Apache OpenMeetings, a web conferencing solution, that could be potentially exploited by malicious actors to seize control of admin accounts and run malicious code on susceptible servers. "Attackers can bring the application into an unexpected state, which allows them to take over any user account, including the admin account," Sonar vulnerability researcher Stefan Schiller  said  in a report shared with The Hacker News. "The acquired admin privileges can further be leveraged to exploit another vulnerability allowing attackers to execute arbitrary code on the Apache OpenMeetings server." Following responsible disclosure on March 20, 2023, the vulnerabilities were addressed with the release of  Openmeetings version 7.1.0  that was released on May 9, 2023. The list of three flaws is as follows - CVE-2023-28936  (CVSS score: 5.3) - Insufficient check of invitation hash CVE-2023-29032  (CVSS score: 8.1) - An authenti
Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks

Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks

Apr 26, 2023 Server Security / Vulnerability
The maintainers of the  Apache Superset  open source data visualization software have released fixes to plug an insecure default configuration that could lead to remote code execution. The vulnerability, tracked as  CVE-2023-27524  (CVSS score: 8.9), impacts versions up to and including 2.0.1 and relates to the use of a default SECRET_KEY that could be abused by attackers to authenticate and access unauthorized resources on internet-exposed installations. Naveen Sunkavally, the chief architect at Horizon3.ai, described the issue as "a dangerous default configuration in Apache Superset that allows an unauth attacker to gain remote code execution, harvest credentials, and compromise data." It's worth noting that the flaw does not affect Superset instances that have changed the default value for the SECRET_KEY config to a more cryptographically secure random string. The cybersecurity firm, which found that the SECRET_KEY is defaulted to the value "\x02\x01thisismy
Hackers Started Exploiting Critical "Text4Shell" Apache Commons Text Vulnerability

Hackers Started Exploiting Critical "Text4Shell" Apache Commons Text Vulnerability

Oct 21, 2022
WordPress security company Wordfence on Thursday said it started detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022. The vulnerability, tracked as  CVE-2022-42889  aka Text4Shell , has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library. It's also similar to the now infamous  Log4Shell  vulnerability in that the  issue  is rooted in the manner  string substitutions  carried out during  DNS, script, and URL lookups  could lead to the execution of arbitrary code on susceptible systems when passing untrusted input. "The attacker can send a crafted payload remotely using 'script,' 'dns,' and 'url' lookups to achieve arbitrary remote code execution," the Zscaler ThreatLabZ team explained . A  successful exploitation of the flaw  can enable a threat actor to open a reverse shell connection with the vulnerable
QNAP Advises Users to Update NAS Firmware to Patch Apache HTTP Vulnerabilities

QNAP Advises Users to Update NAS Firmware to Patch Apache HTTP Vulnerabilities

Apr 22, 2022
Network-attached storage (NAS) appliance maker QNAP on Thursday said it's investigating its lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month. The critical flaws, tracked as  CVE-2022-22721 and CVE-2022-23943 , are rated 9.8 for severity on the CVSS scoring system and impact Apache HTTP Server versions 2.4.52 and earlier - CVE-2022-22721  - Possible buffer overflow with very large or unlimited LimitXMLRequestBody CVE-2022-23943  - Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server Both the vulnerabilities, alongside CVE-2022-22719 and CVE-2022-22720, were remediated by the project maintainers as part of  version 2.4.53 , which was shipped on March 14, 2022. "While CVE-2022-22719 and CVE-2022-22720 do not affect QNAP products, CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device,"
High-Severity RCE Security Bug Reported in Apache Cassandra Database Software

High-Severity RCE Security Bug Reported in Apache Cassandra Database Software

Feb 16, 2022
Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution (RCE) on affected installations. "This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra," Omer Kaspi, security researcher at DevOps firm JFrog,  said  in a technical write-up published Tuesday. Apache Cassandra is an open-source, distributed, NoSQL database management system for managing very large amounts of structured data across commodity servers. Tracked as  CVE-2021-44521  (CVSS score: 8.4), the vulnerability concerns a specific scenario where the configuration for user-defined functions ( UDFs ) are enabled, effectively allowing an attacker to leverage the  Nashorn  JavaScript engine, escape the sandbox, and achieve execution of untrusted code. Specifically, it was fou
New Apache Log4j Update Released to Patch Newly Discovered Vulnerability

New Apache Log4j Update Released to Patch Newly Discovered Vulnerability

Dec 29, 2022
The Apache Software Foundation (ASF) on Tuesday rolled out fresh patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems, making it the fifth security shortcoming to be discovered in the tool in the span of a month. Tracked as  CVE-2021-44832 , the vulnerability is rated 6.6 in severity on a scale of 10 and impacts all versions of the logging library from 2.0-alpha7 to 2.17.0 with the exception of 2.3.2 and 2.12.4. While Log4j versions 1.x are not affected, users are recommended to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later). "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JND
Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released

Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released

Dec 15, 2021
UPDATE — The severity score of CVE-2021-45046, originally classified as a DoS bug, has since been revised from 3.7 to 9.0, to reflect the fact that an attacker could abuse the vulnerability to send a specially crafted string that leads to "information leak and remote code execution in some environments and local code execution in all environments." The Apache Software Foundation (ASF) has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed  Log4Shell  exploit was deemed as "incomplete in certain non-default configurations." The second vulnerability — tracked as  CVE-2021-45046  — is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, which the project maintainers shipped last week to address a critical remote code execution vulnerability (CVE-2021-44228) that could be abused to infiltrate and take over systems. The
New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks

New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks

Oct 08, 2021
The Apache Software Foundation on Thursday released additional security updates for its HTTP Server product to remediate what it says is an "incomplete fix" for an  actively exploited  path traversal and remote code execution flaw that it patched earlier this week. CVE-2021-42013 , as the new vulnerability is identified as, builds upon  CVE-2021-41773 , a flaw that impacts Apache web servers running version 2.4.49 and involves a  path normalization  bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server. Although the flaw was addressed by the maintainers in version 2.4.50, a day after the patches were released it became known that the weakness could also be abused to gain remote code execution if the "mod_cgi" module was loaded and the configuration "require all denied" was absent, prompting Apache to issue another round of emergency updates. "It was found that the fix for CVE-2021-41773 in Apache HTT
Apache Warns of Zero-Day Exploit in the Wild — Patch Your Web Servers Now!

Apache Warns of Zero-Day Exploit in the Wild — Patch Your Web Servers Now!

Oct 05, 2021
Apache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP server that it said is being actively exploited in the wild. "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root," the open-source project maintainers  noted  in an advisory published Tuesday. "If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts." The flaw, tracked as  CVE-2021-41773 , affects only Apache HTTP server version 2.4.49. Ash Daulton and cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021. Source: PT SWARM Also resolved by Apache is a null pointer dereference vulnerability observed during pr
New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers

New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers

Feb 01, 2021
A financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of their malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research. Deployed by the China-based cybercrime group  Rocke , the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, as well as harbors new evasion tactics to sidestep cybersecurity companies' detection methods, Palo Alto Networks' Unit 42 researchers  said  in a Thursday write-up. "Pro-Ocean uses known vulnerabilities to target cloud applications," the researchers detailed. "In our analysis, we found Pro-Ocean targeting Apache ActiveMQ ( CVE-2016-3088 ), Oracle WebLogic ( CVE-2017-10271 ) and Redis (unsecure instances)." "Once installed, the malware kills any process that uses the CPU heavily, so that it's able to use 100% of the CPU and mine Monero efficiently." First documented
Google Researcher Reported 3 Flaws in Apache Web Server Software

Google Researcher Reported 3 Flaws in Apache Web Server Software

Aug 25, 2020
If your web-server runs on Apache, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control over it. Apache recently fixed multiple vulnerabilities in its web server software that could have potentially led to the execution of arbitrary code and, in specific scenarios, even could allow attackers to cause a crash and denial of service. The flaws, tracked as CVE-2020-9490, CVE-2020-11984, CVE-2020-11993, were uncovered by Felix Wilhelm of Google Project Zero, and have since been addressed by the Apache Foundation in the latest version of the software ( 2.4.46 ). The first of the three issues involve a possible remote code execution vulnerability due to a buffer overflow with the "mod_uwsgi" module (CVE-2020-11984), potentially allowing an adversary to view, change, or delete sensitive data depending on the privileges associated with an application running on the server. "[A] Malici
GhostCat: New High-Risk Vulnerability Affects Servers Running Apache Tomcat

GhostCat: New High-Risk Vulnerability Affects Servers Running Apache Tomcat

Feb 28, 2020
If your web server is running on Apache Tomcat, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control over it. Yes, that's possible because all versions (9.x/8.x/7.x/6.x) of the Apache Tomcat released in the past 13 years have been found vulnerable to a new high-severity (CVSS 9.8) ' file read and inclusion bug '—which can be exploited in the default configuration. But it's more concerning because several proof-of-concept exploits ( 1 , 2 , 3 , 4  and more ) for this vulnerability have also been surfaced on the Internet, making it easy for anyone to hack into publicly accessible vulnerable web servers. Dubbed ' Ghostcat ' and tracked as CVE-2020-1938 , the flaw could let unauthenticated, remote attackers read the content of any file on a vulnerable web server and obtain sensitive configuration files or source code, or execute arbitrary code if the server allows file uploa
Apache Tomcat Patches Important Remote Code Execution Flaw

Apache Tomcat Patches Important Remote Code Execution Flaw

Apr 15, 2019
The Apache Software Foundation (ASF) has released new versions of its Tomcat application server to address an important security vulnerability that could allow a remote attacker to execute malicious code and take control of an affected server. Developed by ASF, Apache Tomcat is an open source web server and servlet system, which uses several Java EE specifications such as Java Servlet, JavaServer Pages (JSP), Expression Language, and WebSocket to provide a "pure Java" HTTP web server environment for Java concept to run in. The remote code execution vulnerability ( CVE-2019-0232 ) resides in the Common Gateway Interface (CGI) Servlet when running on Windows with enableCmdLineArguments enabled and occurs due to a bug in the way the Java Runtime Environment (JRE) passes command line arguments to Windows. Since the CGI Servlet is disabled by default and its option enableCmdLineArguments is disabled by default in Tomcat 9.0.x, the remote code execution vulnerability has
New Apache Web Server Bug Threatens Security of Shared Web Hosts

New Apache Web Server Bug Threatens Security of Shared Web Hosts

Apr 02, 2019
Mark J Cox, one of the founding members of the Apache Software Foundation and the OpenSSL project, today posted a tweet warning users about a recently discovered important flaw in Apache HTTP Server software. The Apache web server is one of the most popular, widely used open-source web servers in the world that powers almost 40 percent of the whole Internet. The vulnerability, identified as CVE-2019-0211 , was discovered by Charles Fol , a security engineer at Ambionics Security firm, and patched by the Apache developers in the latest version 2.4.39 of its software released today. The flaw affects Apache HTTP Server versions 2.4.17 through 2.4.38 and could allow any less-privileged user to execute arbitrary code with root privileges on the targeted server. "In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interprete
New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers

New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers

Aug 22, 2018
Semmle security researcher Man Yue Mo has disclosed a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. Apache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. The vulnerability ( CVE-2018-11776 ) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations. The newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable applicatio
Cybersecurity Resources