Oracle has confirmed that several of its products are affected by the recently disclosed Apache Struts 2 vulnerability, which is already being exploited in the wild.
The vulnerability, discovered in the open source web application framework by Semmle researcher Man Yue Mo, is tracked as CVE-2018-11776 and has been rated critical.
It allows an unauthenticated attacker to remotely execute arbitrary code on a targeted server by sending it a specially crafted request.
The existence of the flaw was disclosed August 22, and despite the availability of only limited technical information, proof-of-concept (PoC) exploits emerged within days.
On August 27, security firms started seeing scans for vulnerable Apache Struts 2 installations, as well as actual exploitation attempts.
Oracle notified customers of CVE-2018-11776 on Saturday and warned that Apache Struts 2 is a component of several of its product distributions. However, the company noted that not all products incorporating Struts 2 are necessarily vulnerable.
“When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system,” Oracle said in its advisory.
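The condition Oracle describes can be checked directly in a deployment's Struts configuration. The following audit script is an added example and is not code from the article, from Oracle or from the Apache Struts project. It parses a struts.xml, reads the struts.mapper.alwaysSelectFullNamespace constant, and flags packages whose actions are defined with no namespace or with a wildcard namespace; in struts.xml the namespace attribute lives on the enclosing <package> element and its <action> children inherit it. The two embedded configuration files, the package and action names and the com.example classes are constructed for the example.

```python
"""Audit a struts.xml for the configuration pattern Oracle's advisory describes.

Constructed example (not from the article, Oracle or Apache Struts): reports
packages that define actions without a namespace, or with a wildcard namespace,
when struts.mapper.alwaysSelectFullNamespace is set to true.
"""
import xml.etree.ElementTree as ET

CONSTANT_NAME = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample: one package with a concrete namespace, one with no
# namespace attribute at all, one with a wildcard namespace.
VULNERABLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="secure" namespace="/actions" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result>/login.jsp</result>
    </action>
  </package>
  <package name="nonamespace" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="help" class="com.example.HelpAction">
      <result>/help.jsp</result>
    </action>
  </package>
</struts>
"""

# Constructed hardened variant: constant explicitly false and every package
# that carries actions has a concrete namespace.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="secure" namespace="/actions" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result>/login.jsp</result>
    </action>
  </package>
  <package name="site" namespace="/site" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
</struts>
"""


def always_select_full_namespace(root):
    """Return True if the struts.xml sets the constant to true (default is false)."""
    for const in root.iter("constant"):
        if const.get("name") == CONSTANT_NAME:
            return const.get("value", "").strip().lower() == "true"
    return False


def risky_packages(root):
    """List (package name, reason) for packages with actions but no usable namespace."""
    findings = []
    for pkg in root.iter("package"):
        if not pkg.findall("action"):
            continue  # nothing routable in this package
        ns = pkg.get("namespace")
        if ns is None or ns.strip() == "":
            findings.append((pkg.get("name"), "no namespace attribute"))
        elif "*" in ns:
            findings.append((pkg.get("name"), f"wildcard namespace {ns!r}"))
    return findings


def audit(xml_text):
    """Combine both checks: packages are only 'exposed' when the constant is on."""
    root = ET.fromstring(xml_text)
    full_ns = always_select_full_namespace(root)
    risky = risky_packages(root)
    return {
        "alwaysSelectFullNamespace": full_ns,
        "risky_packages": risky,
        "exposed": risky if full_ns else [],
    }


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_STRUTS_XML),
                        ("hardened", HARDENED_STRUTS_XML)):
        report = audit(text)
        print(f"{label}: alwaysSelectFullNamespace={report['alwaysSelectFullNamespace']}")
        for name, reason in report["exposed"]:
            print(f"  EXPOSED package {name!r}: {reason}")
```

The script only reads constants declared in struts.xml; the same flag can also be set in struts.properties or via files pulled in with <include>, so a real audit has to cover those too. A clean result is a configuration-level observation only and does not replace upgrading Struts to a fixed release.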