Apache Struts 2 is a critical component that helps developers build websites using Java technology, and it already powers billions of web servers worldwide, including government, banking and corporate websites. A serious flaw has been found in it, named S2-020. This flaw allowed hackers to steal data stored on web servers, such as passwords, other sensitive information, and credit/debit card details.

The biggest threat to web users concerns the sensitive data stored on web servers, which hackers may be able to access by taking advantage of the Struts 2 security flaw. This type of attack is also known as remote code execution, and it can pose a significant threat to a website as well as to its users.

Threat technical details: In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, the correction was not sufficient. A security fix release fully addressing this issue is in preparation and will be released as soon as possible.

The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3, which is vulnerable and allows DoS attacks. Additionally, ParametersInterceptor allows access to the 'class' parameter, which is directly mapped to the getClass() method and so allows ClassLoader manipulation.
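Because the weakness is a request parameter name that walks into the 'class' property, a defender can spot such requests in web server access logs before the fix release lands. The following is an added example (not code from the Struts project or from this post): a small Python detector whose parameter-name pattern is my own construction, modelled on the idea of a parameter exclusion list, and whose log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A parameter name reaches the bean's getClass() when "class" appears as a
# leading path segment, a nested segment (user.class...), or a bracketed
# segment (['class']). Case-insensitive, since OGNL property lookup is
# forgiving. This pattern is an assumption of this example, not the
# Struts project's own excludeParams setting.
CLASS_PARAM = re.compile(r"(^|\.|\[['\"])class(\.|\[|['\"]\]|$)", re.IGNORECASE)


def is_class_manipulation(param_name: str) -> bool:
    """True if the parameter name addresses the 'class' property."""
    return CLASS_PARAM.search(param_name) is not None


def suspicious_params(url: str) -> list:
    """Return the query parameter names in `url` that address 'class'."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if is_class_manipulation(name)]


def scan_access_log(lines):
    """Yield (client_ip, offending_param_names) for each matching log line."""
    # Common Log Format: ip - - [time] "METHOD path HTTP/x" status bytes
    request = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
    for line in lines:
        m = request.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group(2))
        if hits:
            yield m.group(1), hits


# Constructed sample log lines (not real traffic); only the second and third
# carry a parameter name that walks into the 'class' property.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Apr/2014:10:00:01 +0000] "GET /app/login.action?username=bob&password=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Apr/2014:10:00:02 +0000] "GET /app/login.action?class.classLoader.foo=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Apr/2014:10:00:03 +0000] "GET /app/user.action?user.Class.foo=1&classic=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, params in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {params}")
```

Note that an ordinary parameter such as `classic` does not match, because the pattern requires `class` to be a complete path segment.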

To prevent the security flaw, the website operator/server administrator must manually apply the security patch on the server. I am recommending that each user avoid or limit the use or transmission of sensitive data until you get notice/info from the website's organization.