Jann Horn , the Google Project Zero researcher who discovered Vulnerability-related.DiscoverVulnerability the Meltdown and Spectre CPU flaws , has a few words for maintainers of Ubuntu and Debian : raise your game on merging kernel security fixes , you 're leaving users exposed for weeks . Horn earlier this week released an `` ugly exploit '' for Ubuntu 18.04 , which `` takes about an hour to run before popping a root shell '' . The kernel bug is a cache invalidation flaw in Linux memory management that has been tagged as Vulnerability-related.DiscoverVulnerability CVE-2018-17182 , reported Vulnerability-related.DiscoverVulnerability to Linux kernel maintainers on September 12 . Linux founder Linus Torvalds fixed Vulnerability-related.PatchVulnerability it in his upstream kernel tree two weeks ago , an impressively fast single day after Horn reported Vulnerability-related.DiscoverVulnerability the issue . And within days it was also fixed Vulnerability-related.PatchVulnerability in the upstream stable kernel releases 4.18.9 , 4.14.71 , 4.9.128 , and 4.4.157 . There 's also a fix in release 3.16.58 . However , end users of Linux distributions are n't protected until each distribution merges the changes from upstream stable kernels , and then users install that updated release Vulnerability-related.PatchVulnerability . Between those two points , the issue also gets exposure on public Vulnerability-related.DiscoverVulnerability mailing lists , giving both Linux distributions and would-be attackers a chance to take action . `` The security issue was announced Vulnerability-related.DiscoverVulnerability on the oss-security mailing list on 2018-09-18 , with a CVE allocation on 2018-09-19 , making the need to ship new distribution kernels to users clearer , '' Horn wrote in a Project Zero post published Vulnerability-related.DiscoverVulnerability Wednesday . But as he noted , as of Wednesday , Debian stable and Ubuntu releases 16.04 and 18.04 had not fixed Vulnerability-related.PatchVulnerability the issue , with the latest kernel update occurring around a month earlier . This means there 's a gap of several weeks between the flaw being publicly disclosed Vulnerability-related.DiscoverVulnerability and fixes reaching end users . However , the Fedora project was a little faster , pushing Vulnerability-related.PatchVulnerability a fix to users on 22 September . Canonical , the UK company that maintains Ubuntu , has since responded to Horn 's blog , and says fixes `` should be released Vulnerability-related.PatchVulnerability `` around Monday , October 1 . This is unlikely to be the last kernel bug Project Zero researchers find , and unless Ubuntu and other Linux distributions get their act together on upstream kernel fixes , they can expect to be named and shamed again .

Apache Struts is an open-source web development framework for Java web applications . On Monday , the Apache Struts developers fixed Vulnerability-related.PatchVulnerability a high-impact vulnerability in the framework 's Jakarta Multipart parser . The vulnerability is very easy to exploit and allows attackers to execute system commands with the privileges of the user running the web server process . What 's even worse is that the Java web application does n't even need to implement file upload functionality via the Jakarta Multipart parser in order to be vulnerable . According to researchers from Qualys , the simple presence on the web server of this component , which is part of the Apache Struts framework by default , is enough to allow exploitation . `` Needless to say we think this is a high priority issue and the consequence of a successful attack is dire , '' said Amol Sarwate , director of Vulnerability Labs at Qualys , in a blog post . Companies who use Apache Struts on their servers should upgrade Vulnerability-related.PatchVulnerability the framework to versions 2.3.32 or 2.5.10.1 as soon as possible . Researchers from Cisco Talos have observed `` a high number of exploitation events . '' Some of them only execute the Linux command whoami to determine the privileges of the web server user and are probably used for initial probing . Others go further and stop the Linux firewall and then download an ELF executable that 's executed on the server . `` The payloads have varied but include an IRC bouncer , a DoS bot , and a sample related to the bill gates botnet , '' the Talos researchers said in a blog post . According to researchers from Spanish outfit Hack Players , Google searches indicate Vulnerability-related.DiscoverVulnerability 35 million web applications that accept `` filetype : action '' uploads and a high percentage of them are likely vulnerable Vulnerability-related.DiscoverVulnerability . It 's somewhat unusual that attacks have started so quickly after the flaw was announced Vulnerability-related.DiscoverVulnerability and it 's not yet clear whether an exploit for the vulnerability already existed in Vulnerability-related.DiscoverVulnerability closed circles before Monday . Users who ca n't immediately upgrade Vulnerability-related.PatchVulnerability to the patched Struts versions can apply a workaround that consists of creating a Servlet filter for Content-Type that would discard any requests not matching multipart/form-data . Web application firewall rules to block such requests are also available from various vendors