Proof-of-concept exploit published shortly after disclosure of critical Apache Struts 2 flaw

Two days after the Apache Software Foundation released a software update to address a critical remote code execution vulnerability in its Apache Struts 2 web app development framework, researchers from Recorded Future revealed that they discovered a proof-of-concept exploit on GitHub.

They also uncovered a Python script that helps allow for easy exploitation, as well as chatter regarding the bug's exploitation in Chinese and Russian underground forums.

The flaw, CVE-2018-11776, is the result of improper validation of trusted user data in the very core of Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16. Attackers can exploit this "by injecting their own namespace as a parameter in an HTTP request, explained an Aug. 22 blog post by software analytics firm Semmle, whose researcher discovered the problem.

“Semmle will not confirm whether the reported PoC that has been published is a working PoC. If it is, attackers now have a quicker way into the enterprise," said Semmle CEO Oege de Moor, in response to the proof-of-concept report.

Allan Liska, senior security architect at Recorded Future, warned in a company blog post last week that the vulnerability appears to be easier to exploit than the Struts flaw used in the 2017 Equifax breach "because it does not require the Apache Struts installation to have any additional plug-ins running in order to successfully exploit it."

"The worst part for many large organizations is that they may not even know they are vulnerable because Struts underpins a number of different systems," Liska added in emailed comments.