Users of the open-source Apache Struts 2 web app development framework have been urged to update their software following today’s disclosure of a critical remote code execution vulnerability that leaves commonly used endpoints prone to exploitation.
Discovered last April 10 by Man Yue Mo, security researcher at software analytics firm Semmle, the flaw is the result of improper validation of trusted user data in the very core of Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16. On June 25, the Apache Software Foundation published the code change that patches the problem, and followed that action up today with the release of fixed versions 2.3.35 and 2.5.17.
Applications that are vulnerable to the bug, designated CVE-2018-11776, can be exploited via at least two attack vectors. As the Apache Struts developers explain in their security bulletin: “It is possible to perform a RCE attack when
namespace value isn’t set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard
namespace. Same possibility when using
url tag which doesn’t have
action set and in same time, its upper action(s) configurations have no or wildcard
Attackers can exploit this situation “by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string,” explains Semmle in its own blog post, referring to Object-Graph Navigation Language, which is used to customize Apache Struts’ behavior. However, Semmle notes, applications are only vulnerable to such attacks under two conditions:
1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration.
2. The Struts config file contains contains an <action …> tag that does not specify the optional namespace attribute, or specifies a wildcard namespace.
Semmle further reports that CVE-2018-11776 is similar to CVE-2017-5638, a vulnerability that was exploited in the infamous Equifax data breach.
“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” said Pavel Avgustinov, Semmle co-founder and VP of QL engineering, in the company blog post. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”