Malware, Network Security, Patch/Configuration Management, Vulnerability Management

Proof-of-concept exploit published shortly after disclosure of critical Apache Struts 2 flaw

Two days after the Apache Software Foundation released a software update to address a critical remote code execution vulnerability in its Apache Struts 2 web app development framework, researchers from Recorded Future revealed that they discovered a proof-of-concept exploit on GitHub.

They also uncovered a Python script that helps allow for easy exploitation, as well as chatter regarding the bug's exploitation in Chinese and Russian underground forums.

The flaw, CVE-2018-11776, is the result of improper validation of trusted user data in the very core of Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16. Attackers can exploit this "by injecting their own namespace as a parameter in an HTTP request, explained an Aug. 22 blog post by software analytics firm Semmle, whose researcher discovered the problem.

“Semmle will not confirm whether the reported PoC that has been published is a working PoC. If it is, attackers now have a quicker way into the enterprise," said Semmle CEO Oege de Moor, in response to the proof-of-concept report.

Allan Liska, senior security architect at Recorded Future, warned in a company blog post last week that the vulnerability appears to be easier to exploit than the Struts flaw used in the 2017 Equifax breach "because it does not require the Apache Struts installation to have any additional plug-ins running in order to successfully exploit it."

"The worst part for many large organizations is that they may not even know they are vulnerable because Struts underpins a number of different systems," Liska added in emailed comments.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.