
Security update issued after critical RCE vulnerability found in core of Apache Struts

Users of the open-source Apache Struts 2 web app development framework have been urged to update their software following today's disclosure of a critical remote code execution vulnerability that leaves commonly used endpoints prone to exploitation.

Discovered on April 10 by Man Yue Mo, a security researcher at software analytics firm Semmle, the flaw stems from insufficient validation of untrusted user input in the very core of Struts, and affects versions 2.3 through 2.3.34 and 2.5 through 2.5.16. On June 25, the Apache Software Foundation published the code change that patches the problem, and today followed that up with the release of fixed versions 2.3.35 and 2.5.17.

Applications that are vulnerable to the bug, designated CVE-2018-11776, can be exploited via at least two attack vectors. As the Apache Struts developers explain in their security bulletin: "It is possible to perform a RCE attack when namespace value isn't set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace."

Attackers can exploit this situation "by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string," explains Semmle in its own blog post, referring to Object-Graph Navigation Language, the expression language Struts evaluates when it resolves namespaces, results and other configuration values. However, Semmle notes, applications are only vulnerable to such attacks when both of the following conditions hold:

1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration.

2. The Struts config file contains an <action ...> tag that does not specify the optional namespace attribute, or specifies a wildcard namespace.
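To make the two preconditions concrete, here is an added example (not code from SC Media, Semmle or the Apache Struts project) that checks a struts.xml and a Struts version against them. The struts.xml samples are constructed for this example. One caveat a practitioner should know: the alwaysSelectFullNamespace constant is false by default in core Struts, but the Struts Convention plugin sets it to true in its own plugin configuration, so applications that use that plugin satisfy condition 1 without ever writing the constant themselves. In struts.xml the namespace is an attribute of <package>, and actions inherit it, so the check looks at packages with no namespace or a wildcard namespace.

```python
"""Check a Struts 2 application for the preconditions of CVE-2018-11776.

Added example. It reports whether struts.mapper.alwaysSelectFullNamespace
is enabled, lists actions whose package has no namespace or a wildcard one,
and tests the Struts version against the affected ranges in the advisory
(2.3 through 2.3.34 and 2.5 through 2.5.16).
"""
import xml.etree.ElementTree as ET

# Constructed sample: both preconditions present.
VULNERABLE_STRUTS_XML = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <!-- no namespace attribute: the request path supplies it -->
    <action name="index" class="com.example.IndexAction">
      <result>index.jsp</result>
    </action>
  </package>
  <package name="api" namespace="/*" extends="struts-default">
    <!-- wildcard namespace: same exposure -->
    <action name="data" class="com.example.DataAction">
      <result>data.jsp</result>
    </action>
  </package>
</struts>
"""

# Constructed sample: constant disabled and every package scoped explicitly.
HARDENED_STRUTS_XML = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result>index.jsp</result>
    </action>
  </package>
  <package name="api" namespace="/api" extends="struts-default">
    <action name="data" class="com.example.DataAction">
      <result>data.jsp</result>
    </action>
  </package>
</struts>
"""

CONSTANT = "struts.mapper.alwaysSelectFullNamespace"


def full_namespace_enabled(root):
    """Condition 1: is alwaysSelectFullNamespace set to true in this file?

    Returns False when the constant is absent (the core framework default).
    Note: the Convention plugin enables it in its own plugin config, which
    this single-file check cannot see; treat plugin users as enabled.
    """
    for const in root.iter("constant"):
        if const.get("name") == CONSTANT:
            return const.get("value", "").strip().lower() == "true"
    return False


def unscoped_actions(root):
    """Condition 2: actions in packages with no namespace or a wildcard one."""
    hits = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or ns.strip() == "" or "*" in ns:
            for action in pkg.findall("action"):
                hits.append((pkg.get("name"), action.get("name")))
    return hits


def version_affected(version):
    """True for 2.3 .. 2.3.34 and 2.5 .. 2.5.16, the ranges in the advisory."""
    parts = [int(p) for p in version.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)          # "2.5" means 2.5.0
    major, minor, patch = parts
    if (major, minor) == (2, 3):
        return patch <= 34
    if (major, minor) == (2, 5):
        return patch <= 16
    return False                 # outside the ranges the advisory lists


def assess(struts_xml, version):
    """Combine the checks; exploitable only if version and both conditions hold."""
    root = ET.fromstring(struts_xml)
    flag = full_namespace_enabled(root)
    unscoped = unscoped_actions(root)
    affected = version_affected(version)
    return {
        "version_affected": affected,
        "always_select_full_namespace": flag,
        "unscoped_actions": unscoped,
        "exploitable": affected and flag and bool(unscoped),
    }


if __name__ == "__main__":
    for label, xml, ver in (("vulnerable", VULNERABLE_STRUTS_XML, "2.5.16"),
                            ("hardened", HARDENED_STRUTS_XML, "2.5.17")):
        print(label, assess(xml, ver))
```

Upgrading to 2.3.35 or 2.5.17 is the fix; the configuration changes in the hardened sample only narrow the conditions under which an unpatched deployment can be reached and do not replace the patch.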

Semmle further reports that CVE-2018-11776 is similar to CVE-2017-5638, a vulnerability that was exploited in the infamous Equifax data breach.

"Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit," said Pavel Avgustinov, Semmle co-founder and VP of QL engineering, in the company blog post. "A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It's crucially important to update affected systems immediately; to wait is to take an irresponsible risk."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
