A critical vulnerability in Apache Struts, a popular open source framework for developing web applications, opens any server running an app built using it to remote attackers.
It can be exploited easily by sending a specially crafted web request to the application, and, according to SANS ISC handler Adrien de Beaupre, a working exploit has already been spotted.
About the vulnerability
The flaw (CVE-2017-9805) was spotted during a static code analysis by researchers with software code exploration provider Semmle.
“This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,” Bas van Schaik, a product manager at the company, explained. More technical details can be found here.
All versions of Struts since 2008 are affected.
The team notified the Apache Software Foundation about it in July, and on Tuesday the foundation pushed out a new version of Struts (v2.5.13) that fixes it. The researchers have yet to publish PoC code, but someone else apparently already created and released a working exploit.
“The Struts framework is used by an incredibly large number and variety of organizations. This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications. Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organizations who use Struts should upgrade their components immediately,” warns Man Yue Mo, one of the security researchers who discovered the vulnerability.
It is estimated that around 65% of all Fortune 100 companies are actively using web applications built with the Struts framework.
“The problem with deserialization vulnerabilities is that application code often relies precisely on the unsafe deserialization routines being exploited — therefore, anyone who is affected by this vulnerability needs to go beyond merely applying a patch and restarting the service, since the patch will make changes to how the underlying application will treat incoming data,” Tod Beardsley, Research Director at Rapid7, pointed out.
“Deserialization of untrusted user input (also known as CWE-502) is a somewhat well-known vulnerability pattern, and I would expect a public proof-of-concept exploit to surface well before most enterprises have committed to a patch, given the complications that this patch introduces. Organisations that rely on Struts to power their websites need to start that application-level testing now so as to avoid becoming the next victims in a wave of automated attacks that leverage this vulnerability.”
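The CWE-502 pattern Beardsley describes, and the reason a fix can break legitimate traffic, is easiest to see in a small deserializer. The following is an added illustration written for this article, not code from Struts, Semmle or Rapid7: it uses Python's pickle as a stand-in for any serialization library, and contrasts an unrestricted loader (any type named in the input is instantiated) with an allow-listed loader that only reconstructs types the application has explicitly approved. The `Booking` and `Unlisted` classes and the `ALLOWED` set are assumptions made for the demonstration. The point mirrors the article: the hardened loader still accepts the application's own objects, but any input referring to a type outside the allow-list is rejected before it is instantiated, which is exactly the kind of behavioural change that needs application-level testing after a patch.

```python
import io
import pickle
import sys


class Booking:
    """A domain type the application legitimately serializes (constructed for this example)."""

    def __init__(self, ref, seats):
        self.ref = ref
        self.seats = seats

    def __eq__(self, other):
        return isinstance(other, Booking) and (self.ref, self.seats) == (other.ref, other.seats)


class Unlisted:
    """Stands in for any type the application never intended to accept from the network."""


# Allow-list of (module, name) pairs the loader may reconstruct. Everything else is refused.
# Assumption: only Booking objects ever cross the trust boundary.
ALLOWED = {(Booking.__module__, "Booking")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that consults ALLOWED before resolving any class reference in the stream."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return getattr(sys.modules[module], name)
        # Refusing here means the disallowed type is never instantiated, so no
        # constructor or reduce hook of that type can run.
        raise pickle.UnpicklingError(f"type {module}.{name} is not allow-listed")


def unsafe_loads(data):
    """The CWE-502 anti-pattern: reconstruct whatever the untrusted bytes describe."""
    return pickle.loads(data)


def safe_loads(data):
    """Hardened variant: same wire format, but type resolution goes through the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Run both loaders over a legitimate and an unexpected object; return what happened."""
    proto = pickle.HIGHEST_PROTOCOL
    legit = pickle.dumps(Booking("ABC123", 2), protocol=proto)      # constructed input
    unexpected = pickle.dumps(Unlisted(), protocol=proto)           # constructed input

    results = {}
    # The application's own data still round-trips through the hardened loader.
    results["legit_accepted_by_safe"] = safe_loads(legit) == Booking("ABC123", 2)
    # The unrestricted loader happily instantiates a type it was never meant to handle.
    results["unexpected_instantiated_by_unsafe"] = isinstance(unsafe_loads(unexpected), Unlisted)
    # The hardened loader refuses before instantiation.
    try:
        safe_loads(unexpected)
        results["unexpected_rejected_by_safe"] = False
    except pickle.UnpicklingError:
        results["unexpected_rejected_by_safe"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Note that `safe_loads` still relies on the application's own types being safe to construct from attacker-chosen fields; an allow-list limits which types can appear, it does not validate their contents, so field validation after loading remains the application's job.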
This is definitely one instance when ASAP patching is of critical importance.
De Beaupre says that disabling access to the REST API used by Struts could be a temporary risk mitigation step until the organization is ready to upgrade to the fixed version.
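Both pieces of advice above (upgrade to 2.5.13, and in the meantime limit exposure of the REST plugin) start with knowing which deployments carry an older Struts core and which of those actually ship the REST plugin. The script below is an added example, not tooling from the article or from the Apache project: it walks a directory tree for Struts jars, reads the version from the file name, and reports per deployment whether the core is older than the fixed release and whether the REST plugin is present. The jar naming convention (`struts2-core-<version>.jar`, `struts2-rest-plugin-<version>.jar`) and the idea of grouping by the containing `lib` directory are assumptions; the sample tree it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Release that fixes CVE-2017-9805, per the advisory quoted in the article.
FIXED_VERSION = (2, 5, 13)

# Assumed jar naming: struts2-core-2.5.12.jar, struts2-rest-plugin-2.5.12.jar (3 or 4 numeric parts).
JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_jar_name(name):
    """Return (artifact, version_tuple) for a Struts jar file name, or None if it is not one."""
    m = JAR_RE.match(name)
    if not m:
        return None
    parts = [int(p) for p in m.groups()[1:] if p is not None]
    return m.group(1), tuple(parts)


def needs_upgrade(version):
    """True when the core version predates the fixed release (all earlier versions are affected)."""
    return version < FIXED_VERSION


def scan(root):
    """Group Struts jars by their containing directory (one per deployment) and assess each."""
    deployments = {}
    for path in Path(root).rglob("*.jar"):
        parsed = parse_jar_name(path.name)
        if parsed is None:
            continue
        artifact, version = parsed
        entry = deployments.setdefault(str(path.parent), {"core": None, "rest_plugin": False})
        if artifact == "struts2-core":
            entry["core"] = version
        else:
            entry["rest_plugin"] = True

    for entry in deployments.values():
        entry["needs_upgrade"] = entry["core"] is not None and needs_upgrade(entry["core"])
        # The REST plugin is the exposure path named in the article; a vulnerable core
        # with the plugin present is the case to prioritise (or to fence off meanwhile).
        entry["rest_exposed"] = entry["needs_upgrade"] and entry["rest_plugin"]
    return deployments


def make_sample_tree():
    """Build a constructed directory tree of empty jar files for demonstration; return its root."""
    root = Path(tempfile.mkdtemp(prefix="struts-scan-"))
    layout = {
        "booking/WEB-INF/lib": ["struts2-core-2.5.12.jar", "struts2-rest-plugin-2.5.12.jar"],
        "banking/WEB-INF/lib": ["struts2-core-2.5.13.jar", "struts2-rest-plugin-2.5.13.jar"],
        "legacy/WEB-INF/lib": ["struts2-core-2.3.34.jar", "commons-lang3-3.6.jar"],
    }
    for rel, jars in layout.items():
        d = root / rel
        d.mkdir(parents=True)
        for jar in jars:
            (d / jar).touch()
    return root


def summarize(root):
    """Map deployment name (top-level directory) to its assessment, for easy reporting."""
    out = {}
    for lib_dir, entry in scan(root).items():
        name = Path(lib_dir).relative_to(root).parts[0]
        out[name] = entry
    return out


if __name__ == "__main__":
    for name, entry in sorted(summarize(make_sample_tree()).items()):
        core = ".".join(map(str, entry["core"])) if entry["core"] else "unknown"
        print(f"{name}: core={core} needs_upgrade={entry['needs_upgrade']} "
              f"rest_plugin={entry['rest_plugin']} rest_exposed={entry['rest_exposed']}")
```

Deployments flagged `rest_exposed` are the ones where blocking the REST endpoints at the proxy or removing the plugin buys time; deployments with an old core but no REST plugin still need the upgrade, since the advice to patch applies to every affected version.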