A critical remote code execution vulnerability (CVE-2018-11776) in Apache Struts, the popular open source framework for developing Java-based web apps, could allow remote attackers to run malicious code on the affected servers.
The vulnerability was discovered and reported by Semmle security researcher Man Yue Mo, and the company urges organizations and developers who use Struts to upgrade their Struts components immediately.
“Previous disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk,” they noted. (The infamous Equifax breach happened because of a similar flaw and lax patching.)
The Apache Software Foundation says that Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are affected, and that the unsupported versions of the framework may be also affected.
As noted by Tenable researchers, the vulnerability can be exploited only if the alwaysSelectFullNamespace flag is set to true in the Struts configuration and if the application’s Struts configuration file contains an
<action ...> tag that does not specify the optional namespace attribute or specifies a wildcard namespace (e.g., “/*”).
The Foundation advises users to upgrade to (the fixed) Apache Struts version 2.3.35 or 2.5.17 as soon as possible, but it does offer some temporary mitigation advice to those that can’t get patching quickly: “Verify that you have set (and always not forgot to set) namespace (if is applicable) for your all defined results in underlying configurations. Also verify that you have set (and always not forgot to set) value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace.”
Upgrading is the preferred action, though, as even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future.
The risk is high
Apache Struts is widely used by enterprises globally.
“Struts applications are often facing the public internet, and in most situations an attacker does not require any existing privileges to a vulnerable Struts application in order to launch an attack against it. To make matters worse, it is very easy for an attacker to assess whether an application is vulnerable, and it is likely that dedicated scanning tools will be available soon. Such tools will enable a malicious actor to quickly and automatically identify vulnerable applications,” Semmle researchers explained the risk. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system.”
Tim Mackey, technology evangelist at Synopsys, noted that in identifying CVE-2018-11776, the researcher looked at prior remote code execution vulnerabilities within Struts to determine if there was a coding pattern which lead to them.
“In the case of CVE-2018-11776, the root cause was a lack of input validation on the URL passed to the Struts framework. Unlike CVE-2018-11776, the prior vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern – and this concern relates to any library framework,” he explained.
“Validating the input to a function requires a clear definition of what is acceptable. It equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it’s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as its unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.”