PoC exploit for critical Apache Struts flaw found online


The Apache Software Foundation revealed last week the existence of a critical Apache Struts flaw (CVE-2018-11776) similar to the one exploited in the Equifax breach and urged organizations and developers to upgrade their installations to versions 2.3.35 or 2.5.17.

The vulnerability was flagged by Semmle security researcher Man Yue Mo and the company joined ASF’s entreaties for speedy mitigation. “Previous disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk,” they noted.

A PoC exploit is online

As expected, it didn’t take long for a Proof-of-Concept (PoC) exploit to pop up. Recorded Future researchers found it on GitHub, along with a Python script that allows for easy exploitation.

They also noted that there have been talks of exploitation on a number of Chinese and Russian underground forums.

“Apache Struts is a very popular Java framework and there are potentially hundreds of millions of vulnerable systems that could be exploited by this flaw. Most often, scanners will trick servers into returning a Java stack trace as a way of identifying potential Struts servers — other tricks include looking for certain files or directories,” they explained.

“Unlike last year’s Apache Struts exploit (CVE-2017-5638), which was at the center of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running in order to successfully exploit it.”

Semmle CEO Oege de Moor declined to confirm whether the released PoC in question is a working PoC, but said that if it is, attackers now have a quicker way into the enterprise.

“There is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can’t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure,” he said.

“The Equifax breach happened not because the vulnerability wasn’t fixed, but because Equifax hadn’t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn’t had the time to update their software will now be at even greater risk.”

Fixes and mitigations

If you cannot perform the update immediately, there are ways to mitigate the risk of exploitation.

“Verify that you have set (and always not forgot to set) namespace (if it is applicable) for all your defined results in underlying configurations. Also verify that you have set (and always not forgot to set) value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace,” the ASF advises.
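To make the ASF advice concrete, here is an added illustration (not taken from the article or from the ASF advisory) of a struts.xml fragment showing the risky pattern the advisory describes, followed by the hardened form, plus the matching JSP url tag; the package, action and class names are hypothetical.

```xml
<!-- Risky pattern (hypothetical example): the package is declared with a
     wildcard namespace and the redirectAction result names a target action
     without stating which namespace it lives in, so the framework has to
     derive the namespace at request time. -->
<struts>
  <package name="app" extends="struts-default" namespace="/*">
    <action name="login" class="com.example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
</struts>

<!-- Hardened form: the package has an explicit, non-wildcard namespace and
     every redirect/chain result states its own namespace, so nothing about
     the destination is taken from the incoming request. -->
<struts>
  <package name="app" extends="struts-default" namespace="/app">
    <action name="login" class="com.example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>

<!-- JSP (hypothetical): give every url tag an explicit action or value,
     and an explicit namespace, instead of leaving them empty. -->
<s:url action="home" namespace="/app" var="homeUrl"/>
<a href="<s:property value='#homeUrl'/>">Home</a>
```

Audit every result of type redirectAction or chain and every s:url / s:a tag in the application, not just the examples above, since the advisory's condition applies wherever an action's namespace is absent or a wildcard.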

Palo Alto Networks’ Christopher Budd also warns about the increased risk of exploitation if the application uses the popular Struts Convention plugin.