Potential Apache Struts 2 RCE flaw fixed, PoCs released

Have you already updated your Apache Struts 2 to version 2.5.22, released in November 2019? You might want to, and quickly, as information about a potential RCE vulnerability (CVE-2019-0230) and PoC exploits for it have been published.

CVE-2019-0230

About the vulnerability (CVE-2019-0230)

“CVE-2019-0230 is a forced double Object-Graph Navigation Language (OGNL) evaluation vulnerability that occurs when Struts tries to perform an evaluation of raw user input inside of tag attributes. An attacker could exploit this vulnerability by injecting malicious OGNL expressions into an attribute used within an OGNL expression,” Tenable researchers explained.

It’s rated as important (i.e., not critical) by the Apache Struts Security Team, but could allow attackers to achieve remote code execution.

“There is still not enough information about the potential impact of this vulnerability under real world conditions, but caution is certainly warranted regarding this flaw,” the researchers noted, especially because PoCs for it have been popping up on GitHub.

Whether they will be useful or not remains to be seen, though.

“It’s important to note that because each Struts application is unique, the actual payload needed to exploit it will differ from application to application. Additionally, the application would need to be developed in such a way that it allows an attacker to supply unvalidated input into an attribute used inside of an OGNL expression,” the researchers explained.

CVE-2019-0230 and CVE-2019-0233 (a DoS bug) affect Apache Struts versions 2.0.0 to 2.5.20. They’ve both been fixed in version 2.5.22, to which admins are urged to upgrade (if they haven’t already).

“We continue to urge developers building upon Struts 2 to not use %{…} syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities,” René Gielen, Struts Project Management Committee chair, added.

About Apache Struts 2

Apache Struts 2 is a widely-used open source web application framework for developing Java EE web applications.

A few years ago, analyst Fintan Ryan at RedMonk estimated that nearly 65% of Fortune 100 firms actively use web applications built with the Apache Struts framework.

A security hole (CVE-2017-563) in Apache Struts 2 is how hackers managed to get in to execute the infamous 2017 Equifax data breach, after the company’s site administrators failed to quickly implement the security update that fixed it.

Other critical vulnerabilities affecting the solution have since been unearthed and PoC exploits released for them (e.g., CVE-2018-11776).

CVE-2017-5638 has recently been listed by the US Cybersecurity and Infrastructure Security Agency as one of the ten most often exploited flaws between 2016 and 2019.

RiskSense also recently pointed out that WordPress and Apache Struts had the most weaponized vulnerabilities.

“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance, or inherent security of applications,” RiskSense CEO Srinivas Mukkamala noted.

“As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”

Don't miss