New Critical Apache Struts Vulnerability Found

A new Apache Struts vulnerability has been found in the core functionality of Apache Struts. This is a serious vulnerability that allows remote code execution in certain configurations of the framework. The vulnerability may prove more serious than the one that was exploited in the Experian hack in 2017.

Apache Struts is an open-source framework used in many Java-based web applications. It has been estimated that at least 65% of Fortune 500 firms use Struts to some extent in their web applications.

The vulnerability was discovered by security researcher Man Yue Mo of Semmle and is being tracked as CVE-2018-11776. Semmle disclosed the vulnerability to the Apache Foundation, and the timing of its publication coincides with the release of a patch that fixes it.

The potential for exploitation is limited by the fact that only certain configurations of Apache Struts are vulnerable. While these configurations are unlikely to be used by the majority of companies, they are far from unusual.

The Apache Foundation has released details of the configurations that are vulnerable:

  • When the alwaysSelectFullNamespace flag is set to true, which is the default configuration using the Struts Convention plug-in.
  • When the Struts configuration file of an application has “a <action …> tag that does not identify the optional namespace attribute or specifies a wildcard namespace (e.g. ‘/*’)”.

Now that the vulnerability has been disclosed, all companies should update vulnerable versions of Struts as a priority. The vulnerability is present in all supported versions of Apache Struts 2. Users of Struts 2.3 have been advised to upgrade to 2.3.35, and users of 2.5 must upgrade to 2.5.17.
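The two configuration conditions listed above, together with the fixed release numbers, can be turned into a quick audit of an application's struts.xml. The following is an added example, not code from the article, Semmle or the Apache project; the sample struts.xml is constructed, and the audit assumes an action's effective namespace is its own `namespace` attribute if present, otherwise its package's.

```python
import xml.etree.ElementTree as ET
# Constructed sample struts.xml (assumed layout; not taken from any real application).
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="main" extends="struts-default" namespace="/">
    <action name="home" class="com.example.HomeAction"/>
  </package>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="report" class="com.example.ReportAction"/>
  </package>
  <package name="legacy" extends="struts-default">
    <action name="old" class="com.example.OldAction"/>
    <action name="admin" namespace="/admin" class="com.example.AdminAction"/>
  </package>
</struts>
"""
FIXED = {"2.3": (2, 3, 35), "2.5": (2, 5, 17)}  # fixed releases named in the article

def full_namespace_enabled(root):
    # Condition 1: the constant is set to true in this file. Caveat: the Convention
    # plug-in enables it by default, so an absent constant is not proof of safety.
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return const.get("value", "").strip().lower() == "true"
    return False

def risky_actions(root):
    # Condition 2: actions whose effective namespace (own attribute, else the
    # package's) is missing or contains a wildcard such as "/*".
    found = []
    for pkg in root.iter("package"):
        for act in pkg.findall("action"):
            ns = act.get("namespace", pkg.get("namespace"))
            if ns is None or "*" in ns:
                found.append((pkg.get("name"), act.get("name"), ns))
    return found

def audit(xml_text):
    # Both advisory conditions must hold for the configuration to be exposed.
    root = ET.fromstring(xml_text)
    enabled, risky = full_namespace_enabled(root), risky_actions(root)
    return {"full_namespace": enabled, "risky_actions": risky, "exposed": enabled and bool(risky)}

def needs_upgrade(version):
    # Installed version vs. the fixed 2.3.35 / 2.5.17 releases; unknown lines count as needing an upgrade.
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(".".join(version.split(".")[:2]))
    return fixed is None or parts < fixed
```

Run `audit()` over each struts.xml in a deployment and `needs_upgrade()` over the installed version; a configuration that is not flagged still needs the patch, since the check only covers what is visible in that one file.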

As Semmle noted in an August 22 blog post, earlier vulnerabilities in Apache Struts have led to exploits being developed within a day of a vulnerability being announced.

It is possible that targets can be easily identified, and attacks are inevitable. As the Experian hack showed, the failure to address Struts weaknesses can prove extremely damaging.