There is functional proof-of-concept code in the wild targeting a new Apache Struts remote code execution (RCE) vulnerability. Researchers from Semmle, a cybersecurity firm, discovered the flaw and revealed it in a blog post on August 22. Less than 36 hours later, a proof-of-concept was found circulating in the wild—making it crucial for organizations to patch or mitigate the vulnerability as soon as possible.
What is the Apache Struts vulnerability?
The flaw (CVE-2018-11776) is the result of insufficient validation of untrusted user data in the core Struts framework. Under certain configuration conditions, a vulnerable system will evaluate a malicious OGNL (object-graph navigation language) statement within a crafted URL that points to a Struts “action” resource.
Certain configurations must be set for this exploit to work on a target system. If the alwaysSelectFullNamespace flag is set to “True” in the Struts configuration, and the Struts configuration file contains an “action” or “URL” tag that does not specify the optional namespace attribute or specifies a wildcard namespace, then the system is vulnerable.
This is a remote code execution attack. A successful exploit could provide attackers complete control of the target system—including the ability to execute arbitrary code remotely or upload malicious files to the target system, such as webshells or malware.
Take Action to Protect against Apache Struts RCE vulnerability
All systems running Struts 2.3 to 2.3.34 or Struts 2.5 to 2.5.16 are potentially vulnerable to this exploit. Other unsupported versions of Apache Struts may also be affected.
Organizations should take immediate action to mitigate this threat. The nature of this vulnerability combined with the already released exploit/proof-of-concept currently in the wild makes it likely that attackers will be able to wrap the exploit into existing automated attack and exploitation frameworks in a very short timeframe.
According to Semmle, all applications that use Struts are potentially vulnerable to exploit—even if no additional plugins have been enabled. Alert Logic suggests that companies using Apache Struts update their builds immediately. Struts 2.3 should be updated to version 2.3.35 or later, and Struts 2.5 should be upgraded to version 2.5.17 or later.
Alert Logic also recommends setting the namespace (where applicable) for all defined results in the underlying configurations, and setting a value or action for every URL tag in your JSPs. These settings are an Apache Struts security best practice and should be applied consistently across all Apache Struts deployments.
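To make the configuration conditions and the recommended mitigation concrete, here is an added audit script (not Alert Logic's or the Struts project's code) that reads a struts.xml and reports whether it matches the vulnerable shape described above: the alwaysSelectFullNamespace flag enabled together with a package or redirectAction result whose namespace is unset or a wildcard. Mapping the post's "action or URL tag" wording onto the `<package namespace>` attribute and the redirectAction `namespace` param, and treating `*` and `/*` as wildcard spellings, are this script's assumptions; both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

def audit_struts_config(xml_text: str) -> dict:
    """Flag the vulnerable shape: alwaysSelectFullNamespace on, plus a package or
    redirectAction result with an unset or wildcard namespace (assumed mapping)."""
    root = ET.fromstring(xml_text)
    full_ns = any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    unsafe_packages = [
        pkg.get("name", "<unnamed>")
        for pkg in root.iter("package")
        if (pkg.get("namespace") or "").strip() in {"", "*", "/*"}  # unset or wildcard
    ]
    unsafe_results = []
    for action in root.iter("action"):
        for res in action.findall("result"):
            if res.get("type") != "redirectAction":
                continue
            params = {p.get("name"): (p.text or "").strip() for p in res.findall("param")}
            if not params.get("namespace"):  # redirect without an explicit namespace
                unsafe_results.append(action.get("name", "<unnamed>"))
    return {
        "alwaysSelectFullNamespace": full_ns,
        "unsafe_packages": unsafe_packages,
        "unsafe_results": unsafe_results,
        "vulnerable_shape": full_ns and bool(unsafe_packages or unsafe_results),
    }

# Constructed sample: the flag is on and neither the package nor the redirect names a namespace.
WEAK_CONFIG = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction"><param name="actionName">home</param></result>
    </action>
  </package>
</struts>"""

# Constructed sample of the same application with explicit namespaces, as the post recommends.
HARDENED_CONFIG = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" namespace="/app" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction"><param name="actionName">home</param><param name="namespace">/app</param></result>
    </action>
  </package>
</struts>"""
```

Running `audit_struts_config` over both samples shows the weak one flagged on the package and the redirect, and the hardened one clean even though the flag stays enabled.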
Alert Logic Threat Manager, our IDS system, and our WAF-as-a-service are able to detect and/or block this current threat. Alert Logic researchers will continue to investigate the issue and update our coverage and guidance. Alert Logic customers should refer to the Alert Logic Knowledge Base for the most current information.