Recently, a remote code execution (RCE) vulnerability in the well-known Apache Struts web application framework is found to allow attackers to take control of a vulnerable system.
Apache Struts is an open-source web application framework for developing Java EE web applications. Apache Struts is widely used by enterprises all around the world, with estimates suggesting that in 2017 at least 65 percent of the Fortune 100 companies relied on web applications build with the Apache Struts framework. Vodafone, Lockheed Martin Virgin Atlantic and IRS (Internal RevenueService) are also its users.
The vulnerability (CVE-2018-11776) is located in the core of Apache Struts. It comes from some configurations that the untrusted input provided by users in the core of the framework cannot be fully verified.
The vulnerability can be triggered by accessing a malicious URL on an affected web server, allowing attackers to execute malicious code. Eventually, attackers can control the target server running the vulnerable application.
The affection of CVE-2018-11776
This new remote code execution vulnerability affects all supported versions of Apache Struts 2. A patched version has been released today. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. The vulnerability is located in the core of Apache Struts. All applications that use Struts are potentially vulnerable, even when no additional plugins have been enabled.
Either one of the following conditions may result in remote code execution:
1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
2. Your application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”). This applies to actions and namespaces specified in the Struts configuration file (e.g. ), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.
Several months ago, Equifax, one of the three largest credit agencies (known as the “Big Three”) disclosed that records containing personal details of 147 million consumers were breached, because they had failed to patch a similar Apache Struts vulnerability that was published earlier that year (CVE-2017-5638).
According to Reuters, Equifax estimates that the total cost of the breach amounts to “well over $600 million.
Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit. A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.
Pavel Avgustinov / Co-founder & VP of QL Engineering at Semmle
Apache Struts has fixed this vulnerability by releasing Struts versions 2.3.35 and 2.5.17. We strongly recommend that companies and developers using Apache Struts to upgrade their Struts components as soon as possible.