Expert discovered a Critical Remote Code Execution flaw in Apache Struts (CVE-2018-11776)

Maintainers of the Apache Struts 2 open source development framework has released security updates to address a critical remote code execution vulnerability.

Security updates released this week for the Apache Struts 2 open source development framework addressed a critical RCE tracked as CVE-2018-11776.

The vulnerability affects Struts versions from 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

The versions Struts 2.3.35 and 2.5.17 includes the security updates to address the CVE-2018-11776.

Struts developers also published a temporary workaround, but are recommending users to don’t use it and install the updates.

“Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action se” reads the security advisory published by Apache.

“Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set.”

Experts warn that it is possible to trigger the RCE flaw when namespace value isn’t set for a result defined in underlying xml configurations and at the same time, its upper action(s) configurations have no or wildcard namespace.

The flaw could be also exploited when using url tag which doesn’t have value and action set and at the same time, its upper action(s) configurations have no or wildcard namespace.

The vulnerability was reported by Man Yue Mo from the Semmle Security Research team on April 10, security updates were released on June 25 and on 22 August 2018 the new versions of Struts were released.

“This vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework. Due to the fact that this vulnerability affects the core of Struts, there exist multiple separate attack vectors. At the moment, we are aware of two such vectors” reads the technical analysis published bb Semmle.

“For your application to be vulnerable to the attack vectors described below, both of the following conditions should hold:

1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
2. Your application’s Struts configuration file contains an <action …>tag that does not specify the optional namespace attribute, or specifies a wildcard namespace (e.g. “/*”)”

The experts from Semmle explained that the flaw affects commonly-used endpoints of Struts which are likely to be exposed.

“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string. OGNL (Object-Graph Navigation Language) is a powerful domain-specific language that is used to customize Apache Struts’ behavior,” the researcher explained.

Apache Struts flaw are very dangerous for organizations, one of them was the root cause of the massive Equifax breach that impacted over 140 million people.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Apache Struts, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]