Security researchers at LGTM (lgtm.com) have discovered a critical remote code execution vulnerability in the Apache Struts that could be exploited by a remote attacker to run malicious code on the vulnerable servers.
“Security researchers at lgtm.com have discovered a critical remote code execution vulnerability in Apache Struts — a popular open-source framework for developing web applications in the Java programming language.” states the security advisory published by lgtm.com.”All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency. This vulnerability has been addressed in Struts version 2.5.13.”
Successful exploitation of the vulnerability could allow an attacker to take full control of the affected server.
The vulnerability tracked as CVE-2017-9805 is related to the way Struts deserializes untrusted data, it affects all versions of Apache Struts since 2008, from Struts 2.5 to Struts 2.5.12.
“lgtm identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection.” states the analysis published by LGTM.
The experts warn that the Struts REST communication plugin fails to handle XML payloads while deserializing them, all web applications using this plugin are vulnerable to remote attacks.
The Apache Struts development team acknowledge the vulnerability and published a patch.
“This is critical, as all you have to do is use the REST plugin.” said the Apache Struts development team.
The impact of the flaw is severe because the Struts framework is being used by “an incredibly large number and variety of organisations.”
According to the expert that has discovered the vulnerability, it is easy to exploit, an attacker can trigger it by submitting a malicious XML code in a format.
“The Struts framework is used by an incredibly large number and variety of organizations. This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications. Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organizations who use Struts should upgrade their components immediately.” said Man Yue Mo, the LGTM security researcher that discovered the vulnerability.
The lgtm security team has developed an exploit code for this vulnerability, of course, it will not disclose it in this phase, experts also added that they are not aware of the availability of the exploit iin the wild.
Administrators of vulnerable installs need to update their versions to Struts version 2.5.13.
Update 6 September 2017
— Odisseus (@_odisseus) September 6, 2017
(Security Affairs – Struts, CVE-2017-9805 RCE)