Security researchers have discovered a PoC code and exploit available on GitHub that that can be used to trigger the security vulnerabilities in Apache Struts 2.
The Proof-of-concept exploit code was released last week, it allows to trigger the CVE-2019-0230 and CVE-2019-0233 vulnerabilities in Apache Struts 2 that are classified as remote code-execution and denial-of-service issues respectively. Both vulnerabilities were addressed by the Apache team in November 2019.
According to an advisory published by the Cybersecurity and Infrastructure Security Agency (CISA) the two flaws impact Apache Struts versions 2.0.0 through 2.5.20. The Apache Struts Security Team urges administrators to upgrade their installs to Struts 2.5.22.
Apache Struts 2 is an open-source, extensible framework for creating enterprise-ready Java web applications.
Unpatched installs could allow attackers to carry out malicious activities. In 2017, the credit reporting agency Equifax suffered a massive data breach, attackers exploited the CVE-2017-5638 Apache Struts vulnerability.
The CVE-2019-0230, for which a PoC exploit code is available only, could be triggered when a threat actor sends a malicious Object-Graph Navigation Language (OGNL) expression that can result in a remote code-execution in the context of the affected application.
Depending on the privileges associated with the affected application, an attacker could perform multiple malicious activities, such as install applications; modify or delete data, or create new admin accounts.
The DoS flaw, tracked as CVE-2019-0233, affects the write permissions of file directories that could lead to conditions ripe for a DoS attack.
According to the Apache Struts Wiki description of the bug, this flaw can be triggered with a file upload to a Strut’s Action that exposes the file.
“When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error.” reads the advisory. “It might also be possible to set the Servlet container’s temp directory to read only, such that subsequent upload actions will fail,”
The Apache security bulletin recommends to upgrade outdated installs and verify no unauthorized system modifications have occurred on the system.
(SecurityAffairs – hacking, Apache Struts)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.