The CVE-2018-11776 vulnerability affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and potentially unsupported versions of the popular Java framework.
“Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action se” reads the security advisory published by Apache.
“Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set.”
Experts warn that it is possible to trigger the RCE flaw when namespace value isn’t set for a result defined in underlying XML configurations and at the same time, its upper action(s) configurations have no or wildcard namespace.
The flaw could be also exploited when using URL tag which doesn’t have value and action set and at the same time, its upper action(s) configurations have no or wildcard namespace.
According to the experts from Semmle that discovered the flaw, the vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed.
“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string. OGNL (Object-Graph Navigation Language) is a powerful domain-specific language that is used to customize Apache Struts’ behavior,” the researcher explained.
An attacker could trigger the flaw by injecting his own namespace as a parameter in an HTTP request. The lack of proper validation for that parameter is the root of the problem.
Just two days after the Apache Software Foundation released their advisory a working proof-of-concept (PoC) was published online.
According to the experts from the threat intelligence firm Recorded Future, there is an intense activity related to the Struts flaw in a number of Chinese and Russian underground forums.
” Unfortunately, this makes the vulnerability trivial to exploit — in fact, proof-of-concept code has already been released, including a Python script that allows for easy exploitation. Recorded Future has also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.” reads the analysis published by Recorded Future.
“Unlike last year’s Apache Struts exploit (CVE-2017-5638), which was at the center of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running in order to successfully exploit it.”
The number of potentially vulnerable application could be impressive.
“Apache Struts is a very popular Java framework and there are potentially hundreds of millions of vulnerable systems that could be exploited by this flaw. The challenge is in identifying how many systems are vulnerable.” continues Recorded Future.
“Because many of the servers running Apache Struts are backend application servers, they are not always easily identified, even by the system owners.”
The principal problem is that there are many reasons because Struts installs cannot be immediately updated especially in Critical systems.