Earlier this week the Apache Software Foundation made available patches for Apache Struts (a web application framework (defined)) bringing the applications active development branches to version 2.3.35 and 2.5.17. These versions addresses a remote code execution vulnerability (defined: the ability for an attacker to remotely carry out any action of their choice on your device) known as CVE-2018-11776. This vulnerability was responsibly disclosed (defined) by the security researcher; Man Yue Mo.
Why should this vulnerability be considered important?
A data breach at the credit rating agency Equifax last year occurred in part due to their lack of patching their affected web servers. The vulnerability resolved this week can be exploited by an attacker simply by visiting specifically crafted URL (defined) on the affected web server (defined). Once exploited the server can be completely under the attacker’s control.
Typically within days of a vulnerability being disclosed; attackers begin to target and exploit it. Compromised are web servers (which are already public facing and can be located using Shodan) can be used as an entry point into other areas of your corporate network. Any application making use of the Struts framework is vulnerable regardless if those applications use plugins.
How to tell if your installation of Apache Struts is vulnerable?
Your Apache Struts is vulnerable if both of the conditions listed below are true (my thanks to this Semmle blog post for this information):
- The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
- Your application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”). This applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace=”main”>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.