THREAT HORIZON – APACHE STRUTS 2


The following was circulated to our NetSure360° managed service customers on Saturday 25th August 2018.

Priority: High

Executive Summary: Apache Struts is a popular open-source framework for developing Java web applications. Apache have released details of a critical Remote Code Execution (RCE) vulnerability in Apache Struts 2 (CVE-2018-11776) that could allow remote attackers to run malicious code on affected servers. This is considered particularly severe as a proof-of-concept attack has already been released publicly [5].

Remote Code Execution vulnerabilities are commonly considered to be the most severe type of security issue, as they allow attackers to take control of a vulnerable system. This can provide an attacker with an entry point into your corporate network and can put both infrastructure and data at risk.

The vulnerability exists due to inadequate validation of untrusted user data. This affects most default Struts configurations. Specifically, it affects configurations where both the ‘alwaysSelectFullNamespace’ flag is set to true and the configuration contains an ‘action’ or ‘url’ tag that either does not specify the optional namespace attribute or specifies a wildcard namespace (e.g. ‘/*’). Updating to the most recent Struts versions will solve this vulnerability. If an existing configuration does not meet these conditions, it should not be vulnerable; however, updating to the most recent version is still advised.

Affected Products: The following software is affected:
• Struts 2.3 to Struts 2.3.34
• Struts 2.5 to Struts 2.5.16
Additionally, unsupported Struts versions may be affected by this vulnerability.

Implementations of the Apache Struts 2 framework should only be affected if they meet both the following conditions:
• The ‘alwaysSelectFullNamespace’ flag is set to true;
• The configuration file contains an ‘action’ or ‘url’ tag that does not specify the optional namespace attribute or specifies a wildcard namespace (e.g. ‘/*’)
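
The two conditions above can be checked against a `struts.xml` file with a short audit script. This is an added example, not code from Apache or from the original advisory. It assumes the flag appears as the `struts.mapper.alwaysSelectFullNamespace` constant and that an action inherits the namespace of its enclosing `<package>`; the sample configuration is constructed, and ‘url’ tags in JSP templates are not covered.

```python
import xml.etree.ElementTree as ET

FLAG = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample struts.xml (not taken from any real application).
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="open" extends="struts-default">
    <action name="help"><result type="redirectAction">index</result></action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="list" class="demo.ListAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="users" class="demo.UsersAction"/>
  </package>
</struts>"""


def audit_struts_config(xml_text):
    """Return (flag_enabled, risky_actions) for one struts.xml document."""
    root = ET.fromstring(xml_text)
    # Condition 1: the alwaysSelectFullNamespace constant is set to true.
    flag_enabled = any(
        c.get("name") == FLAG and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    # Condition 2: an action with no namespace, or with a wildcard namespace.
    risky = []
    for package in root.iter("package"):
        for action in package.iter("action"):
            # Assumption: use the action's own namespace attribute if present,
            # otherwise the namespace of the enclosing <package>.
            namespace = action.get("namespace", package.get("namespace"))
            if namespace is None or "*" in namespace:
                risky.append((package.get("name"), action.get("name"), namespace))
    return flag_enabled, risky


def meets_both_conditions(xml_text):
    """True only when both conditions from the advisory hold."""
    flag_enabled, risky = audit_struts_config(xml_text)
    return flag_enabled and bool(risky)


if __name__ == "__main__":
    flag, risky = audit_struts_config(SAMPLE_STRUTS_XML)
    print("alwaysSelectFullNamespace=true:", flag)
    for pkg, act, ns in risky:
        print(f"review: package={pkg} action={act} namespace={ns!r}")
```

Struts constants can also be set outside `struts.xml` (for example in `struts.properties`), so a clean result from this script on one file does not replace upgrading to the fixed versions.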

Detect: ITC customers running any Apache framework who do not already know whether they use Struts should be scanned to find out. If they do use Struts, it can be assumed that those installations will need updating to the latest version.

See Appendix A for the Snort detection rules.

Prevent:
Users of Struts 2.3 are strongly advised to upgrade to 2.3.35.
Users of Struts 2.5 are strongly advised to upgrade to 2.5.17.

React: Apply vendor-provided patches and ensure the latest security updates are up to standard. Version notes for the two updates can be found below:
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.35
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.17

Sources:
[1] https://cwiki.apache.org/confluence/display/WW/S2-057
[2] https://semmle.com/news/apache-struts-CVE-2018-11776
[3] https://lgtm.com/blog/apache_struts_CVE-2018-11776
[4] https://thehackernews.com/2018/08/apache-struts-vulnerability.html
[5] https://github.com/jas502n/St2-057/blob/master/README.md

Author: Sophia Casimir
