Apache Software Foundation patches critical remote code execution vulnerability in Apache Struts 2
A critical remote code execution vulnerability in Apache Struts 2 affects a wide range of applications. Apache Struts 2 is a popular open-source framework for developing web applications in the Java programming language. The vulnerability affects applications even if no additional plugins are enabled, and exploitation could lead to network compromise. The vulnerability (CVE-2018-11776) was patched by the Apache Software Foundation on August 22nd and affects all supported versions of Struts 2. Developers using Struts 2.3 should upgrade to 2.3.35 as soon as possible. Developers using Struts 2.5 should immediately upgrade to 2.5.17.
This vulnerability affects commonly used Struts endpoints, which are likely to be exposed, opening up a security hole for hackers. The vulnerability is related to the Struts Object-Graph Navigation Language, or OGNL, which hackers are familiar with and which has been exploited in the past. OGNL is a powerful, domain-specific language that is used to customize Struts' behavior. According to researchers at Semmle Security, this vulnerability may be more dangerous than the Struts RCE vulnerability that allowed hackers to steal the personal data of 147 million consumers from Equifax.
The root cause is a lack of input validation on the URL passed to the Struts framework. The previous Struts vulnerabilities were all in code within a single functional area of the Struts code. This enabled developers who were familiar with that functional area to quickly identify and resolve issues without introducing new behaviors. CVE-2018-11776 operates at a far deeper level within the code, which requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. Hackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.
Researchers have identified at least two different ways the vulnerability can be exploited. In the first method, three Struts result types are unsafe when used without a namespace, as defined either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These redirect the visitor to a different URL. This has been dubbed action chaining, which is a method to chain multiple actions into a defined sequence or workflow. The result of action chaining is that it renders the current request parameters as a form which immediately submits a postback to the specified destination chain. The second method takes advantage of the fact that Struts supports page templates inside "result" tags in the Struts configuration. Using URL tags in such pages is potentially unsafe if the template is referred to from an "action" tag that does not provide a namespace attribute. Applications are vulnerable if the template contains "s:url" tags without an action or value attribute.
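The two configuration patterns described above can be audited before a patch is rolled out. The following is an added example, not code from the article or the Struts project: it parses a constructed struts.xml for actions in namespace-less packages that use the redirect/chain/postback result types (the three type names are an assumption taken from public CVE-2018-11776 advisories) and counts "s:url" tags in a constructed JSP fragment that lack both an action and a value attribute.

```python
import re
import xml.etree.ElementTree as ET

# Assumed: the three result types that are unsafe without a namespace.
RISKY_RESULT_TYPES = {"redirectAction", "chain", "postback"}

# Constructed sample struts.xml: the first package declares no namespace.
SAMPLE_STRUTS_XML = """<struts>
  <package name="default" extends="struts-default">
    <action name="login" class="app.LoginAction">
      <result name="success" type="redirectAction">home</result>
    </action>
    <action name="about" class="app.AboutAction">
      <result name="success">/about.jsp</result>
    </action>
  </package>
  <package name="secure" namespace="/secure" extends="struts-default">
    <action name="go" class="app.GoAction">
      <result type="chain">next</result>
    </action>
  </package>
</struts>"""

# Constructed sample JSP fragment with four s:url tags.
SAMPLE_JSP = ('<s:url action="login" /> <s:url /> '
              '<s:url value="/x" /> <s:url includeParams="all"/>')


def audit_struts_xml(xml_text):
    """Return action names that use a risky result type inside a package
    whose namespace attribute is missing or empty."""
    findings = []
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        if pkg.get("namespace"):  # explicit, non-empty namespace: skip
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if result.get("type") in RISKY_RESULT_TYPES:
                    findings.append(action.get("name"))
    return findings


S_URL_TAG = re.compile(r"<s:url\b([^>]*)>")


def audit_template(jsp_text):
    """Count <s:url> tags carrying neither an action nor a value attribute."""
    return sum(1 for m in S_URL_TAG.finditer(jsp_text)
               if not re.search(r"\b(action|value)\s*=", m.group(1)))


if __name__ == "__main__":
    print("risky actions:", audit_struts_xml(SAMPLE_STRUTS_XML))
    print("unsafe s:url tags:", audit_template(SAMPLE_JSP))
```

A finding means the configuration matches the reported pattern and the instance should be prioritized for the 2.3.35 or 2.5.17 upgrade; adding an explicit namespace is a mitigation, not a substitute for patching.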
The Apache Software Foundation strongly advises developers to upgrade their Apache Struts even if their application is currently not vulnerable. A simple, inadvertent change to a Struts configuration file may cause the application to become vulnerable in the future. Critical remote code execution vulnerabilities like this one and the one that affected Equifax are dangerous because Struts is used in publicly accessible, customer-facing websites and the flaw is easy to exploit. Hackers can find their way in within minutes, then steal data or set up further attacks from the compromised system.