Researchers at Semmle have disclosed a critical vulnerability in Apache Struts, similar to the vulnerability at the root of the Equifax breach. Our advice? Update now!
Background
Semmle researchers discovered and disclosed a remote code execution (RCE) vulnerability (CVE-2018-11776) in servers running Apache Struts that meet specific configuration requirements. According to Semmle, those requirements are:
- The alwaysSelectFullNamespace flag is set to true in the Struts configuration. (Note: this is automatically the case if your application uses the popular Struts Convention plugin.)
- The application’s Struts configuration file contains an <action ...> tag that does not specify the optional namespace attribute or specifies a wildcard namespace (e.g., “/*”).
This vulnerability also requires the version of Apache Struts to be Struts 2.3–Struts 2.3.34 or Struts 2.5–Struts 2.5.16. Upgrading to the latest version provided by Apache should mitigate your risk.
Impact assessment
If the above configuration requirements are met and your version of Apache Struts has not been updated to the recommended versions, then an attacker could take full control of the web application using Apache Struts.
Equifax saw a similar Apache Struts vulnerability (CVE-2017-5638) used in what has been called the most expensive data breach in history. Many web-based RCE vulnerabilities like this one are researched quickly, with publicly available exploits appearing in less than a few days after disclosure.
Vulnerability details
In Apache Struts, when the <action ...> tag doesn’t have a corresponding namespace attribute, the default redirectAction result type will pass unsanitized strings in an HTML request as commands.
In addition, <s:url …> tags without a preset action or value attribute can be manipulated by having malicious code injected into the missing attributes, which then get passed to Struts as executed commands.
Urgently required actions
Upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible.
Apache also states that the following configuration change can mitigate the vulnerability (this should be a temporary workaround until an organization can upgrade):
- Verify that you have a set namespace (if applicable) for your ‘all’ defined results in underlying configurations.
- Verify that you have a set value or action for all ‘url’ tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace.
Researchers at Semmle have suggested that other methods of attack could exist, and these configuration requirements may not prevent attack.
Identifying affected systems
The following active plugin is available for scanning. Tenable.io® Container Security can detect containers running versions of Apache Struts vulnerable to CVE-2018-11776.
Plugin ID | Description |
Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057) |
Get more information
- Semmle's public disclosure
- Researcher Man Yue Mo's technical explanation of the vulnerability
- Apache's advisory
- NVD entry for CVE-2018-11776
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Start your free trial of Tenable.io Container Security now!