A new Apache Struts weakness has been found in the main functionality of Apache Struts. This is a serious fault that lets distant code execution in certain configurations of the framework. The fault might prove graver than the one that was abused in the Experian hack in 2017.
Apache Struts is an open source framework utilized in several Java-based web applications. It has been approximated that at least 65% of Fortune 500 firms use Struts to some extent in their web applications.
The fault was known by safety scientist Man Yue Mo of Semmle and is being followed as CVE-2018-11776. Semmle unveiled the fault to the Apache Foundation and the timing of publication of the weakness matches with the release of a patch to repair the weakness.
The possibility for abuse is limited by the fact that only certain configurations of Apache Struts are susceptible to attack. While these configurations are not likely to be set by the bulk of companies, they are far from unusual.
The Apache Foundation has released particulars of the configurations that are susceptible:
- When the alwaysSelectFullNamespace flag is set to true, which is the default configuration using the Struts Convention plug-in.
- When the Struts configuration file of an application has “a <action …> tag that does not identify the optional namespace attribute or specifies a wildcard namespace (e.g. “/*”)”.
Now that the weakness has been unveiled it is necessary for all companies to update vulnerable versions of Struts as a priority. The vulnerability is present in all supported versions of Apache Struts 2. Users of Struts 2.3 have been advised to upgrade to 2.3.35 and users of 2.5 must upgrade to 2.5.17.
As Semmle noted in an August 22 blog post, earlier weaknesses in Apache Struts have led to exploits being developed within a day of the announcement being made of a weakness.
It is possible that targets can be easily recognized and attacks are unavoidable. As the Experian hack indicated, the failure to tackle Struts weaknesses can prove extremely damaging.