Critical Remote Code Execution Vulnerability Identified in Apache Struts

by Chris Brook on Wednesday August 22, 2018

The Apache Software Foundation released patches on Wednesday for a critical vulnerability in Apache Struts - the culprit behind last year's Equifax breach - that could allow attackers to remotely execute code.

Experts are cautioning any organizations running Struts 2 to update the framework immediately after a critical remote code execution vulnerability was found and patched in the open source software.

It was last March, of course, that another critical vulnerability in Struts, CVE-2017-5638, was disclosed. That vulnerability ultimately went unpatched by credit reporting agency Equifax and later that year led to the breach of 147.9 million consumers’ data, including driver's license numbers, thousands of ID images, phone numbers, email addresses, and Social Security numbers.

Versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are affected by this week’s CVE, CVE-2018-11776, according to the Apache Software Foundation, the non-profit group that oversees the project and disclosed the vulnerability Wednesday.

The issue stems from insufficient validation of untrusted user data in Struts and can be exploited in two ways.

According to MITRE's CVE page, the vulnerability can be caused by “using results with no namespace and in same time, its upper action(s) have no or wildcard namespace.” The issue could also be caused “when using url tag which doesn't have value and action set and in same time, its upper action(s) have no or wildcard namespace."

Man Yue Mo, a researcher on Semmle’s security research team, discovered the issue. Semmle, a software engineering analytics firm that performs deep semantic code analysis to identify vulnerabilities in code, found another serious vulnerability in Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 last fall that also could have led to remote code execution.

Blog Post

Equifax Hacked Via Six Month Old Struts Vulnerability

READ NOW

While Mo initially discovered the vulnerability in April, code wasn't changed until June. Patches, reflected in version 2.3.35 and 2.5.17 of Struts, arrived Wednesday.

Semmle warned Wednesday that even if an application isn't currently vulnerable, an "inadvertent change to a Struts configuration file may render the application vulnerable in the future."

It's the first time the Apache Struts Team is urging developers to upgrade the framework since March when it updated the Commons FileUpload library to prevent remote code execution attacks and fixed an issue that could have exposed publicly accessible web sites from denial of service attacks.

The reverberations around last fall's Equifax breach were seemingly endless - and expensive, the company said costs could reach in excess of $600 million – it apparently did little to shift consumers' general perceptions around data breaches and identity theft.

Researchers evaluated consumers' mental models of credit bureaus in an academic paper (.PDF) published this month by the University of Michigan's School of Information. In a series of semi-structured interviews with 24 participants the academics found that many respondees failed to look into whether or not they were even affected by the breach. Even fewer took actions to prevent identity theft, like freezing their credit following the breach.

"The high portion of participants who were unaware of available protective measures suggests insufficient knowledge as a primary reason for inaction. Only 3 participants correctly described fraud alerts, and all of them learned it from being affected by previous data breaches and being offered the service as compensation. The remaining participants either said they did not know what fraud alerts were, or associated fraud alerts with alerts sent from banks and credit card companies when fraudulent activities occur," the paper's authors wrote.

Apache Software Foundation feather image via rbowen's Flickr photostream, Creative Commons

Tags: Vulnerabilities