Apache Struts Vulnerability POC Code Found on GitHub

August 24, 2018 • Allan Liska

Insikt Group

On August 22, 2018, the Apache Software Foundation reported a new vulnerability in the Apache Struts framework (CVE-2018-11776) that could allow an attacker to execute remote code and possibly gain access to a targeted system. The flaw exists because Apache Struts does not perform proper validation of input data. This is a flaw in the Struts framework core, which means all Struts installations are potentially vulnerable.

The vulnerability exists in Struts when a namespace value is not set. The namespace value is how Struts separates the configuration of action into logical modules. The Apache Software Foundation issued a statement explaining the vulnerability as follows:

It is possible to perform an RCE attack when the namespace value isn’t set for a result defined in underlying configurations and, at the same time, its upper action(s) configurations have no or wildcard namespace. The same possibility exists when using the url tag which doesn’t have value and action set and, at the same time, its upper action(s) configurations have no or wildcard namespace.

In practical terms, this means an attacker can exploit the flaw by adding their own namespace to the URL as part of an HTTP request. Unfortunately, this makes the vulnerability trivial to exploit — in fact, proof-of-concept code has already been released, including a Python script that allows for easy exploitation. Recorded Future has also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.

Unlike last year’s Apache Struts exploit (CVE-2017-5638), which was at the center of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running.

Apache Struts is a very popular Java framework and there are potentially hundreds of millions of vulnerable systems that could be exploited by this flaw. The challenge is in identifying how many systems are vulnerable. Because many of the servers running Apache Struts are backend application servers, they are not always easily identified, even by the system owners. That does not mean the servers are not publicly accessible by determined attackers. Most often, scanners will trick servers into returning a Java stack trace as a way of identifying potential Struts servers — other tricks include looking for certain files or directories.

There are two ways of protecting against this vulnerability. The recommended path is to upgrade to the latest version of Apache Struts, 2.3.35 or 2.5.17. You can also protect your installation, especially if upgrading is an onerous process, by ensuring that a namespace is always explicitly set for every action and result in your Apache Struts configuration. However, if a single instance is missed, that may lead to an attacker gaining access to the server.
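As an added illustration of the configuration check described above (not code from Recorded Future or the Struts project), the script below audits a struts.xml for the shape the advisory warns about: a package whose namespace is missing or a wildcard, containing a redirectAction or chain result with no explicit namespace param. The sample struts.xml is constructed for the example; the package, action and class names in it are hypothetical, and url tags in JSP pages are out of scope.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml for this example (not from the post). The "legacy"
# package uses a wildcard namespace and its result names no namespace; the "admin"
# package sets the namespace on both the package and the result.
SAMPLE_STRUTS_XML = """<struts>
  <package name="legacy" namespace="/*" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="dashboard" class="example.DashboardAction">
      <result type="redirectAction">
        <param name="namespace">/admin</param>
        <param name="actionName">report</param>
      </result>
    </action>
  </package>
</struts>
"""

# Result types that resolve another action and therefore accept a namespace param.
ACTION_RESULT_TYPES = {"redirectAction", "chain"}


def package_namespace_is_unsafe(namespace):
    """True when a package namespace is absent, empty, or a wildcard."""
    return namespace is None or namespace.strip() in {"", "/*", "*"}


def find_unsafe_results(struts_xml):
    """Return (package, action, result) triples for action-resolving results that
    carry no namespace param inside a package with no or wildcard namespace."""
    findings = []
    for pkg in ET.fromstring(struts_xml).iter("package"):
        if not package_namespace_is_unsafe(pkg.get("namespace")):
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if result.get("type") not in ACTION_RESULT_TYPES:
                    continue
                has_ns = any(p.get("name") == "namespace" and (p.text or "").strip()
                             for p in result.findall("param"))
                if not has_ns:  # "success" is the default result name in Struts
                    findings.append((pkg.get("name"), action.get("name"),
                                     result.get("name", "success")))
    return findings


if __name__ == "__main__":
    for pkg, action, result in find_unsafe_results(SAMPLE_STRUTS_XML):
        print(f"package {pkg!r}: action {action!r} result {result!r} has no namespace")
```

Run it against each deployed struts.xml (and any included configuration files) after applying the namespace fix; an empty result list means every flagged pattern has been addressed in that file.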