
Remote Code Execution Vulnerability in Apache Struts 2 CVE 2018-11776

The Apache Foundation has confirmed the findings of an independent security research group that a critical remote code execution flaw exists in the popular Struts 2 open source framework.

by James Lee · Aug. 23, 18 · News

Overview

The Apache Foundation has confirmed the findings of an independent security research group that a critical remote code execution flaw exists in the popular Struts 2 open source framework. Designated CVE 2018-11776, this vulnerability is located in the core of Apache Struts 2 and impacts all supported versions of Struts 2.

Waratek Enterprise customers are protected against RCE attacks as a core feature.

Waratek Patch customers will receive a virtual patch to specifically address CVE 2018-11776.

Non-Waratek customers should upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible. However, users who have highly customized code may find it difficult to upgrade and risk breaking the functionality of their applications.

Details

Struts 2 is one of the most widely used web application frameworks with a history of vulnerabilities to remote code execution attacks. Malicious attackers have been able to use automated scanners to identify and exploit previous flaws within hours of an announced CVE, including CVE 2017-5638, also known as the Equifax flaw.

The new vulnerability was discovered by Security Researcher Man Yue Mo of Semmle.

"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past. On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September."

CVE 2018-11776 is linked to insufficient validation of untrusted user data in the core of the Struts framework, resulting in multiple attack vectors.

An application is believed to be vulnerable if the following conditions exist:

  1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration. This is the default setting if an application uses the popular Struts Convention plugin.
  2. An application's Struts configuration file contains an <action ...> tag that does not specify the optional namespace attribute, or specifies a wildcard namespace (e.g. "/*").

Application configurations that do not meet these two conditions are likely not vulnerable to the current attack vectors. However, Apache and Semmle acknowledge that new attack vectors may be discovered.
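A configuration audit for the two conditions above, as an added example that is not from the original article or the Struts project. It assumes the flag is set through the struts.mapper.alwaysSelectFullNamespace constant in struts.xml and that an action's namespace comes from its enclosing <package> element; the function name, the convention_plugin parameter and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration, not taken from any real application.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="open" extends="struts-default">
    <action name="help" class="example.HelpAction"/>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="list" class="example.ListAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="users" class="example.UsersAction"/>
  </package>
</struts>"""

FLAG = "struts.mapper.alwaysSelectFullNamespace"


def audit_struts_config(xml_text, convention_plugin=False):
    """Report whether a struts.xml meets both conditions listed in the article.

    convention_plugin (hypothetical parameter): pass True when the application
    uses the Convention plugin, where the flag defaults to true.
    """
    root = ET.fromstring(xml_text)

    # Condition 1: alwaysSelectFullNamespace is true. An explicit <constant>
    # overrides the plugin default supplied by the caller.
    flag = convention_plugin
    for const in root.iter("constant"):
        if const.get("name") == FLAG:
            flag = const.get("value", "").strip().lower() == "true"

    # Condition 2: actions with no namespace, or a wildcard namespace.
    # Assumption: a missing or empty attribute both count as "not specified".
    exposed = []
    for pkg in root.iter("package"):
        ns = (pkg.get("namespace") or "").strip()
        if ns == "" or "*" in ns:
            exposed += [(pkg.get("name"), a.get("name")) for a in pkg.iter("action")]

    return {
        "always_select_full_namespace": flag,
        "actions_without_fixed_namespace": exposed,
        "matches_both_conditions": flag and bool(exposed),
    }


if __name__ == "__main__":
    print(audit_struts_config(SAMPLE_STRUTS_XML))
```

A match means the configuration meets the article's two conditions, not that exploitation is confirmed; settings made in struts.properties are not read.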

Apache Struts, Struts, Apache, the Apache feather logo, and the Apache Struts project logos are trademarks of The Apache Software Foundation.

Published at DZone with permission of James Lee, DZone MVB. See the original article here.
