Apache's latest SNAFU – Struts normal, all fscked up: Web app framework needs urgent patching

Another critical security hole has been found in Apache Struts 2, requiring an immediate update.

The vulnerability – CVE-2018-11776 – affects core code and allows miscreants to pull off remote code execution against vulnerable servers and websites. It affects all versions of Struts 2, the popular open-source framework for Java web apps.

The Apache Software Foundation has "urgently advised" anyone using Struts to update to the latest version immediately, noting that the last time a critical hole was found, the holes were being exploited in the wild just a day later. In other words, if you delay in patching, your organization will be compromised in short order via this bug, if you are running vulnerable systems.

It was that earlier flaw that led to a nightmare data breach from credit company Equifax after it failed to patch swiftly enough. The details of nearly 150 million people were exposed, costing the company more than $600m, so this is not something to be taken lightly.

The company that discovered the vulnerability – Semmle Security Research Team – warns that this latest one is actually worse that the one last year, which it also found. It has published a blog post with more information. Semmle found the hole back in April and reported it to Apache, which put out a patch in June that it has now pulled into formal updates (2.3.35 for those using version 2.3 and 2.5.17 for those on 2.5).

As mentioned, the vulnerability is in the core code and doesn't require additional plugins to work. It is caused by insufficient validation of untrusted user data in the core of the Struts framework, and can be exploited in several different ways.

Semmle says it has identified two different vectors but warns there may be others.

They are:

• The alwaysSelectFullNamespace flag is set to true in the Struts configuration – this is going to be a default with most configurations.
• Your application’s Struts configuration file contains an <action ...> tag that does not specify the optional namespace attribute, or specifies a wildcard namespace (e.g. '/*') – again a pretty common occurrence.

If your app does not meet these two conditions, according to Semmle "you are likely not vulnerable to the two attack vectors described below." However, it warns that new attack routes will likely appear soon – so update to the latest version.

Since it can be used remotely and due to the fact that Struts is typically used to create applications that are on the public internet, hackers are going to be especially focused on exploiting it so they can gain access to corporate networks.

And there are some big targets out there: Apache Struts is extremely common with most large corporations using it somewhere in their systems for web apps.

Semmle's VP of engineering, Pavel Avgustinov, had this to say about the hole on Wednesday this week: "Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit. A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk."

So that's a pretty solid "do not wait to patch" recommendation.

This is very far from the first time that big security holes have been found in Struts, leading some to recommend that people simply stop using it. ®

I’m lucky enough to have seen lots of non-public details on dozens of high-profile security breaches over the last 15 years. My one takeaway, not a joke - stop using Apache Struts.

100% serious.#DFIR

— Chad Loder (@chadloder) August 22, 2018