New Apache Struts Vulnerability Could Allow for Remote Code Execution

Ryan Seguin

Updated August 23: A working proof of concept (PoC) has been discovered and verified on Github by Tenable’s research team. In addition, there are indications that attackers are already probing for vulnerable Apache Struts instances. Patch now!

Background

Semmle researchers discovered and disclosed a remote code execution (RCE) vulnerability (CVE-2018-11776) in servers running Apache Struts that meet specific configuration requirements. According to Semmle, those requirements are:

  • The alwaysSelectFullNamespace flag is set to true in the Struts configuration. (Note: this is automatically the case if your application uses the popular Struts Convention plugin.)
  • The application’s Struts configuration file contains an <action ...> tag that does not specify the optional namespace attribute or specifies a wildcard namespace (e.g., “/*”).

This vulnerability also requires the version of Apache Struts to be Struts 2.3–Struts 2.3.34 or Struts 2.5–Struts 2.5.16. Upgrading to the latest version provided by Apache should mitigate your risk.

Impact assessment

If the above configuration requirements are met and your version of Apache Struts has not been updated to the recommended versions, then an attacker could take full control of the web application using Apache Struts.

Equifax saw a similar Apache Struts vulnerability (CVE-2017-5638) used in what has been called the most expensive data breach in history. Many web-based RCE vulnerabilities like this one are researched quickly, with publicly available exploits appearing in less than a few days after disclosure. In fact, our recent Attacker's Advantage report found that 34 percent of the most prevalent vulnerabilities had an exploit available on the same day they were disclosed.

Vulnerability details

In Apache Struts, when the <action ...> tag doesn’t have a corresponding namespace attribute, the default redirectAction result type will pass unsanitized strings in an HTML request as commands.

In addition, <s:url …> tags without a preset action or value attribute can be manipulated by having malicious code injected into the missing attributes, which then get passed to Struts as executed commands.

Urgently required actions

Upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible.

Apache also states that the following configuration change can mitigate the vulnerability (this should be a temporary workaround until an organization can upgrade):

  • Verify that you have a set namespace (if applicable) for your ‘all’ defined results in underlying configurations.
  • Verify that you have a set value or action for all ‘url’ tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace.

 Researchers at Semmle have suggested that other methods of attack could exist, and these configuration requirements may not prevent attack.

Identifying affected systems (Updated August 24)

Unauthenticated Remote Check

Plugin 112064 is a remote plugin which will attempt to exploit the vulnerability and send an ICMP echo (ping) request from the remote host back to the scanner host to verify a successful exploit.

Enabling a proper scan test requires the following steps:

  • First, enable the scanner to “perform thorough tests” under the Assessment -> General Settings.
  • Second, enable a Web Application Scan in Assessment Settings. Be sure to configure the scan with the appropriate location to start crawling the web application. In the Web Applications section of Assessment Settings, define the “Start crawling from” location for the Web Crawler as highlighted in the image below.
  • Finally, for highly segmented and compartmentalized networks, it is important for the target to have the ability to ping the scanner’s direct IP. This is especially important in cloud environments where VPCs, subnets, and containerized applications can interfere with the communication the plugin sends from the target to the scanner to verify that the blind remote code execution vulnerability exists.

Note: This plugin will not work from Tenable.io scanner pools due to the nature of the vulnerability. Customers are encouraged to run the scan with their own on-prem scanners.

Authenticated Local Check

Plugin ID 112036 is available for both Windows (using SMB credentials) and Unix (using SSH credentials). Note that this plugin only runs in scans where the Accuracy setting is set to Show potential false alarms. Since the plugin relies only on the version number identified for a Struts application, this plugin is unable to identify if a workaround is in place which mitigates the vulnerability. For this reason, the Accuracy setting must be set to Show Potential false alarms.

Tenable.io Container Security can detect containers running versions of Apache Struts that are vulnerable to CVE-2018-11776.

Important Note: Apache suggests that older unsupported versions of Struts may be vulnerable as well, and recommends upgrading to the latest versions to be secure.

Plugin ID

Description

112036

Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)

112064

Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057) (Remote Check)

Example plugin output for an affected system can be seen below:

Get more information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Start your free trial of Tenable.io Container Security now!

Read more >

Published on Aug 22, 2018

People also viewed

Channel Sales Engineer

Santiago Santiago Chile Santiago, Chile Sales Engineering Sales
Your Role:The Channel Sales Engineer will support and will be working with production, engineering, and research and development, as well as external sales firms to determine how Tenable products and services could be designed or modified to best ...

Engineering Manager - UI

Los Angeles California United States West Jefferson Boulevard, Playa Vista, Los Angeles, California, United States, 90066 Cloud Platforms Research & Development
Your Role:Tenable is looking for an experienced UI Engineering manager, who would be responsible for leading a team of world class engineers.  This person would be expected to help grow and mentor experience engineers. Background in working with m...

Engineering Manager - UI

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Cloud Platforms Research & Development
Your Role:Tenable is looking for an experienced UI Engineering manager, who would be responsible for leading a team of world class engineers.  This person would be expected to help grow and mentor experience engineers. Background in working with m...

Engineering Manager - UI

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 20146 Cloud Platforms Research & Development
Your Role:Tenable is looking for an experienced UI Engineering manager, who would be responsible for leading a team of world class engineers.  This person would be expected to help grow and mentor experience engineers. Background in working with m...

Commercial Territory Manager

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 20146 Sales Sales
Your Role:The Commercial Territory Manager will meet and exceed quarterly sales quota by developing new opportunities within specific geographical territory.  Researching and identifying potential accounts; outbound cold calling to soliciting new ...

Recruiter - UK

Uxbridge United Kingdom Furzeground Way , Stockley Park, Uxbridge, United Kingdom, UB11 1EZ Human Resources Human Resources
Your Role:Tenable is seeking a talented Recruiter who will source, screen and ultimately close exceptional sales, marketing and professional services talent. You’ll partner with Tenable’s Sales leadership to create and maintain a talent pipeline, ...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.