Apache Struts is an opened upwardly source framework for developing spider web applications inward the Java programming linguistic communication together with is widely used past times enterprises globally, including past times 65 pct of the Fortune 100 companies, similar Vodafone, Lockheed Martin, Virgin Atlantic, together with the IRS.
The vulnerability (CVE-2018-11776) resides inward the center of Apache Struts together with originates because of insufficient validation of user-provided untrusted inputs inward the center of the Struts framework nether surely configurations.
The newly flora Apache Struts exploit tin last triggered only past times visiting a peculiarly crafted URL on the affected spider web server, allowing attackers to execute malicious code together with eventually accept consummate command over the targeted server running the vulnerable application.
Struts2 Vulnerability - Are You Affected?
All applications that operate Apache Struts—supported versions (Struts 2.3 to Struts 2.3.34, together with Struts 2.5 to Struts 2.5.16) together with fifty-fifty about unsupported Apache Struts versions—are potentially vulnerable to this flaw, fifty-fifty when no additional plugins direct keep been enabled.
"This vulnerability affects commonly-used endpoints of Struts, which are probable to last exposed, opening upwardly an assault vector to malicious hackers," Yue Mo said.
Your Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the next conditions:
- The alwaysSelectFullNamespace flag is laid to truthful inward the Struts configuration.
- Struts configuration file contains an "action" or "url" tag that does non specify the optional namespace attribute or specifies a wildcard namespace.
Here's Why You Should Take Apache Struts Exploit Seriously
Less than a twelvemonth ago, credit rating means Equifax exposed personal details of its 147 meg consumers due to their failure of patching a similar Apache Struts flaw that was disclosed before that twelvemonth (CVE-2017-5638).
The Equifax breach terms the companionship over $600 meg inward losses.
"Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, together with the flaw is slow to exploit," said Pavel Avgustinov, Co-founder & VP of QL Engineering at Semmle.
"A hacker tin uncovering their way inward inside minutes, together with exfiltrate information or phase farther attacks from the compromised system."
Patch Released for Critical Apache Struts Bug
We direct keep seen how previous disclosures of similar critical flaws inward Apache Struts direct keep resulted inward PoC exploits beingness published inside a day, together with exploitation of the vulnerability inward the wild, putting critical infrastructure also equally customers' information at risk.
Therefore, users together with administrators are strongly advised to upgrade their Apache Struts components to the latest versions, fifty-fifty if they believe their configuration is non vulnerable correct now.
This is non the start fourth dimension the Semmle Security Research Team has reported a critical RCE flaw inward Apache Struts. Less than a twelvemonth ago, the squad disclosed a similar remote code execution vulnerability (CVE-2017-9805) inward Apache Struts.
UPDATE — Apache Struts RCE Exploit PoC Released
