New Critical Apache Struts Vulnerability Discovered

A new Apache Struts vulnerability has been discovered in the core functionality of Apache Struts. This is a critical flaw that allows remote code execution in certain configurations of the framework. The flaw could prove more serious than the one that was exploited in the Experian hack in 2017.

Apache Struts is an open source framework used in many Java-based web applications. It has been estimated that at least 65% of Fortune 500 companies use Struts to some extent in their web applications.

The flaw was identified by security researcher Man Yue Mo of Semmle and is being tracked as CVE-2018-11776. Semmle disclosed the flaw to the Apache Foundation and the timing of publication of the vulnerability coincides with the release of a patch to fix the vulnerability.

The potential for exploitation is limited by the fact that only certain configurations of Apache Struts are vulnerable to attack. While these configurations are not likely to be set by the majority of businesses, they are far from uncommon.

The Apache Foundation has released details of the configurations that are vulnerable:

  • When the alwaysSelectFullNamespace flag is set to true, which is the default when the Struts Convention plug-in is used.
  • When the Struts configuration file of an application contains "an `<action …>` tag that does not specify the optional namespace attribute or specifies a wildcard namespace (e.g. `/*`)".
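The two conditions above can be checked mechanically before a patch window opens. The following audit script is an added example written for this article, not code from Apache or Semmle; it parses a constructed `struts.xml`, reports whether the `struts.mapper.alwaysSelectFullNamespace` constant is set to true, and lists every action whose effective namespace is missing or contains a wildcard. The Struts configuration schema places `namespace` on `<package>`, so the script takes an action's own `namespace` attribute when one is present (the wording quoted from the advisory) and otherwise falls back to the enclosing package's; the `convention_plugin_present` parameter is an assumption of this example, used to model the plug-in defaulting the flag to true even when no constant appears in the file. The Apache advisory requires both conditions to hold for the application to be exploitable, so the script reports each condition separately and a combined flag.

```python
"""Audit a Struts 2 XML configuration for the two CVE-2018-11776 conditions.
Added example (not Apache/Semmle code); sample configurations are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: flag set to true, one package with no namespace, one with a wildcard.
SAMPLE_STRUTS_XML = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="list" class="example.ListAction">
      <result type="redirectAction">detail</result>
    </action>
  </package>
  <package name="safe" namespace="/app" extends="struts-default">
    <action name="detail" class="example.DetailAction">
      <result>/detail.jsp</result>
    </action>
  </package>
</struts>
"""

# Constructed hardened sample: flag explicitly false, every package has an explicit namespace.
HARDENED_STRUTS_XML = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="app" namespace="/app" extends="struts-default">
    <action name="list" class="example.ListAction">
      <result type="redirectAction">detail</result>
    </action>
    <action name="detail" class="example.DetailAction">
      <result>/detail.jsp</result>
    </action>
  </package>
</struts>
"""

FLAG_NAME = "struts.mapper.alwaysSelectFullNamespace"


def effective_namespace(pkg, action):
    """Namespace the action is matched under: its own attribute if present
    (the advisory's wording), otherwise the enclosing package's (Struts schema)."""
    own = action.get("namespace")
    return own if own is not None else pkg.get("namespace")


def audit_struts_config(xml_text, convention_plugin_present=False):
    """Return a report dict: whether the flag is effectively true, the list of
    (package, action, reason) tuples with missing or wildcard namespaces, and
    whether both advisory conditions hold at once."""
    root = ET.fromstring(xml_text.strip())

    # Explicit constant wins; otherwise the Convention plug-in (hypothetical
    # parameter here) is assumed to default the flag to true.
    explicit = None
    for const in root.iter("constant"):
        if const.get("name") == FLAG_NAME:
            explicit = const.get("value", "").strip().lower() == "true"
    always_full = explicit if explicit is not None else convention_plugin_present

    risky = []
    for pkg in root.iter("package"):
        for action in pkg.findall("action"):
            ns = effective_namespace(pkg, action)
            if ns is None:
                risky.append((pkg.get("name"), action.get("name"), "missing namespace"))
            elif "*" in ns:
                risky.append((pkg.get("name"), action.get("name"), "wildcard namespace"))

    return {
        "always_select_full_namespace": always_full,
        "risky_actions": risky,
        "both_conditions": always_full and bool(risky),
    }


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        report = audit_struts_config(cfg)
        print(label, report)
```

Run it against each application's `struts.xml` (and any included configuration files) to prioritise which deployments must move to 2.3.35 or 2.5.17 first; a report with `both_conditions` true is the configuration the advisory describes, while a true flag on its own is still worth reviewing because the Convention plug-in sets it without any constant appearing in the file.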

Now that the vulnerability has been disclosed, it is essential for all businesses to update vulnerable versions of Struts as a priority. The vulnerability is present in all supported versions of Apache Struts 2. Users of Struts 2.3 have been advised to upgrade to 2.3.35, and users of 2.5 should upgrade to 2.5.17.

As Semmle noted in an August 22 blog post, previous Apache Struts vulnerabilities have had working exploits developed within a day of the vulnerability being announced.

Vulnerable targets are likely to be easy to identify, and attacks are inevitable. As the Experian hack showed, failing to address Struts vulnerabilities can prove incredibly damaging.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news