"Incredibly dangerous" RCE flaw found in Apache Struts 2

Experts indicate it could lead to a second Equifax-level data breach

Security researchers have discovered another critical security flaw in Apache Struts 2, with experts indicating that it could lead to a breach on a similar scale to the Equifax hack revealed last year.

Man Yue Mo, researcher from Semmle Security Research Team, discovered the remote code execution flaw, which is caused by insufficient validation of untrusted user data. Attackers can exploit the flaw simply by visiting a specific URL on the target server.

The vulnerability, which is designated CVE-2018-11776, affects "all supported versions of Apache Struts 2", and stems from the core of the software, meaning that all implementations are affected regardless of whether or not additional plugins have been enabled.

This latest exploit is particularly worrying due to the popularity and prevalence of Struts. The application development framework, which is used to build Java apps, is deployed extensively by Fortune 500 companies.

There are two criteria that an application must meet in order for it to be vulnerable to this threat, which Semmle's team detailed in a blog post. First, the 'alwaysSelectFullNamespace' flag in the Struts configuration must set to true, which "is automatically the case if your application uses the popular Struts Convention plugin".

Secondly, applications must use "actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. "/*"). This applies to actions and namespaces specified in the Struts configuration file (e.g. ), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin".

A similar remote code execution flaw in Struts (CVE-2017-5638) was discovered last year. It was this flaw that hackers exploited to steal more than 147 million people's personal details and financial history from Equifax - a breach that occurred months after the flaw was disclosed and patched.

"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed," said Mo, the researcher who discovered the flaw, "opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past."

"On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September."

Apache has issued patches to address the flaw, and all users of Struts are being urgently advised to update their systems as soon as possible. Semmle has warned that automated scanning tools will likely be available soon, allowing hackers to quickly scan for and exploit the vulnerability.

"Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit", said Semmle co-founder and vice president of QL engineering Pavel Avgustinov.

"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It's crucially important to update affected systems immediately; to wait is to take an irresponsible risk."

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

Wisconsin Republican Party allegedly loses $2.3 million to hackers
hacking

Wisconsin Republican Party allegedly loses $2.3 million to hackers

30 Oct 2020
What is DevSecOps and why is it important?
Security

What is DevSecOps and why is it important?

30 Oct 2020
Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle
Security

Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle

30 Oct 2020
Ryuk behind a third of all ransomware attacks in 2020
Security

Ryuk behind a third of all ransomware attacks in 2020

29 Oct 2020

Most Popular

Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?
Technology

What is Neuralink?

24 Oct 2020
Hackers demand ransom from therapy patients after clinic data breach
Security

Hackers demand ransom from therapy patients after clinic data breach

27 Oct 2020