IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

"Incredibly dangerous" RCE flaw found in Apache Struts 2

Experts indicate it could lead to a second Equifax-level data breach

Security researchers have discovered another critical security flaw in Apache Struts 2, with experts indicating that it could lead to a breach on a similar scale to the Equifax hack revealed last year.

Man Yue Mo, researcher from Semmle Security Research Team, discovered the remote code execution flaw, which is caused by insufficient validation of untrusted user data. Attackers can exploit the flaw simply by visiting a specific URL on the target server.

The vulnerability, which is designated CVE-2018-11776, affects "all supported versions of Apache Struts 2", and stems from the core of the software, meaning that all implementations are affected regardless of whether or not additional plugins have been enabled.

This latest exploit is particularly worrying due to the popularity and prevalence of Struts. The application development framework, which is used to build Java apps, is deployed extensively by Fortune 500 companies.

There are two criteria that an application must meet in order for it to be vulnerable to this threat, which Semmle's team detailed in a blog post. First, the 'alwaysSelectFullNamespace' flag in the Struts configuration must set to true, which "is automatically the case if your application uses the popular Struts Convention plugin".

Secondly, applications must use "actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. "/*"). This applies to actions and namespaces specified in the Struts configuration file (e.g. ), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin".

A similar remote code execution flaw in Struts (CVE-2017-5638) was discovered last year. It was this flaw that hackers exploited to steal more than 147 million people's personal details and financial history from Equifax - a breach that occurred months after the flaw was disclosed and patched.

"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed," said Mo, the researcher who discovered the flaw, "opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past."

"On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September."

Apache has issued patches to address the flaw, and all users of Struts are being urgently advised to update their systems as soon as possible. Semmle has warned that automated scanning tools will likely be available soon, allowing hackers to quickly scan for and exploit the vulnerability.

"Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit", said Semmle co-founder and vice president of QL engineering Pavel Avgustinov.

"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It's crucially important to update affected systems immediately; to wait is to take an irresponsible risk."

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Open source giant Red Hat joins HPE GreenLake ecosystem
automation

Open source giant Red Hat joins HPE GreenLake ecosystem

28 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022