"Incredibly dangerous" RCE flaw found in Apache Struts 2

Experts indicate it could lead to a second Equifax-level data breach

Security researchers have discovered another critical security flaw in Apache Struts 2, with experts indicating that it could lead to a breach on a similar scale to the Equifax hack revealed last year.

Man Yue Mo, researcher from Semmle Security Research Team, discovered the remote code execution flaw, which is caused by insufficient validation of untrusted user data. Attackers can exploit the flaw simply by visiting a specific URL on the target server.

The vulnerability, which is designated CVE-2018-11776, affects "all supported versions of Apache Struts 2", and stems from the core of the software, meaning that all implementations are affected regardless of whether or not additional plugins have been enabled.

This latest exploit is particularly worrying due to the popularity and prevalence of Struts. The application development framework, which is used to build Java apps, is deployed extensively by Fortune 500 companies.

There are two criteria that an application must meet in order for it to be vulnerable to this threat, which Semmle's team detailed in a blog post. First, the 'alwaysSelectFullNamespace' flag in the Struts configuration must set to true, which "is automatically the case if your application uses the popular Struts Convention plugin".

Advertisement - Article continues below

Secondly, applications must use "actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. "/*"). This applies to actions and namespaces specified in the Struts configuration file (e.g. ), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin".

A similar remote code execution flaw in Struts (CVE-2017-5638) was discovered last year. It was this flaw that hackers exploited to steal more than 147 million people's personal details and financial history from Equifax - a breach that occurred months after the flaw was disclosed and patched.

"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed," said Mo, the researcher who discovered the flaw, "opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past."

"On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September."

Apache has issued patches to address the flaw, and all users of Struts are being urgently advised to update their systems as soon as possible. Semmle has warned that automated scanning tools will likely be available soon, allowing hackers to quickly scan for and exploit the vulnerability.

"Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit", said Semmle co-founder and vice president of QL engineering Pavel Avgustinov.

"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It's crucially important to update affected systems immediately; to wait is to take an irresponsible risk."

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now



Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Amazon Web Services (AWS)

What to expect from AWS Re:Invent 2019

29 Nov 2019

Raspberry Pi 4 owners complain of broken Wi-Fi when using HDMI

29 Nov 2019
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019