

Disturbing Secrets Of The Deep And Dark Web
August 22, 2018
Rewterz Threat Advisory – Red Hat Update for postgresql
August 24, 2018
A remote code execution vulnerability exists in various versions of Apache Struts; a successful attack may allow an attacker to take control of the affected system.
IMPACT: HIGH
PUBLISH DATE: 23-08-2018
OVERVIEW
Semmle, an independent security research group, has released a finding, confirmed by the Apache Foundation, that a critical remote code execution flaw exists in the popular Struts 2 open source framework. This vulnerability is located in the core of Apache Struts 2 and impacts all supported versions of Struts 2.
The vulnerability originates from insufficient validation of untrusted, user-provided input in the core of the Struts framework under certain configurations. The exploit can be triggered just by visiting a specially crafted URL on the affected web server. It enables attackers to execute malicious code and eventually take complete control of the targeted server on which the vulnerable application is running.
ANALYSIS
The vulnerability involves the injection of a payload as unvalidated input into a Struts application, where it is then evaluated and results in remote code execution.
The exploit uses an obscure expression language called OGNL, used by only a few Java-based frameworks such as Struts and Spring Web Flow. The OGNL expression payload results in remote code execution that affects Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16.
The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of URL tags with no value or action. In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing.
Successful exploitation leads to execution of arbitrary code in the security context of the targeted system or the affected application.
AFFECTED PRODUCTS
Apache Struts versions:
- 2.3 to 2.3.34
- 2.5 to 2.5.16
VULNERABILITY INDICATORS
All applications that use Apache Struts supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) are potentially vulnerable to this flaw, even without enabling any additional plugins.
The following conditions indicate that Apache Struts is vulnerable to the Remote Code Execution flaw:
- The “alwaysSelectFullNamespace” flag is set to true in the Struts configuration.
- The Struts configuration file contains an “action” or “URL” tag that does not specify the optional namespace attribute or specifies a wildcard namespace.
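One way to check a deployment against these indicators, shown as an added example that is not part of the original advisory or of any Apache tooling: a Python audit of a struts.xml file plus a version check against the affected ranges. It assumes the flag appears as the constant struts.mapper.alwaysSelectFullNamespace and that an action's namespace is declared on its enclosing package element. The function names and the sample configuration are constructed for illustration, and URL tags inside page templates are not covered.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory (inclusive).
AFFECTED = [((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16))]

def version_affected(version):
    """True if a Struts version string falls inside an affected range."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    v = tuple(parts + [0] * (3 - len(parts)))
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def audit_struts_xml(xml_text):
    """Return findings for the two configuration indicators."""
    root = ET.fromstring(xml_text)
    findings = []
    for const in root.iter("constant"):
        if (const.get("name") == "struts.mapper.alwaysSelectFullNamespace"
                and (const.get("value") or "").strip().lower() == "true"):
            findings.append("alwaysSelectFullNamespace is true")
    # Assumption: an <action> takes its namespace from the enclosing <package>.
    for pkg in root.iter("package"):
        if not pkg.findall("action"):
            continue
        ns = pkg.get("namespace")
        if ns is None or ns.strip() == "":
            findings.append(f"package '{pkg.get('name')}': actions have no namespace")
        elif "*" in ns:
            findings.append(f"package '{pkg.get('name')}': wildcard namespace '{ns}'")
    return findings

# Constructed sample configuration (not from a real application).
SAMPLE = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="public" extends="struts-default">
    <action name="help" class="example.HelpAction"><result>/help.jsp</result></action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="users" class="example.UsersAction"><result>/users.jsp</result></action>
  </package>
</struts>"""

if __name__ == "__main__":
    for finding in audit_struts_xml(SAMPLE):
        print("FINDING:", finding)
    for ver in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(ver, "affected:", version_affected(ver))
```

A clean result from this check does not replace the upgrade, since the advisory treats every application on an affected version as potentially vulnerable.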
MITIGATION
Apache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Both of these versions contain the security fixes only, and no backward incompatibility issues are expected. All clients using vulnerable versions of Apache Struts are advised to upgrade to the patched versions as soon as possible.