Security researchers have disclosed a critical remote code execution vulnerability in the widely used Apache Struts web application framework. The flaw lets an unauthenticated remote attacker execute arbitrary code on an affected server, a serious risk for any organization running the framework behind an Internet-facing application.

Apache Struts is a free, open-source Model-View-Controller (MVC) framework for building Java web applications, with plugins that add REST, AJAX and JSON support. The vulnerability, tracked as CVE-2017-9805 (Struts security bulletin S2-052), stems from how the framework handles data from untrusted sources: the Struts REST plugin hands incoming XML request bodies to an XStream instance for deserialization without any type filtering, so the XML itself decides which Java classes get instantiated. That is the classic precondition for a deserialization attack.

The flaw affects releases going back to 2008: Struts 2.1.2 through 2.3.33 and Struts 2.5 through 2.5.12. Any application that deploys the framework's REST plugin (the struts2-rest-plugin artifact) is exposed; applications that do not use the plugin are not affected by this issue, so a defender's first check is whether that jar is present in the deployed WAR. The researchers point out that the framework is used by high-profile organizations including Lockheed Martin, Vodafone, Virgin Atlantic and the Internal Revenue Service (IRS).

According to Man Yue Mo, the security researcher at lgtm (Semmle) who found the bug, it is trivial to exploit: an attacker needs nothing more than a web browser or any other HTTP client to send a specially crafted XML request body to a REST endpoint. Because the framework deserializes that XML before the application's own code ever sees the request, a successful attack yields code execution with the privileges of the application server process, and from there a foothold for moving laterally to other systems on the same network.

This is the same vulnerability class as the Apache Commons Collections deserialization gadget chain that Chris Frohoff and Gabriel Lawrence disclosed in 2015, which turned any application that deserialized untrusted Java objects with that library on its classpath into a remote code execution target. Many Java applications have been hit by related bugs since, and the lesson is unchanged: untrusted input must never decide which classes get instantiated, whether the wire format is native Java serialization, XML or JSON.

The bug is fixed in Struts 2.5.13, and in 2.3.34 for the 2.3 branch, and administrators should upgrade immediately. The researchers have not yet released full technical details or proof-of-concept code, but that is a short reprieve: once a patch is public the fix can be diffed and weaponized, so organizations should not wait for a working exploit to appear before acting. Where an upgrade cannot happen right away, removing the REST plugin from applications that do not actually need it takes the vulnerable code path out of the deployment.
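To make the root cause concrete, here is an added example (not code from this article, from lgtm, or from the Struts project) that puts an XStream instance configured the way the affected REST plugin used it next to one with an explicit type whitelist, which is the kind of restriction the fix relies on. It assumes XStream 1.4.7 or later but earlier than 1.4.18: in those versions the security package with its permission API exists, yet `new XStream()` applies no type filtering by default (from 1.4.18 on a whitelist is active by default, and the `allowTypes` call is still required for the application's own classes). `Order` is a hypothetical request DTO, and both XML inputs are constructed for the demonstration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamTypeFilterDemo {

    /** Hypothetical request body type: the only object this endpoint should ever accept. */
    public static class Order {
        public String sku;
        public int quantity;
    }

    /**
     * Unfiltered XStream, in the spirit of the affected REST plugin versions:
     * whatever class name appears as an XML element gets instantiated
     * (assumes XStream < 1.4.18, where this is the default behaviour).
     */
    static XStream unfiltered() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    /**
     * Hardened XStream: start from "deny every type", then allow only
     * nulls, primitives, String and the application's own DTO.
     * NoTypePermission.NONE clears any permissions registered before it.
     */
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);
        return xs;
    }

    /** Deserialize and report either the class that was instantiated or the rejection. */
    static String describe(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return "accepted " + (o == null ? "null" : o.getClass().getName());
        } catch (ForbiddenClassException e) {
            return "rejected " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate order, and a probe whose root element
        // names a JDK class the endpoint has no business instantiating. ArrayList
        // is harmless here; the point is that the unfiltered instance will just as
        // readily instantiate any other class found on the classpath.
        String legit = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        String probe = "<java.util.ArrayList/>";

        System.out.println("unfiltered, legit: " + describe(unfiltered(), legit));
        System.out.println("unfiltered, probe: " + describe(unfiltered(), probe));
        System.out.println("hardened,   legit: " + describe(hardened(), legit));
        System.out.println("hardened,   probe: " + describe(hardened(), probe));
    }
}
```

The hardened instance accepts the `<order>` document and throws `ForbiddenClassException` for the probe; the unfiltered one accepts both. The whitelist is the control that matters: it has to be a closed list of the types the endpoint genuinely expects, not a blacklist of known gadget classes, because the set of usable gadgets grows with every library on the classpath.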

For defenders mapping this to the MITRE ATT&CK framework, the relevant techniques are Exploit Public-Facing Application (T1190) for initial access, followed by Execution on the compromised host. That framing helps in deciding which controls would actually blunt an attack: rules for XML request bodies at the web application firewall, egress filtering from the application tier, and running the application server with the least privilege it needs.

In short, anyone running Apache Struts with the REST plugin should upgrade now and keep tracking the project's security bulletins going forward. Timely patching remains the single most effective defense against a vulnerability of this kind, where the attacker needs nothing but network access to an exposed endpoint.
