Critical Vulnerability Discovered in Apache Struts Framework
A significant remote code execution vulnerability, designated CVE-2018-11776, has been disclosed in the widely used Apache Struts web application framework, which is crucial for numerous businesses globally. Semmle security researcher Man Yue Mo revealed that this flaw could enable remote attackers to execute malicious code on affected servers, potentially leading to unauthorized access and control.
Apache Struts, an open-source framework for developing Java web applications, is integral to many enterprises, with approximately 65 percent of Fortune 100 companies utilizing it, including major names like Vodafone, Lockheed Martin, and the IRS. The vulnerability arises from insufficient validation of untrusted user input when the framework is configured in specific ways: under those configurations, the namespace portion of a request URL is taken from the attacker and evaluated as an OGNL expression, which is what turns a crafted URL into code execution on the server. This puts numerous applications at risk, specifically those running Struts 2.3 through 2.3.34 and Struts 2.5 through 2.5.16, along with some unsupported versions.
The exploit is easy to trigger: an attacker need only request a specially crafted URL on an affected server to execute arbitrary code, with no credentials required. With such an entry point, attackers can take control of the targeted server, presenting severe security implications for organizations that rely on this framework. Mo cautioned that the risk is exacerbated by the fact that commonly used endpoints in Struts are likely to be exposed, thereby opening a pathway for attacks.
Organizations using Apache Struts should be particularly vigilant. An application is exposed when the alwaysSelectFullNamespace flag is set to true (either explicitly in the Struts configuration or by a plugin such as the Convention plugin, which enables it) and, at the same time, its actions are declared in a package with no namespace attribute or with a wildcard namespace, or its url tags are used without a namespace, action, or value. Because the vulnerable condition is a combination of configuration settings rather than a single obvious error, inadvertently altering a Struts configuration file could render a previously non-vulnerable application susceptible to this serious flaw.
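The configuration conditions described above can be inventoried mechanically. The following is an added example written for this page, not code from the article, from Semmle, or from the Apache Struts project: it parses a struts.xml and reports whether the two conditions coincide, namely the struts.mapper.alwaysSelectFullNamespace constant set to true and an action declared in a package whose namespace is absent or a wildcard. The two struts.xml fragments embedded in it are constructed samples, not taken from any real deployment, and the check deliberately does not try to resolve included files, struts.properties, or plugin defaults, which it lists as caveats instead. Its purpose is triage only; the remediation remains upgrading to a patched release.

```python
"""Added example: flag the struts.xml conditions under which CVE-2018-11776 is reachable.

The check looks for two facts occurring together:
  1. struts.mapper.alwaysSelectFullNamespace set to true, and
  2. a <package> with no namespace attribute (or a wildcard one) that declares <action> elements.
It only inventories exposure; the fix is upgrading to Struts 2.3.35 / 2.5.17.
"""
import xml.etree.ElementTree as ET

FULL_NAMESPACE_FLAG = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample of a vulnerable struts.xml: flag on, package without a namespace.
VULNERABLE_STRUTS_XML = """<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
</struts>
"""

# Constructed sample of the same application with the flag off and the package namespace pinned.
HARDENED_STRUTS_XML = """<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/app" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
</struts>
"""


def full_namespace_enabled(root):
    """True if this struts.xml itself sets the flag to true.

    Caveat: the flag can also be set in struts.properties or by a plugin
    (the Convention plugin turns it on); a file-level check cannot see those.
    """
    for constant in root.iter("constant"):
        if (constant.get("name") == FULL_NAMESPACE_FLAG
                and constant.get("value", "").strip().lower() == "true"):
            return True
    return False


def risky_actions(root):
    """(package, action, namespace) for actions in packages with no or wildcard namespace.

    An empty namespace attribute is treated like a missing one, because Struts
    uses "" as the default namespace in both cases.
    """
    findings = []
    for package in root.iter("package"):
        namespace = package.get("namespace")
        if not namespace or "*" in namespace:
            for action in package.iter("action"):
                findings.append((package.get("name"), action.get("name"), namespace))
    return findings


def assess(xml_text):
    """Parse one struts.xml document and report the exposure conditions found in it."""
    root = ET.fromstring(xml_text)
    flag = full_namespace_enabled(root)
    actions = risky_actions(root)
    # <include file="..."/> pulls in further configuration that must be scanned separately.
    includes = [inc.get("file") for inc in root.iter("include")]
    return {
        "always_select_full_namespace": flag,
        "risky_actions": actions,
        "includes_not_scanned": includes,
        "exposed": flag and bool(actions),
    }


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_STRUTS_XML),
                        ("hardened", HARDENED_STRUTS_XML)):
        print(label, assess(text))
```

A result with "exposed" set to True means both conditions are present in the file and the application needs the patch now; a False result is not a clean bill of health, since the flag may come from a plugin or another configuration source and JSP url tags are not covered by this check.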
Highlighting the gravity of the situation, industry experts point to prior incidents, such as the Equifax breach, where the exploitation of an earlier Apache Struts vulnerability (CVE-2017-5638) led to exposure of sensitive information for 147 million consumers. That attack not only had severe financial repercussions, exceeding $600 million, but also illustrates the ease with which attackers can exploit such vulnerabilities. Pavel Avgustinov, Co-founder and VP at Semmle, emphasized that systems running publicly accessible websites are especially daunting targets, where compromised systems can be turned against the organization in a matter of minutes.
In response to the urgency of this threat, the Apache Struts project has released patched versions 2.3.35 and 2.5.17. Organizations are strongly advised to upgrade their installations promptly rather than rely on a configuration audit alone, since a later configuration change can reintroduce the vulnerable condition. Given the swift response of attackers to exploit vulnerabilities, evident in the rapid publication of proof-of-concept exploits following prior disclosures, proactive measures must be prioritized.
This incident underscores a larger trend in which critical vulnerabilities, like the one in Apache Struts, pose a continuous threat to organizations. It serves as a reminder that even well-protected configurations can become vulnerable with minimal changes, urging businesses to maintain vigilance and ensure their software is up to date. The impact of such vulnerabilities can be profound, not only in terms of financial loss but also regarding trust and reputation in today’s increasingly interconnected business landscape.
As of today, a proof-of-concept exploit related to the newly discovered RCE vulnerability has already been made publicly available, heightening the need for immediate action among affected organizations. The stakes are high, and the call for prompt remediation could not be more critical.