By: Michael Monsivais, CISSP
What is the Apache Struts Vulnerability?
You may have seen news reports of a serious security vulnerability in Apache Struts 2, which is a popular open-source framework developers use to create web applications.
The Apache Struts project has just released a security bulletin about a new critical vulnerability in the Apache Struts web application framework.
The identified vulnerability could allow an unauthenticated remote attacker to execute malicious code on affected systems. At the time of the bulletin's release, all installations of Apache Struts were vulnerable.
The vulnerability, identified by Semmle Security Researcher Man Yue Mo, is reminiscent of other Apache Struts vulnerabilities from recent history. It’s a result of the web application framework failing to validate user input before passing it to sensitive internal functions.
The same type of issue led to CVE-2016-3081 and CVE-2016-4438, two other related Apache Struts vulnerabilities. “Effectively the same issue took three attempts to fix,” says Man Yue Mo.
Remote Code Execution (RCE) vulnerabilities like this can have dire consequences, especially in a case like this one, where an unauthenticated attacker may be able to exploit it. Successfully exploiting an RCE vulnerability could allow the attacker to run arbitrary programs, retrieve source code, or exfiltrate data from the application's database.
It was also an Apache Struts RCE vulnerability (CVE-2017-5638) that led to the Equifax breach.
What should you do to avoid a data breach?
You should update to the latest version of Apache Struts. All versions of Apache Struts, except for 2.3.35 and 2.5.17, which were released yesterday, are affected.
Because every earlier version of Apache Struts is affected by this issue, any installation that has not been updated to one of those two releases is vulnerable and likely exploitable.
The Apache Struts project suggests that exploits may be prevented by adjusting application code. However, they consider this a “weak workaround”, and they ask that you upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible, because those releases also contain other critical, proactive security improvements.
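Before you can upgrade you need to know where Struts is deployed, and version strings are easy to compare wrongly by hand (2.5.9 sorts after 2.5.17 as text). The script below is an added example for this article, not code from SecurityMetrics or the Apache Struts project. It walks a directory tree, looks at loose jars and inside .war/.ear archives, and reports every struts2-core jar as fixed only if it is 2.3.35 or later on the 2.3 line, or 2.5.17 or later on the 2.5 line, exactly as the bulletin states. It assumes the standard Maven artifact name struts2-core-<version>.jar; a renamed or shaded copy of the framework would not be found. The sample tree it builds under a temporary directory is constructed for the demonstration.

```python
"""Inventory Apache Struts 2 core jars and flag those below the fixed releases.

Added example for this article; not code from the Apache Struts project.
Assumes the Maven artifact naming struts2-core-<version>.jar.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, Iterator, Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases named in the bulletin, keyed by release line.
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Matches struts2-core-2.5.16.jar and qualified builds such as
# struts2-core-2.5.16-SNAPSHOT.jar; group 1 is the numeric version.
STRUTS_CORE_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9.]+)?\.jar$")


def parse_version(text: str) -> Version:
    """'2.5.16' -> (2, 5, 16). Tuples compare numerically, so 2.5.9 < 2.5.17,
    which a plain string comparison gets wrong ('2.5.9' > '2.5.17')."""
    return tuple(int(part) for part in text.split("."))


def is_fixed(version: Version) -> bool:
    """True only for 2.3.35+ or 2.5.17+. The bulletin names no other fixed
    release, so any other version, including an unrecognised line or a bare
    '2.5', is reported as affected."""
    fixed = FIXED.get(version[:2])
    return fixed is not None and version >= fixed


def classify_jar(filename: str) -> Optional[Tuple[str, bool]]:
    """Return (version string, fixed?) for a struts2-core jar, else None."""
    match = STRUTS_CORE_JAR.match(os.path.basename(filename))
    if not match:
        return None
    text = match.group(1)
    return text, is_fixed(parse_version(text))


def scan(root: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (location, version, fixed?) for every struts2-core jar under root,
    checking loose jars and the entries of .war/.ear archives (struts2-core
    normally sits under WEB-INF/lib inside a packaged application)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for entry in archive.namelist():
                        found = classify_jar(entry)
                        if found:
                            yield f"{path}!{entry}", found[0], found[1]
            else:
                found = classify_jar(name)
                if found:
                    yield path, found[0], found[1]


def build_demo_tree(root: str) -> None:
    """Constructed sample layout: one loose, patched jar in a shared lib
    directory and one packaged application that still ships an affected jar.
    The check only reads file names, so the jar bodies are empty."""
    lib = os.path.join(root, "shared", "lib")
    os.makedirs(lib)
    open(os.path.join(lib, "struts2-core-2.5.17.jar"), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.16.jar", b"")
        war.writestr("WEB-INF/lib/commons-lang3-3.7.jar", b"")  # unrelated jar, ignored


def demo() -> Dict[str, Tuple[str, bool]]:
    """Scan the constructed tree; keys are locations relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return {os.path.relpath(location, root): (version, fixed)
                for location, version, fixed in scan(root)}


if __name__ == "__main__":
    # Point scan() at a real application server root to inventory a host.
    for location, (version, fixed) in sorted(demo().items()):
        print(f"{'FIXED   ' if fixed else 'AFFECTED'} {version:8} {location}")
```

Run it against an application server's deployment root instead of the demo tree; anything printed as AFFECTED needs the upgrade the bulletin asks for. Note that the version check is deliberately strict: a line the bulletin does not name is reported as affected rather than silently assumed safe.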
Michael Monsivais is a Senior Penetration Tester at SecurityMetrics. He holds a Certified Information Systems Security Professional (CISSP) certification. He has 8 years of experience in penetration testing and 12 years in system administration.