By: Michael Monsivais, CISSP
Apache Struts developers released another security announcement on November 5, 2018 -- two and a half months after their last big security bulletin. Although they are warning us of another Remote Code Execution (RCE) bug in the Struts 2 framework, circumstances are a little different this time.
How does the new Struts issue compare to the last one?
You will remember from our post on the developers' previous Apache Struts security bulletin that successfully exploiting an RCE vulnerability could allow an attacker to run arbitrary programs, retrieve source code, or exfiltrate data from the targeted application's database. The RCE vulnerabilities previously reported by Struts were errors within the Struts code itself. In contrast, this most recent RCE issue was found in a library that is used by, and shipped with, the Struts framework: the Apache Commons FileUpload library.
The Commons FileUpload library is used by Struts to easily add file-upload functionality to web applications. Early in 2016, an RCE vulnerability in the FileUpload library was identified by Jacob Baines of Tenable Network Security. Near the end of 2016, version 1.3.3 of the Commons FileUpload library was released with a fix for this issue.
Why did it take this long to hear about this vulnerability?
So if this issue was fixed in 2016, why are we only hearing about it now, nearly two years later? Why was it not already addressed by the Struts project? That might be a result of the reaction of the Commons FileUpload developers to the issue. In a message to Tenable, the Commons FileUpload developers said:
Having reviewed your report we have concluded that it does not represent a valid vulnerability in Apache Commons File Upload. If an application deserializes data from an untrusted source without filtering and/or validation that is an application vulnerability not a vulnerability in the library a potential attacker might leverage.
Because of this response, the Tenable researchers concluded:
Per the Apache Software Foundation's response, it is up to each vendor/product that implements this library to ensure that it is done in such a manner that does not allow shenanigans.
It appears that the developers' reluctance to accept blame delayed a fix and allowed the issue to be forgotten by the Struts Project. For the past two years, the Struts Project has been packaging the outdated version of Commons FileUpload (1.3.2) with its Struts 2 releases, even though a fixed version (1.3.3) of Commons FileUpload was available.
The ball is now in Struts users' courts
Last week's security bulletin from Struts, while delayed two years, has now put the ball into their users' courts; it is time for them to update. If you are using Struts version 2.3.36 or earlier, this impacts you and you will need to update. However, this time it is not as simple as updating your Struts installation. You will need to update the Commons FileUpload library in your application's WEB-INF/lib/ path. Replace the commons-fileupload-1.3.2.jar library with the secured commons-fileupload-1.3.3.jar file, found here.
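As an added example (not code from the Struts project or from the original post), the following POSIX shell helper walks a deployed webapp's WEB-INF/lib directory and flags any commons-fileupload jar older than the fixed 1.3.3 release, so the update described above can be verified across many deployments. The function names and the constructed sample directory are assumptions.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not from the Struts project): scan a webapp's
# WEB-INF/lib for commons-fileupload jars older than the fixed 1.3.3 release.

# Compare two dotted numeric versions; prints lt, eq or gt.
version_cmp() {
  i=1
  while :; do
    # Trailing "." guarantees a delimiter so cut never echoes the whole string back.
    pa=$(printf '%s.' "$1" | cut -d. -f"$i")
    pb=$(printf '%s.' "$2" | cut -d. -f"$i")
    [ -z "$pa" ] && [ -z "$pb" ] && { echo eq; return 0; }
    pa=${pa:-0}; pb=${pb:-0}   # a missing component counts as 0 (1.3 == 1.3.0)
    [ "$pa" -lt "$pb" ] && { echo lt; return 0; }
    [ "$pa" -gt "$pb" ] && { echo gt; return 0; }
    i=$((i + 1))
  done
}

# Classify one jar by file name: "vulnerable <ver>", "fixed <ver>" or "other".
check_fileupload_jar() {
  name=$(basename "$1")
  case "$name" in commons-fileupload-*.jar) ;; *) echo other; return 0 ;; esac
  ver=$(printf '%s' "$name" | sed 's/^commons-fileupload-\([0-9][0-9.]*\).*\.jar$/\1/')
  case "$ver" in ''|*[!0-9.]*) echo other; return 0 ;; esac   # unparsable version
  if [ "$(version_cmp "$ver" 1.3.3)" = lt ]; then echo "vulnerable $ver"; else echo "fixed $ver"; fi
}

# Walk a WEB-INF/lib directory; exit status 1 if any outdated copy is present.
audit_webinf_lib() {
  rc=0
  for jar in "$1"/*.jar; do
    [ -e "$jar" ] || continue
    result=$(check_fileupload_jar "$jar")
    case "$result" in
      vulnerable*) echo "$jar: $result -> replace with commons-fileupload-1.3.3.jar"; rc=1 ;;
      fixed*)      echo "$jar: $result" ;;
    esac
  done
  return $rc
}

# Constructed sample lib directory mirroring a Struts 2.3.36 deployment.
demo=$(mktemp -d)
touch "$demo/struts2-core-2.3.36.jar" "$demo/commons-fileupload-1.3.2.jar"
audit_webinf_lib "$demo" || echo "ACTION REQUIRED: outdated Commons FileUpload found in $demo"
rm -rf "$demo"
```

Point audit_webinf_lib at each application's real WEB-INF/lib (or an exploded WAR) and act on a non-zero exit status; a jar matched by name but with an unparsable version is reported as "other" and should be inspected by hand.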