"Incredibly dangerous" RCE flaw found in Apache Struts 2

Security researchers have discovered another critical security flaw in Apache Struts 2, with experts indicating that it could lead to a breach on a similar scale to the Equifax hack revealed last year.

Man Yue Mo, researcher from Semmle Security Research Team, discovered the remote code execution flaw, which is caused by insufficient validation of untrusted user data. Attackers can exploit the flaw simply by visiting a specific URL on the target server.

The vulnerability, which is designated CVE-2018-11776, affects "all supported versions of Apache Struts 2", and stems from the core of the software, meaning that all implementations are affected regardless of whether or not additional plugins have been enabled.

This latest exploit is particularly worrying due to the popularity and prevalence of Struts. The application development framework, which is used to build Java apps, is deployed extensively by Fortune 500 companies.

There are two criteria that an application must meet in order for it to be vulnerable to this threat, which Semmle's team detailed in a blog post. First, the 'alwaysSelectFullNamespace' flag in the Struts configuration must set to true, which "is automatically the case if your application uses the popular Struts Convention plugin".

Secondly, applications must use "actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. "/*"). This applies to actions and namespaces specified in the Struts configuration file (e.g. ), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin".

A similar remote code execution flaw in Struts (CVE-2017-5638) was discovered last year. It was this flaw that hackers exploited to steal more than 147 million people's personal details and financial history from Equifax - a breach that occurred months after the flaw was disclosed and patched.

"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed," said Mo, the researcher who discovered the flaw, "opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past."

"On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September."

Apache has issued patches to address the flaw, and all users of Struts are being urgently advised to update their systems as soon as possible. Semmle has warned that automated scanning tools will likely be available soon, allowing hackers to quickly scan for and exploit the vulnerability.

"Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit", said Semmle co-founder and vice president of QL engineering Pavel Avgustinov.

"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It's crucially important to update affected systems immediately; to wait is to take an irresponsible risk."

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.