alphaspirit - Fotolia
Users of the Apache Struts web application development framework are being urged to update to the latest version after the discovery of a new critical remote code execution vulnerability.
Apache Struts is a popular open source framework for developing web applications in the Java programming language and is widely used by enterprises around the world.
The Apache Software Foundation announced the vulnerability (CVE-2018-11776), which was identified and reported by Man Yue Mo from the Semmle Security Research Team that finds and reports critical vulnerabilities in widely used open source software.
“This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past,” the researcher said.
Organisations and developers who use Struts are urgently advised to upgrade their Struts components immediately because all applications developed using previous versions of Apache Struts are potentially vulnerable to exploitation of the newly discovered flaw.
Previous disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk, the research team warned.
Failure to update to the latest versions of Struts led to the breach of 148 million Equifax records belonging to US consumers and 694,000 UK consumers in 2017, but in May 2018, security firm Sonatype reported that in the year since the breach, thousands of companies had either not updated to patched versions of the software or had downloaded vulnerable versions.
This newly discovered remote code execution vulnerability affects all supported versions of Apache Struts 2 and users of version 2.3 are strongly advised to upgrade to the latest patched version 2.3.35, while users of Struts 2.5 need to upgrade to version 2.5.17.
The vulnerability is located in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations. All applications that use Struts are potentially vulnerable, even when no additional plugins have been enabled, the researchers warn.
Remote code execution (RCE) vulnerabilities are commonly considered to be the most severe type of security issue because they allow attackers to take control of a vulnerable system, providing an entry point into corporate networks that can put both infrastructure and data at risk.
Struts applications are often facing the public internet, and in most situations an attacker does not require any existing privileges to a vulnerable Struts application to launch an attack against it.
Researchers warn it is very easy for an attacker to assess whether an application is vulnerable, and it is likely that dedicated scanning tools will be available soon to enable an attacker to identify vulnerable applications quickly and automatically.
Whether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application, the researchers said, adding that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future, further underlining the need to upgrade all Struts components.
Read more about the Equifax breach
- Heads roll as Equifax reveals 400,000 Britons affected by breach.
- Equifax appears to have failed to roll out a patch that might have stopped the massive breach of its systems.
- Experts criticised the Equifax breach response as insufficient given the size and scope of the data loss, and said the company was likely not prepared for such an incident.
- While doing preparation work for GDPR, organisations should look at the Equifax breach and understand they would have to notify consumers of a problem much sooner.
Critical remote code execution vulnerabilities like the one that affected Equifax and the newly announced vulnerability are “incredibly dangerous” according to Pavel Avgustinov, co-founder and vice president of QL (software analytics) engineering at Semmle.
This is due to the fact that Struts is used for publicly accessible customer-facing websites, that vulnerable systems are easily identified, and that the flaw is easy to exploit.
“A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk,” he said.
The flaw was reported to the Apache Foundation in line with Semmle’s responsible disclosure policy on 10 April 2018. On 25 June 2018, the Apache Struts team published the code change that patches this vulnerability and on 22 August 2018, new versions of Struts were released.
The Semmle Security Research Team said it worked closely with the Struts developers to ensure an effective patch was made available as quickly as possible.
Foundational security issues
Renaud Deraison, co-founder and CTO of Tenable, said the threats most organisations are dealing with today are the result of foundational security issues, like failing to patch systems when a critical vulnerability is disclosed.
“This latest Apache Struts vulnerability is a reminder of the importance of a basic, critical but very unsexy security measure that every organisation should be doing, which is maintaining its systems.
“Many web-based remote code execution vulnerabilities like this one are researched quickly, with publicly available exploits appearing in less than a few days after disclosure.
“As we saw with Equifax, cyber criminals are taking advantage of organisations who are either unwilling or unable to patch their systems, resulting in catastrophic consequences. Don’t let this flaw be the reason for the next mega breach. Upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible.”
Libraries of code
Tim Mackey, technical evangelist at Black Duck by Synopsys, said developers commonly use libraries of code, or development paradigms which have proven efficient, when creating new applications or features, which is a good thing when the library or paradigm is of high quality, but when a security defect is uncovered, this can lead to a pattern of security issues.
“In the case of [the latest vulnerability] CVE-2018-11776, the root cause was a lack of input validation on the URL passed to the Struts framework.
“Unlike CVE-2018-11776, the prior vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviours.
“CVE-2018-11776 operates at a far deeper level within the code which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern – and this concern relates to any library framework.
“Validating the input to a function requires a clear definition of what is acceptable. It equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it’s difficult to determine if the code is operating correctly or not.
“This contract becomes critical when patches to libraries are issued as it is unrealistic to assume that all patches are free from behavioural changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.”