On August 22, 2018, the Apache Software Foundation acknowledged a critical Remote Code Execution (RCE) vulnerability in all versions of Apache Struts 2 [1]. Successful Remote Code Execution could allow threat actors to perform a variety of malicious actions and potentially gain full remote access to the affected system. Previously, exploits for critical vulnerabilities in Apache Struts were developed a short time after disclosure [2]. The prevalence of Apache Struts combined with the potential impact creates considerable motivation for threat actors to weaponize the latest vulnerability. This vulnerability is being publicly tracked as CVE-2018-11776 [3].

What we’re doing about it

  • eSentire Threat Intelligence is closely monitoring this topic for additional information
  • Current esRECON checks identify Apache Struts versions, and will be updated to assist in identifying versions affected

What you should be doing about it

  • Upgrade from version 2.3 to 2.3.35 after performing a business impact review
  • Upgrade from version 2.5 to 2.5.17 after performing a business impact review
  • If a temporary solution is required, set a namespace for all defined results and set a value or action for all URL tags in JSPs

Additional information

  • All Apache Struts versions prior to 2.3.35 or 2.5.17 are vulnerable.
  • The vulnerability in Apache Struts can be exploited when certain non-default configuration settings are in place. The targeted endpoints must be using results with no namespace while their upper action or actions have no namespace or a wildcard namespace. The attack may also be possible when using a URL tag that has no value or action set [4].
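
The configuration conditions above can be checked in your own application sources. The following audit script is an added example, not code from eSentire or the Apache Struts project. It assumes that the result types accepting a namespace parameter are redirectAction, chain and postback, and that a "*" in a package namespace marks a wildcard; the function names and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
# Assumption: result types that take a "namespace" param (not listed on the page).
NS_RESULT_TYPES = {"redirectAction", "chain", "postback"}
URL_TAG = re.compile(r"<s:url\b([^>]*)>", re.IGNORECASE)

def audit_struts_xml(xml_text):
    """Flag results with no namespace under a package whose namespace is
    missing or wildcarded. Returns (package, action, result type) tuples."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        pkg_ns = pkg.get("namespace")
        if pkg_ns and "*" not in pkg_ns:
            continue  # concrete namespace ("*" as the wildcard marker is assumed)
        for holder in pkg.iter():
            if holder.tag not in ("action", "global-results"):
                continue
            for result in holder.iter("result"):
                params = {p.get("name"): (p.text or "").strip()
                          for p in result.iter("param")}
                if result.get("type") in NS_RESULT_TYPES and not params.get("namespace"):
                    findings.append((pkg.get("name"),
                                     holder.get("name", "<global-results>"),
                                     result.get("type")))
    return findings

def audit_jsp(jsp_text):
    """Return <s:url> tags that set neither value nor action."""
    return [m.group(0) for m in URL_TAG.finditer(jsp_text)
            if not re.search(r"\b(value|action)\s*=", m.group(1))]

# Constructed sample input, not taken from any real application.
SAMPLE_STRUTS = """<struts>
  <package name="open" extends="struts-default">
    <action name="save" class="example.Save">
      <result type="redirectAction"><param name="actionName">list</param></result>
    </action>
  </package>
  <package name="pinned" namespace="/admin" extends="struts-default">
    <action name="save" class="example.Save">
      <result type="redirectAction"><param name="actionName">list</param></result>
    </action>
  </package>
</struts>"""
SAMPLE_JSP = '<s:url var="self"/> <s:url action="list" namespace="/admin"/>'

if __name__ == "__main__":
    print(audit_struts_xml(SAMPLE_STRUTS))
    print(audit_jsp(SAMPLE_JSP))
```

A finding is a prompt to apply the temporary mitigation to that entry or to prioritize the upgrade; an empty result does not replace upgrading to 2.3.35 or 2.5.17.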

Resources:

[1] https://cwiki.apache.org/confluence/display/WW/S2-057

[2] https://www.synopsys.com/blogs/software-security/apache-struts-remote-code-execution-vulnerabilities/

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776

[4] https://semmle.com/news/apache-struts-CVE-2018-11776
