eSentire White Logo

Security advisories | Feb 27, 2019

RCE Vulnerability in Apache Struts

On August 22, 2018, the Apache Software Foundation acknowledged a critical Remote Code Execution (RCE) vulnerability in all versions of Apache Struts 2 [1]. Successful Remote Code Execution could allow threat actors to perform a variety of malicious actions and potentially gain full remote access to the affected system. Previously, exploits for critical vulnerabilities in Apache Struts were developed a short time after disclosure [2]. The prevalence of Apache Struts combined with the potential impact creates considerable motivation for threat actors to weaponize the latest vulnerability. This vulnerability is being publicly tracked as CVE-2018-11776 [3].

What we’re doing about it

  • eSentire Threat Intelligence is closely monitoring this topic for additional information
  • Current esRECON checks identify Apache Struts versions and will be updated to assist in identifying versions affected

What you should be doing about it

  • Upgrade from version 2.3 to 2.3.35 after performing a business impact review
  • Upgrade from version 2.5 to 2.5.17 after performing a business impact review
  • If a temporary solution is required, set namespace for all defined results and set a value or action for all URL tags in JSPs

Additional information

  • All Apache Struts version prior to 2.3.35 or 2.5.17 is vulnerable.
  • The vulnerability in Apache Struts can be exploited when certain non-default configuration settings are in place. The targeted endpoints must be using results with no namespace and its upper action or actions have no or wildcard namespace. The attack may also be possible when using a URL tag without a value or set action [4].


[1] S2-057

[2] Synopsis: Software Integrity Blog: Examining Apache Struts remote code execution vulnerabilities

[3] Common Vulnerabilities and Exposures CVE-2018-11776

[4] Semmle Discovers Critical Remote Code Execution Vulnerability in Apache Struts (CVE-2018-11776)