On August 22, 2018, the Apache Software Foundation acknowledged a critical Remote Code Execution (RCE) vulnerability in all versions of Apache Struts 2 [1]. Successful Remote Code Execution could allow threat actors to perform a variety of malicious actions and potentially gain full remote access to the affected system. Previously, exploits for critical vulnerabilities in Apache Struts were developed a short time after disclosure [2]. The prevalence of Apache Struts combined with the potential impact creates considerable motivation for threat actors to weaponize the latest vulnerability. This vulnerability is being publicly tracked as CVE-2018-11776 [3].

What we’re doing about it

  • eSentire Threat Intelligence is closely monitoring this topic for additional information
  • Current esRECON checks identify Apache Struts versions and will be updated to assist in identifying versions affected

What you should be doing about it

  • Upgrade from version 2.3 to 2.3.35 after performing a business impact review
  • Upgrade from version 2.5 to 2.5.17 after performing a business impact review
  • If a temporary solution is required, set a namespace for all defined results and set a value or action for all URL tags in JSPs

Additional information

  • All Apache Struts versions prior to 2.3.35 or 2.5.17 are vulnerable.
  • The vulnerability in Apache Struts can be exploited when certain non-default configuration settings are in place. The targeted endpoints must use results with no namespace, and their upper action or actions must have no namespace or a wildcard namespace. The attack may also be possible when a URL tag is used without a value or action set [4].
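
The following added example, which is not part of the original advisory or of any eSentire or Apache tooling, checks a Struts version string against the fixed releases named above and audits a struts.xml for results with no namespace inside packages that have no namespace or a wildcard namespace. The sample configuration is constructed, and limiting the check to the redirectAction, chain and postback result types is an assumption not stated in this advisory.

```python
import re
import xml.etree.ElementTree as ET

FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}  # fixed releases named in the advisory
# Assumption: result types that accept a "namespace" param (not listed on this page).
NS_RESULT_TYPES = {"redirectAction", "chain", "postback"}

def is_vulnerable_version(version):
    """True if a Struts 2 version string predates the fixed release for its branch."""
    v = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    v += (0,) * (3 - len(v))
    # Branches other than 2.3 are compared against the 2.5 fix.
    return v < FIXED.get(v[:2], FIXED[(2, 5)])

def audit_struts_xml(xml_text):
    """Return (package, action, result) triples matching the risky configuration."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        ns = pkg.get("namespace")
        if ns and "*" not in ns:
            continue  # package has a fixed, explicit namespace
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in NS_RESULT_TYPES:
                    continue
                params = {p.get("name") for p in result.iter("param")}
                if "namespace" not in params:
                    findings.append((pkg.get("name"), action.get("name"),
                                     result.get("name", "success")))
    return findings

# Constructed sample configuration, not taken from any real application.
SAMPLE = """<struts>
  <package name="legacy" extends="struts-default">
    <action name="save" class="example.SaveAction">
      <result type="redirectAction"><param name="actionName">list</param></result>
      <result name="error">/error.jsp</result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="home" class="example.HomeAction">
      <result type="redirectAction"><param name="actionName">dash</param></result>
    </action>
  </package>
</struts>"""

if __name__ == "__main__":
    for v in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for pkg, action, result in audit_struts_xml(SAMPLE):
        print(f"package={pkg} action={action} result={result}: no namespace set")
```

A finding from the audit is a candidate for the temporary namespace workaround; it does not replace upgrading to a fixed release.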

Resources:

[1] S2-057
https://cwiki.apache.org/confluence/display/WW/S2-057

[2] Synopsys: Software Integrity Blog: Examining Apache Struts remote code execution vulnerabilities
https://www.synopsys.com/blogs/software-security/apache-struts-remote-code-execution-vulnerabilities/

[3] Common Vulnerabilities and Exposures CVE-2018-11776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776

[4] Semmle Discovers Critical Remote Code Execution Vulnerability in Apache Struts (CVE-2018-11776)
https://semmle.com/news/apache-struts-CVE-2018-11776
