A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers – who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.
The vulnerability (CVE-2018-11776) was patched by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team’s Man Yue Mo, who uncovered the flaw.
“This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,” he said in a posting on Wednesday. “On top of that, the weakness is related to the Struts Object-Graph Navigation Language (OGNL) language, which hackers are very familiar with, and are known to have been exploited in the past.”
OGNL is a powerful, domain-specific language that is used to customize Struts’ behavior.
“On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,” said Yue Mo, referring to the infamous vulnerability (CVE-2017-9805) that hackers used to compromise Equifax last year, which led to the lifting of personal details of 147 million consumers.
Tim Mackey, technology evangelist at Synopsys, told Threatpost that this is due to the fact that it affects a wider swath of the Struts architecture.
“In the case of CVE-2018-11776, the root cause [is] a lack of input validation on the URL passed to the Struts framework,” he explained. “The prior [Struts] vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code, which in turn requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern – and this concern relates to any library framework.”
Anatomy of the Flaw
The vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team’s findings.
“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request,” they explained. “The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.”
Because the issue affects the core of Struts, there are at least two separate attack vectors – and potentially many more.
In the first attack scenario, three Struts result types are unsafe when used without a namespace, as defined either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These are the redirectAction result, which redirects the visitor to a different URL; action chaining, which is a method to chain multiple actions into a defined sequence or workflow; and the postback result, which renders the current request parameters as a form that immediately submits a postback to the specified destination chain or postback.
The researchers explained: “An example of a struts.xml configuration that is potentially vulnerable: the <action …> tag does not have a namespace attribute and contains a result of type redirectAction. If you use the Struts Convention plugin, you will also have to look for actions and results that are configured using Java code.”
The second attack vector has to do with the fact that Struts supports page templates inside <result> tags in the Struts configuration: “The use of URL tags in such pages is potentially unsafe if the template is referred to from an <action> tag that does not provide a namespace attribute (or specifies a wildcard namespace),” the researchers said. “Your application is vulnerable if the template contains an <s:url …> tag without an action or value attribute.”
Researchers noted that for an exploit for either of the known vectors to be successful, an application must have the alwaysSelectFullNamespace flag set to “true” in the Struts configuration – a default state if the application uses the popular Struts Convention plugin. Also, the application’s actions must be configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”).
“This applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace="main">), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin,” they explained.
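As an added illustration (not code from the article, Semmle or the Struts project), a small Python audit that checks a struts.xml for the preconditions just described: alwaysSelectFullNamespace set to true, plus an action with no namespace or a wildcard namespace whose result is of type redirectAction, chain or postback. The two sample configurations, the class name example.LoginAction and the namespace /main are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Result types the advisory names as unsafe when the action has no namespace.
UNSAFE_RESULT_TYPES = {"redirectAction", "chain", "postback"}

def namespace_is_unsafe(ns):
    """True for a missing or empty namespace, or a wildcard such as "/*"."""
    return ns is None or ns.strip() == "" or "*" in ns

def audit_struts_xml(xml_text):
    """Return the findings (strings) for one struts.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    if any(c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
           and (c.get("value") or "").strip().lower() == "true"
           for c in root.iter("constant")):
        findings.append("constant alwaysSelectFullNamespace=true (exploit precondition)")
    for pkg in root.iter("package"):
        for action in pkg.findall("action"):
            # Struts keeps namespace on <package>; the advisory's example puts it
            # on <action>, so an action-level attribute overrides the package one.
            ns = action.get("namespace", pkg.get("namespace"))
            if not namespace_is_unsafe(ns):
                continue
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")  # Struts' default type
                if rtype in UNSAFE_RESULT_TYPES:
                    findings.append("action %r: result type %s with no fixed namespace"
                                    % (action.get("name"), rtype))
    return findings

# Constructed sample: the weak configuration the advisory describes ...
VULNERABLE_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result name="success" type="redirectAction">home</result>
    </action>
  </package>
</struts>"""

# ... and the same action pinned to a fixed namespace (defence in depth only;
# the fix is still the upgrade to 2.3.35 / 2.5.17).
HARDENED_XML = VULNERABLE_XML.replace('value="true"', 'value="false"').replace(
    '<package name="default"', '<package name="default" namespace="/main"')

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_XML), ("hardened", HARDENED_XML)):
        print(label, audit_struts_xml(cfg) or ["no findings"])
```

The audit covers only the struts.xml vector; actions declared through Convention-plugin annotations and the `<s:url>` template vector need a separate check.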
That said, they also cautioned that other attack vectors may emerge that apply to different configurations.
“Whether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application,” the firm said. “Note that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.”
This is a critical point, according to Mackey. “Validating the input to a function requires a clear definition of what is acceptable,” he said. “It equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it’s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as it’s unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.”
Pavel Avgustinov, vice president of QL Engineering at Semmle, laid out what’s at stake in a media statement: “Critical remote code-execution vulnerabilities like the one that affected Equifax and the one we announced [this week] are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” he said. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”