The latest version of Apache Struts 2 addresses several vulnerabilities, including a critical remote code execution flaw for which an exploit was created within hours after the release of a patch.
Apache Struts is a free and open-source framework designed for creating modern Java web applications. The framework is reportedly used by at least 65 percent of Fortune 100 companies, and they could all be exposed to attacks due to a recently discovered security hole.
Researchers at lgtm, a company that provides code analysis solutions, discovered that all versions of Apache Struts released since 2008 are affected by a severe vulnerability related to the REST communication plugin.
The Apache Struts group has described the flaw, tracked as CVE-2017-9805, as a potential remote code execution issue when the REST plugin is used with the XStream handler for XML payloads.
The security hole exists due to the way Struts deserializes untrusted data. Serialization is the process where an object is converted to a stream of bytes in order to store or transmit that object to memory or a file. The process in which serialized data is extracted is called deserialization.
Deserialization can introduce serious security problems if not handled properly, as demonstrated by the significant number of vulnerabilities discovered in the past years, including in Android, Java application servers, the Java implementation of Adobe’s Action Message Format (AMF3), and PayPal.
The CVE-2017-9805 vulnerability was reported to the Apache Struts team on July 17 and it was patched on Tuesday with the release of Struts 2.5.13. Users have been advised to update their installations as soon as possible.
While lgtm has not published its exploit in order to give organizations time to update their Apache Struts 2 components, an exploit and a module for the Metasploit pentesting tool have already been made available. Given the popularity of Apache Struts, attacks in the wild leveraging the vulnerability will likely be seen in the next days.
“The Struts framework is used by an incredibly large number and variety of organizations. This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications,” explained Man Yue Mo, one of the lgtm researchers who discovered the flaw. “Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organizations who use Struts should upgrade their components immediately.”
This is the second critical vulnerability found in Apache Struts 2 this year. The first flaw, CVE-2017-5638, has been exploited in the wild since March.