SecurityWeek

Exploit for Recent Critical Apache Struts Vulnerability Published

Exploit code for a critical remote code execution vulnerability in Apache Struts 2 was published on GitHub within days of the bug being patched last week.

Tracked as CVE-2018-11776, the security flaw impacts Struts 2.3 through 2.3.34 and Struts 2.5 through 2.5.16, and possibly unsupported older versions of the popular Java framework. The fixed releases are Struts 2.3.35 and 2.5.17.

In its advisory, code analysis company Semmle, which discovered the flaw and reported it to the Apache Software Foundation in April, explains that the bug affects commonly used Struts endpoints, which are likely to be exposed to the internet.

To make matters worse, the issue is an injection into OGNL (Object-Graph Navigation Language), the expression language Struts evaluates internally, which attackers already know well from earlier Struts remote code execution bugs.

To exploit the bug, an attacker supplies their own namespace in the URL of an HTTP request. The value of that namespace, the code analysis company reveals, is insufficiently validated by the Struts framework and can be any OGNL string, which Struts then evaluates. The Apache advisory notes that this only happens when the struts.mapper.alwaysSelectFullNamespace setting is true (set either explicitly or by a plugin such as the Convention plugin) and an action result or url tag is configured without a namespace while its package has no namespace or a wildcard namespace.
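A detection check a practitioner would want at this point: the following Python script, an added example that is not code from the article, Semmle, Recorded Future or the Struts project, scans web server access log lines for request paths that contain an OGNL opening token (`${` or `%{`), URL-decoding repeatedly so that double-encoded payloads are normalised before matching. The log lines, client addresses and action names in it are constructed for illustration.

```python
"""Flag HTTP requests whose URL path carries an OGNL expression, the shape of
a CVE-2018-11776 (Struts 2 namespace injection) probe.

Added example for this article; it is not code from Semmle, Recorded Future
or the Apache Struts project.  The access-log lines in SAMPLE_LOG are
constructed for illustration.
"""
import re
from urllib.parse import unquote

# Apache/nginx combined log format:
# client ident user [time] "METHOD PATH PROTOCOL" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# OGNL expressions open with ${ or %{ ; URL-encoded they appear as
# %24%7B / %25%7B, and double-encoded as %2524%257B and so on.
OGNL_OPEN_RE = re.compile(r'[$%]\{')


def decode_path(raw: str) -> str:
    """URL-decode until the string stops changing (bounded), so that
    double- or triple-encoded payloads are normalised before matching."""
    cur = raw
    for _ in range(4):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def ognl_in_path(target: str) -> bool:
    """True if the request path (query string excluded) contains an OGNL
    opening token.  The namespace that Struts evaluates comes from the
    path, so the query string is deliberately ignored here."""
    path = target.split('?', 1)[0]
    return OGNL_OPEN_RE.search(decode_path(path)) is not None


def scan_log(lines):
    """Return one record per request whose path looks like a namespace
    injection attempt; lines that do not parse as combined format are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        if ognl_in_path(m['target']):
            hits.append({
                'client': m['client'],
                'time': m['time'],
                'path': decode_path(m['target'].split('?', 1)[0]),
                'status': int(m['status']),
            })
    return hits


# Constructed sample log (not real traffic).  Line 2 mimics the harmless
# arithmetic probe used to test whether OGNL is evaluated; line 3 carries
# the same expression double-encoded; line 4 has it only in the query
# string and must not be flagged.
SAMPLE_LOG = [
    '198.51.100.20 - - [24/Aug/2018:10:14:58 +0000] "GET /actionChain1.action HTTP/1.1" 200 1873',
    '203.0.113.7 - - [24/Aug/2018:10:15:02 +0000] "GET /%24%7B233*233%7D/actionChain1.action HTTP/1.1" 302 0',
    '203.0.113.7 - - [24/Aug/2018:10:15:05 +0000] "GET /%2524%257B233*233%257D/actionChain1.action HTTP/1.1" 302 0',
    '198.51.100.21 - - [24/Aug/2018:10:15:09 +0000] "GET /index.action?q=%24%7Bx%7D HTTP/1.1" 200 512',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it against real logs by replacing SAMPLE_LOG with the file's lines; a 302 on a path that decodes to an OGNL expression is the pattern to look for, since a successful namespace injection into a redirect result answers with a redirect. Restricting the match to the path rather than the whole request keeps false positives from templated query parameters down.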

Although only limited details on the vulnerability were made public, a working proof-of-concept (PoC) was published less than two days after the Apache Software Foundation released their advisory.

On Friday, threat intelligence provider Recorded Future revealed that, in addition to the PoC and a Python script that allows for easy exploitation of the vulnerability, they also detected “chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.”

CVE-2018-11776, Recorded Future says, is even easier to exploit than last year's CVE-2017-5638, the Apache Struts vulnerability exploited in the Equifax breach. The company estimates there are hundreds of millions of potentially vulnerable systems, but notes that identifying them could be challenging, as many are backend application servers.
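Because identification is the hard part, the following Python helper, an added example that is not code from the article, Recorded Future or the Struts project, does the two checks an inventory pass would run: classify struts2-core jars by version against the first patched releases named in the Apache advisory (2.3.35 and 2.5.17), and parse a struts.xml for the precondition the advisory describes, alwaysSelectFullNamespace set to true together with packages that have no namespace, an empty namespace or a wildcard namespace. The sample struts.xml, its package names and its action classes are constructed.

```python
"""Triage helpers for CVE-2018-11776: classify a struts2-core jar by version
and check a struts.xml for the configuration the bug needs.

Added example for this article, not code from Semmle, Recorded Future or
the Apache Struts project.  Fixed versions (2.3.35 and 2.5.17) and the
preconditions (alwaysSelectFullNamespace=true plus a package without a
namespace or with a wildcard namespace) come from the Apache advisory;
SAMPLE_STRUTS_XML is constructed.
"""
import re
import xml.etree.ElementTree as ET

JAR_RE = re.compile(r'struts2-core-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$')

# First patched release per branch that was supported at disclosure time.
FIRST_FIXED = {(2, 3): 35, (2, 5): 17}


def classify_version(jar_name: str) -> str:
    """'vulnerable', 'fixed', 'unsupported' (end-of-life branch, treat as
    affected) or 'unknown' (not a struts2-core jar)."""
    m = JAR_RE.search(jar_name)
    if m is None:
        return 'unknown'
    major, minor, patch = (int(g) for g in m.groups())
    if (major, minor) > (2, 5):
        return 'fixed'          # newer branches postdate the fix
    first_fixed = FIRST_FIXED.get((major, minor))
    if first_fixed is None:
        return 'unsupported'    # 2.0/2.1/2.2: advisory says possibly affected
    return 'vulnerable' if patch < first_fixed else 'fixed'


def full_namespace_enabled(root) -> bool:
    """True when struts.mapper.alwaysSelectFullNamespace is set to true in
    this file.  The Convention plugin turns it on without a <constant>
    entry, so False here is not proof that it is off."""
    for c in root.iter('constant'):
        if (c.get('name') == 'struts.mapper.alwaysSelectFullNamespace'
                and c.get('value', '').strip().lower() == 'true'):
            return True
    return False


def risky_packages(struts_xml: str):
    """Names of packages with no namespace, an empty namespace or a
    wildcard namespace while alwaysSelectFullNamespace is on.  Actions in
    such packages whose results or url tags omit a namespace match the
    advisory's vulnerable pattern; this is a coarse, package-level check."""
    root = ET.fromstring(struts_xml)
    if not full_namespace_enabled(root):
        return []
    risky = []
    for pkg in root.iter('package'):
        ns = pkg.get('namespace')
        if ns is None or ns.strip() == '' or '*' in ns:
            risky.append(pkg.get('name'))
    return risky


# Constructed struts.xml: package "default" has no namespace and chains to
# another action without one while the flag is on; package "admin" is fine.
SAMPLE_STRUTS_XML = """<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="actionChain1" class="com.example.ActionChain1">
      <result type="chain">actionChain2</result>
    </action>
    <action name="actionChain2" class="com.example.ActionChain2">
      <result>/WEB-INF/chain.jsp</result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="index" class="com.example.AdminIndex">
      <result>/WEB-INF/admin.jsp</result>
    </action>
  </package>
</struts>
"""

if __name__ == '__main__':
    for jar in ('struts2-core-2.5.16.jar', 'struts2-core-2.3.35.jar'):
        print(jar, classify_version(jar))
    print('risky packages:', risky_packages(SAMPLE_STRUTS_XML))
```

Point classify_version at the jar names under each application's WEB-INF/lib (a vulnerable jar is the decisive signal, regardless of configuration), and use risky_packages only to prioritise: a fixed jar needs no config review, while a vulnerable jar with no risky package may still be exploitable if a plugin turns the flag on.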

“The new Apache Struts vulnerability is potentially even more damaging than the one from 2017 that was used to exploit Equifax. Unlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it, a simple well-crafted URL is enough to give an attacker access to a victim’s Apache Struts installation and there is already exploit code on GitHub and underground forums are talking about how to exploit it,” Allan Liska, Senior Security Architect, Recorded Future, said in an emailed comment to SecurityWeek.

Semmle, on the other hand, has not confirmed whether the published PoC works. The company does warn, however, that the published code could give attackers a quick way into enterprise networks.

“There is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can’t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure,” Semmle CEO, Oege de Moor, told SecurityWeek via email.

“The Equifax breach happened not because the vulnerability wasn’t fixed, but because Equifax hadn’t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn’t had the time to update their software, will now be at even greater risk,” de Moor said.

Related: Critical Apache Struts 2 Flaw Allows Remote Code Execution

Related: One Year Later, Hackers Still Target Apache Struts Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
