Exploit for Recent Critical Apache Struts Vulnerability Published

Exploit code for a critical remote code execution vulnerability in Apache Struts 2 was published on GitHub within days of the bug being addressed last week.

Tracked as CVE-2018-11776, the security flaw was found to impact Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the popular Java framework.
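The affected ranges quoted above are the kind of thing a defender wants encoded in an inventory check rather than read off a page. The following Python helper is an added example (not code from SecurityWeek, Semmle or the Struts project) that classifies a Struts version string against the ranges the advisory names; it treats anything older than 2.3 as "unsupported, possibly affected" because the article says unsupported versions may also be impacted, and it makes no claim about which later versions are fixed, since the page does not state that. The host names and versions in the sample inventory are constructed.

```python
import re

# Affected ranges exactly as stated in the advisory coverage above:
# Struts 2.3 through 2.3.34 and Struts 2.5 through 2.5.16 (inclusive).
AFFECTED_RANGES = (
    ((2, 3, 0), (2, 3, 34)),
    ((2, 5, 0), (2, 5, 16)),
)


def parse_version(version):
    """Turn 'major.minor[.patch][suffix]' into a comparable (major, minor, patch) tuple.

    A missing patch component (e.g. '2.3') is treated as .0 so that the bottom
    of each affected range is handled consistently. Trailing suffixes such as
    '.1' or '-SNAPSHOT' are ignored for the purpose of the range check.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[.-].*)?", version.strip())
    if not m:
        raise ValueError("unrecognised Struts version string: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify_struts_version(version):
    """Return one of:
    'affected'                       - inside a range named in the advisory
    'unsupported-possibly-affected'  - older than 2.3, which the advisory flags as possibly affected
    'not-in-advisory-range'          - outside the stated ranges (verify against the vendor advisory)
    """
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected"
    if v < AFFECTED_RANGES[0][0]:
        return "unsupported-possibly-affected"
    return "not-in-advisory-range"


def triage_inventory(inventory):
    """Map {host: struts_version} to {host: classification} for patch prioritisation."""
    return {host: classify_struts_version(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames are placeholders, not real systems.
    sample = {
        "app-01.example.test": "2.5.16",
        "app-02.example.test": "2.3.34.1",
        "app-03.example.test": "2.5.17",
        "legacy-01.example.test": "2.1.8",
    }
    for host, status in sorted(triage_inventory(sample).items()):
        print("%-24s %s" % (host, status))
```

Run it against the real inventory export instead of the constructed dictionary; hosts reported as "affected" or "unsupported-possibly-affected" go to the top of the patch queue, and "not-in-advisory-range" still deserves a look at the vendor advisory because this check only knows the ranges the article quotes.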

In its advisory, code analysis company Semmle, which discovered the flaw and reported it to the Apache Software Foundation in April, explains that the bug affects commonly used Struts endpoints, which are likely to be exposed.

To make matters worse, the issue involves OGNL (Object-Graph Navigation Language), the expression language used by Struts, with which attackers are often familiar.

To exploit the bug, attackers need to inject their own namespace as a parameter in an HTTP request. The value of that parameter, the code analysis company reveals, is insufficiently validated by the Struts framework, and can be any OGNL string.
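Because the vector described above is an attacker-supplied namespace carried in the HTTP request and evaluated as an OGNL expression, the request path or query will contain OGNL expression delimiters (`${` or `%{`), possibly percent-encoded one or more times. The following Python script is an added example, not code from the article or from Semmle, that scans web server access logs for exactly that pattern so a defender can spot probing against Struts endpoints. The log lines are constructed samples in Apache "combined" format, and the expression bodies in them are deliberately replaced with a placeholder token.

```python
import re
import urllib.parse

# Constructed sample access-log lines (Apache "combined" format). The OGNL
# expression bodies are replaced with EXPRESSION_PLACEHOLDER on purpose.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2018:10:01:12 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Aug/2018:10:01:15 +0000] "GET /struts2-showcase/${EXPRESSION_PLACEHOLDER}/help.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
10.0.0.9 - - [24/Aug/2018:10:01:16 +0000] "GET /struts2-showcase/%24%7BEXPRESSION_PLACEHOLDER%7D/help.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
10.0.0.7 - - [24/Aug/2018:10:02:01 +0000] "POST /app/login.action HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Aug/2018:10:02:40 +0000] "GET /app/%2524%257BEXPRESSION_PLACEHOLDER%257D/index.action HTTP/1.1" 200 0 "-" "python-requests/2.19"
"""

# Client address at the start of the line and the quoted request line.
LINE_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# OGNL expression delimiters that should never appear in a legitimate Struts
# namespace or action name.
OGNL_MARKER_RE = re.compile(r"\$\{|%\{")


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded markers are not missed."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text):
    """Return one finding per request whose decoded target contains an OGNL delimiter.

    Each finding records the line number, client address, HTTP method and the
    decoded request target so an analyst can pivot on the source quickly.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable request line; skip rather than guess
        decoded_target = fully_unquote(m.group("target"))
        if OGNL_MARKER_RE.search(decoded_target):
            findings.append({
                "line": lineno,
                "client": m.group("client"),
                "method": m.group("method"),
                "target": decoded_target,
            })
    return findings


def summarise_by_client(findings):
    """Count suspicious requests per source address for quick triage."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print("line %d  %s  %s %s" % (h["line"], h["client"], h["method"], h["target"]))
    print("per-client:", summarise_by_client(hits))
```

The repeated decoding step is the part worth keeping: a single `unquote` would miss the double-encoded request on the last sample line, which is exactly the kind of evasion a plain substring rule on the raw log would also miss. Feed the real access log in via `scan_access_log(open(path).read())` and alert on any hit against a Struts application.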

Although only limited details on the vulnerability were made public, a working proof-of-concept (PoC) was published less than two days after the Apache Software Foundation released their advisory.

On Friday, threat intelligence provider Recorded Future revealed that, in addition to the PoC and a Python script that allows for easy exploitation of the vulnerability, they also detected “chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.”

CVE-2018-11776, Recorded Future says, is even easier to exploit than last year’s CVE-2017-5638, the Apache Struts flaw that was at the heart of the Equifax breach. There are hundreds of millions of potentially vulnerable systems, but identifying them could be challenging, as many are backend application servers.


“The new Apache Struts vulnerability is potentially even more damaging than the one from 2017 that was used to exploit Equifax. Unlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it; a simple, well-crafted URL is enough to give an attacker access to a victim’s Apache Struts installation, and there is already exploit code on GitHub, and underground forums are talking about how to exploit it,” Allan Liska, Senior Security Architect, Recorded Future, said in an emailed comment to SecurityWeek.

Semmle, on the other hand, won’t confirm whether the PoC is working. However, the company does warn that the published code could provide attackers with a quick way into enterprise networks.

“There is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can’t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure,” Semmle CEO, Oege de Moor, told SecurityWeek via email.

“The Equifax breach happened not because the vulnerability wasn’t fixed, but because Equifax hadn’t yet updated Struts to the latest version. If this is a true working PoC, then any company that hasn’t had the time to update their software will now be at even greater risk,” de Moor said.

Related: Critical Apache Struts 2 Flaw Allows Remote Code Execution

Related: One Year Later, Hackers Still Target Apache Struts Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
