What Is the Security Vulnerability?
This vulnerability was originally discovered by Man Yue Mo of the Semmle security research team and privately disclosed to the Apache Struts team in April 2018. This vulnerability was discovered in Apache Struts versions below 2.3.34 and 2.5.16 that have the following configuration options set per the Apache Struts 2 Security Bulletin:
“It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: namespace value isn’t set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn’t have value and action set and in same time, its upper package configuration have no or wildcard namespace.”
This vulnerability was issued number CVE-2018-11776 in the Common Vulnerabilities and Exposures (CVE) database. It was not long after the public disclosure of the vulnerability in August 2018 that various proof-of-concept exploit codes were released, which can heighten the risk of an attacker using this vulnerability to compromise a system.
Apache Struts 2 History
This is not the first vulnerability from Struts — the framework has had similar bugs in the past. CVE-2017-5638, another critical remote code execution vulnerability, was reported to have been used in the Equifax breach in 2017. Any application with this kind of history of issues warrants keeping a close eye on for future problems.
How to Fix It?
In order to fix this issue, you must upgrade any instances of Apache Struts 2 to at least v.2.3.35 or v.2.5.17. Many vendors who utilize Struts in their products have also released security notices and upgrades. Some of the vendors whom have released notices include Cisco, NetApp, Aruba, Oracle and Red Hat. Overall, keeping up with patching of the software and firmware in your environment is the first step to protecting yourself from being compromised.