What is the Issue?
Apache Struts 2 web framework versions 2.3 through 2.3.34 and 2.5 through 2.5.16 contain a critical remote code execution (RCE) vulnerability, tracked as CVE-2018-11776 (Apache security bulletin S2-057), that an attacker can use to take full control of the application server. Apache Struts 2 is a widely used open-source framework for Java web applications, and outdated, vulnerable versions remain in wide use. Any organization running an affected version with the configuration described below can be compromised quickly using this flaw.
Why is this noteworthy?
The last time a critical Struts vulnerability was disclosed, it was being exploited in the wild within a day. This flaw sits in the core of Struts, so no additional module or plugin is needed for it to be present. It is caused by insufficient validation of untrusted user input: when an action or result is configured without a namespace, Struts takes the namespace from the request URL, and that attacker-controlled value can end up being evaluated as an OGNL expression, which gives remote code execution on the server. An application is exposed when both of two configuration conditions hold: the struts.mapper.alwaysSelectFullNamespace constant is set to true (explicitly, or by a plugin such as the Convention plugin, which enables it), and the application defines actions or results in packages with no namespace or with a wildcard namespace.
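As an added example (not code from the original advisory or from the Struts project), the following Python script checks a deployment against the two preconditions above: it classifies a struts2-core version string as affected or fixed, and parses a struts.xml to see whether alwaysSelectFullNamespace is true and whether any action sits in a package with no namespace or a wildcard namespace. The two struts.xml documents inside it are constructed for the example. Note the limits of the check, which are the practitioner's caveat: the flag can also be enabled outside struts.xml (in struts.properties, or in a plugin's struts-plugin.xml as the Convention plugin does), and url tags in JSPs are not inspected, so a clean result here is not proof of safety; only upgrading is.

```python
# Added example, not part of the original advisory or of Apache Struts:
# a heuristic pre-flight check for the two S2-057 / CVE-2018-11776 preconditions.
import re
import xml.etree.ElementTree as ET

# First releases that contain the fix, per the advisory: 2.3.35 and 2.5.17.
FIRST_FIXED = {3: 35, 5: 17}

FLAG = "struts.mapper.alwaysSelectFullNamespace"


def parse_version(text):
    """Turn '2.5.16' (optionally '2.5' or '2.5.16-SNAPSHOT') into (2, 5, 16)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[.-].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected_version(text):
    """True for every 2.3.x below 2.3.35 and every 2.5.x below 2.5.17."""
    major, minor, patch = parse_version(text)
    if major != 2 or minor not in FIRST_FIXED:
        return False
    return patch < FIRST_FIXED[minor]


def check_struts_config(xml_text):
    """Evaluate the two configuration conditions on one struts.xml document.

    Condition 1: the alwaysSelectFullNamespace constant is set to true here
    (it may also be set elsewhere; that is not visible to this check).
    Condition 2: at least one <action> lives in a <package> whose namespace
    is missing, empty, or contains a wildcard ('*').
    """
    root = ET.fromstring(xml_text)
    full_namespace = any(
        c.get("name") == FLAG and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    unscoped = []
    for pkg in root.iter("package"):
        ns = (pkg.get("namespace") or "").strip()
        if ns == "" or "*" in ns:
            for action in pkg.iter("action"):
                unscoped.append(f"{pkg.get('name')}/{action.get('name')}")
    return {
        "always_select_full_namespace": full_namespace,
        # Both conditions must hold for the configuration to be exposed.
        "unscoped_actions": unscoped,
        "exposed": full_namespace and bool(unscoped),
    }


# Constructed sample configuration: flag enabled, 'index' action in a package
# without a namespace. Both conditions hold.
VULNERABLE_CONFIG = """\
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result>/admin/login.jsp</result>
    </action>
  </package>
</struts>
"""

# Constructed hardened counterpart: flag off and every package has a fixed namespace.
HARDENED_CONFIG = """\
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result>/admin/login.jsp</result>
    </action>
  </package>
</struts>
"""

if __name__ == "__main__":
    for version in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(version, "affected" if is_affected_version(version) else "fixed")
    print("vulnerable sample:", check_struts_config(VULNERABLE_CONFIG))
    print("hardened sample:  ", check_struts_config(HARDENED_CONFIG))
```

Run it against the struts.xml of each deployed application and the version from the struts2-core jar name; treat any affected version as needing the upgrade regardless of what the configuration check says, since the configuration can change (or be overridden by a plugin) without anyone touching struts.xml.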
What is the exposure or risk?
Because the flaw gives an attacker code execution with the privileges of the application server process, the immediate risk is full compromise of the host: web shells, credential theft, lateral movement and, most visibly, large-scale exposure and exfiltration of data. The Equifax breach, which began in May 2017 and exploited an earlier Struts vulnerability of the same class (CVE-2017-5638), exposed information on 146.6 million U.S. individuals, about 15 million U.K. records and 8,000 Canadian consumers.
What are the recommendations?
Urgent updates are necessary. SKOUT recommends that users of Struts 2.3 upgrade to version 2.3.35 and users of Struts 2.5 upgrade to version 2.5.17 as quickly as possible. Check the version actually deployed (the struts2-core jar on the server) rather than relying on documentation. Where an upgrade cannot be applied immediately, the Apache advisory's workaround is to always specify a namespace for every defined result in the Struts configuration and to always set both value and action on every url tag in JSPs; this reduces exposure but is not a substitute for the patched release.
References:
- https://www.bankinfosecurity.com/apache-struts-issues-emergency-patch-to-fix-critical-flaw-a-11412
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
If you have any questions, please contact our Security Intelligence Center.