New critical Apache Struts hole allows remote code execution

Patch to avoid Equifax-style pwnage.

Security researchers have discovered a serious vulnerability in the open source Apache Struts web application framework that attackers can exploit to run arbitrary code on target systems.

Struts 2.3 series releases up to version 2.3.34 and 2.5 series releases up to version 2.5.16 are affected by the vulnerability, the Apache Foundation said in its advisory on the CVE-2018-11776 flaw.

Researcher Man Yue Mo of security vendor Semmle is credited with finding the vulnerability, which allows remote code execution when a Struts result is configured with no namespace or a wildcard namespace in the application's configuration files.

Similarly, attackers can achieve remote code execution through url tags in page templates that are configured without the value and action parameters set.

"Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request.

"The value of that parameter is insufficiently validated by the Struts framework, and can be any Object-Graph Navigation Language string," Mo said.

In most situations, attackers do not need any existing privileges on a vulnerable Struts application to exploit the flaw.

Mo noted in the report on the flaw that it's easy for attackers to scan for vulnerable systems on the internet. He expects dedicated tools that scan for vulnerable Struts applications and automatically attack them to be available soon.

The Apache Foundation has confirmed the vulnerability and issued updated versions of Struts. Administrators are advised to upgrade to version 2.3.35 or 2.5.17, which contain the security fixes.
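The two configuration conditions the article describes (a namespace-resolving result sitting in a package with no or a wildcard namespace, and a url tag with neither value nor action set) and the affected version ranges it quotes can be checked mechanically before a patch window. The Python script below is an added example written for this page; it is not code from the article, from Semmle or from the Apache Struts project. The struts.xml and JSP fragments are constructed samples, the set of result types treated as namespace-resolving (redirectAction, chain, postback) is an assumption about which results the article means, and the version thresholds are exactly the ones the article gives.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample struts.xml for the audit below; not from the article or any real project.
SAMPLE_STRUTS_XML = """<struts>
  <!-- Wildcard package namespace plus a redirectAction result with no namespace param: flagged. -->
  <package name="legacy" extends="struts-default" namespace="/*">
    <action name="chainTarget" class="example.ChainTarget">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <!-- Explicit package namespace and the result's namespace pinned: not flagged. -->
  <package name="secure" extends="struts-default" namespace="/secure">
    <action name="login" class="example.Login">
      <result type="redirectAction">
        <param name="actionName">dashboard</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
  <!-- No package namespace, but only a dispatcher result, which forwards to a view: not flagged. -->
  <package name="static" extends="struts-default">
    <action name="about" class="example.About">
      <result>/WEB-INF/jsp/about.jsp</result>
    </action>
  </package>
</struts>
"""

# Constructed JSP fragment; only the first tag sets neither value nor action.
SAMPLE_JSP = """
<s:url var="home" />
<s:url action="login" namespace="/secure" var="loginUrl"/>
<s:url value="/static/app.css" var="css"/>
"""

# Result types that resolve a target action by namespace. Assumption: these are the
# "Struts results" the article refers to; a plain dispatcher result does not resolve one.
NAMESPACE_RESOLVING_RESULTS = {"redirectAction", "chain", "postback"}


def audit_struts_config(xml_text):
    """Return (package, action, result type) triples for namespace-resolving results
    that rely on a missing or wildcard package namespace instead of declaring one."""
    findings = []
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        weak_ns = ns is None or ns.strip() == "" or "*" in ns
        if not weak_ns:
            continue
        for action in pkg.iter("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")
                if rtype not in NAMESPACE_RESOLVING_RESULTS:
                    continue
                pinned = any(p.get("name") == "namespace" and (p.text or "").strip()
                             for p in result.findall("param"))
                if not pinned:
                    findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings


URL_TAG = re.compile(r"<s:url\b([^>]*)>", re.IGNORECASE)


def find_unpinned_url_tags(jsp_text):
    """Return each <s:url> tag whose attributes include neither value= nor action=."""
    flagged = []
    for m in URL_TAG.finditer(jsp_text):
        if not re.search(r"\b(value|action)\s*=", m.group(1)):
            flagged.append(m.group(0))
    return flagged


def is_affected_version(version):
    """True for the 2.3 series up to 2.3.34 and the 2.5 series up to 2.5.16 (the
    ranges the article quotes from the Apache advisory); False for the fixed
    releases 2.3.35 / 2.5.17 and later; None for a series the article does not cover."""
    parts = tuple(int(p) for p in version.split("."))
    if parts[:2] == (2, 3):
        return parts <= (2, 3, 34)
    if parts[:2] == (2, 5):
        return parts <= (2, 5, 16)
    return None


if __name__ == "__main__":
    for finding in audit_struts_config(SAMPLE_STRUTS_XML):
        print("result inherits weak namespace:", finding)
    for tag in find_unpinned_url_tags(SAMPLE_JSP):
        print("url tag without value/action:", tag)
    for v in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(v, "affected" if is_affected_version(v) else "fixed")
```

Run against a real deployment, the audit is a triage aid, not a proof of safety: it reads only what is declared in struts.xml and the templates, and the fix the article points to is the upgrade to 2.3.35 or 2.5.17, not a configuration change. Pinning explicit namespaces, as the "secure" package does, is the configuration-side hardening the finding suggests while the upgrade is scheduled.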

Apache Struts is a Java-based framework for building web applications that is popular with enterprise users.

A vulnerability in Struts was behind the large-scale hack on United States credit rating agency Equifax last year, in which details of 147 million consumers were leaked.

The Equifax data breach is thought to be one of the most costly ones so far, leading to losses over US$600 million (A$828 million).

Copyright © iTnews.com.au. All rights reserved.