A vulnerability has been discovered in Apache Struts that could allow for remote code execution. Apache Struts is an open-source MVC framework for creating Java web applications. Successful exploitation of this vulnerability could allow remote code execution in the context of the affected application.
The Masergy Threat Intelligence Team is aware of working proof of concepts being publicly available as well as attackers probing for this vulnerability.
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from potential Remote Code Execution when using results with no namespace, or when using a url tag that does not have both a value and an action set. Both of these conditions are only present when the “alwaysSelectFullNamespace” flag is set to true in the Apache Struts configuration and the application’s configuration file contains an action tag that does not specify the namespace attribute or specifies a wildcard namespace.
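As an added illustration (not code from the advisory or from the Struts project), the following Python check parses a struts.xml and reports packages that meet the two preconditions described above: the full-namespace flag is on and a namespace is missing or a wildcard. It assumes the flag is the Struts constant struts.mapper.alwaysSelectFullNamespace and that namespaces are declared on package elements; both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (not taken from the advisory): the risky flag is on,
# one package declares no namespace and another uses a wildcard namespace.
RISKY_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">home</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="show" class="com.example.ShowAction">
      <result>/WEB-INF/show.jsp</result>
    </action>
  </package>
</struts>
"""

# Hardened variant of the same file: flag off and every package given an explicit namespace.
HARDENED_STRUTS_XML = (RISKY_STRUTS_XML
    .replace('value="true"', 'value="false"')
    .replace('<package name="default"', '<package name="default" namespace="/"')
    .replace('namespace="/*"', 'namespace="/wild"'))

def always_select_full_namespace(root):
    """True when struts.mapper.alwaysSelectFullNamespace is explicitly set to true."""
    for c in root.iter("constant"):
        if c.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return c.get("value", "").strip().lower() == "true"
    return False  # the flag defaults to false when not declared

def risky_packages(root):
    """Packages whose namespace attribute is absent or contains a wildcard."""
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None:
            findings.append((pkg.get("name"), "no namespace attribute"))
        elif "*" in ns:
            findings.append((pkg.get("name"), f"wildcard namespace {ns!r}"))
    return findings

def audit_struts_xml(xml_text):
    """Return (package, reason) findings only when both preconditions hold."""
    root = ET.fromstring(xml_text)
    if not always_select_full_namespace(root):
        return []
    return risky_packages(root)

if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        print(label, audit_struts_xml(cfg))
```

Findings on the risky sample name both packages; the hardened sample produces none. Note that this is a configuration screen only, not a substitute for upgrading to the fixed release.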
We recommend the following actions be taken:
- Upgrade to the latest version of Apache Struts immediately, after appropriate testing.
- Verify that no unauthorized activity has occurred on the system before applying the patch.
Apache has released Struts 2.3.35 and 2.5.17 to address this issue:
- CVE-2018-11776 – Tracked as S2-057 by Apache, rated Critical
- Systems using Apache Struts versions 2.3 to 2.3.34
- Systems using Apache Struts versions 2.5 to 2.5.16
- Unsupported Struts versions may also be affected.