Apache Struts RCE

Overview

A vulnerability has been discovered in Apache Struts that could allow for remote code execution. Apache Struts is an open-source MVC framework for creating Java web applications. Successful exploitation could allow an attacker to execute arbitrary code in the context of the affected application, i.e. with the privileges of the account running the application server.

Threat Intelligence

The Masergy Threat Intelligence Team is aware of working proofs of concept being publicly available, as well as attackers actively probing for this vulnerability.

Technical Summary

Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16 are vulnerable to remote code execution when an application uses results with no namespace, or uses a url tag that does not have both a value and an action set. Either condition is only exploitable when the alwaysSelectFullNamespace flag is set to true in the Struts configuration (set explicitly, or by a plugin such as the Convention plugin) and the application's Struts configuration contains an action whose package does not specify a namespace or specifies a wildcard namespace. Under those conditions the namespace is taken from the attacker-controlled request URL and evaluated as an OGNL expression, which is what yields code execution.
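The following is an added example, not code from Apache or from this advisory, that audits a struts.xml for the preconditions described above. In struts.xml the namespace attribute is declared on the enclosing package element, so the check inspects packages; it also lists redirectAction and chain results that carry no explicit namespace param, which is the "results with no namespace" case. The two sample configuration files are constructed for this example; the url-tag case lives in JSP files and is not covered, and neither are struts.properties or plugins that turn the flag on.

```python
"""Audit a struts.xml for the S2-057 (CVE-2018-11776) preconditions.

Added example, not code from Apache Struts or from the advisory. It reports
whether struts.mapper.alwaysSelectFullNamespace is true, which packages
have a missing or wildcard namespace, and which redirectAction/chain
results carry no explicit namespace param.
"""
import xml.etree.ElementTree as ET

# Struts 2 constant that backs the alwaysSelectFullNamespace mapper flag.
FULL_NAMESPACE_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample struts.xml files (not from any real application; the
# DOCTYPE a real file carries is omitted). The first meets the preconditions,
# the second does not.
VULNERABLE_STRUTS_XML = """\
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default" namespace="/*">
    <action name="help" class="com.example.HelpAction">
      <result name="success" type="redirectAction">
        <param name="actionName">index</param>
      </result>
    </action>
  </package>
  <package name="secure" extends="struts-default" namespace="/secure">
    <action name="login" class="com.example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">index</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
</struts>
"""

HARDENED_STRUTS_XML = """\
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" extends="struts-default" namespace="/help">
    <action name="help" class="com.example.HelpAction">
      <result name="success" type="redirectAction">
        <param name="actionName">index</param>
        <param name="namespace">/help</param>
      </result>
    </action>
  </package>
</struts>
"""


def _is_weak_namespace(ns):
    """A missing, empty, or wildcard namespace is what the advisory flags."""
    return ns is None or ns.strip() == "" or "*" in ns


def audit_struts_xml(xml_text):
    """Return a dict describing which S2-057 preconditions the config meets."""
    root = ET.fromstring(xml_text)

    full_namespace = any(
        c.get("name") == FULL_NAMESPACE_CONSTANT
        and c.get("value", "").strip().lower() == "true"
        for c in root.iter("constant")
    )

    weak_packages = []
    results_without_namespace = []
    for pkg in root.iter("package"):
        pkg_name = pkg.get("name", "?")
        if _is_weak_namespace(pkg.get("namespace")):
            weak_packages.append(pkg_name)
        for action in pkg.iter("action"):
            for result in action.findall("result"):
                if result.get("type") not in ("redirectAction", "chain"):
                    continue
                params = {p.get("name") for p in result.findall("param")}
                if "namespace" not in params:
                    results_without_namespace.append(
                        "%s/%s" % (pkg_name, action.get("name", "?")))

    return {
        "always_select_full_namespace": full_namespace,
        "packages_without_fixed_namespace": weak_packages,
        "results_without_namespace": results_without_namespace,
        # Only the struts.xml half of the advisory's conditions; the url-tag
        # case must be reviewed in the JSPs.
        "preconditions_present": full_namespace and bool(weak_packages),
    }


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_STRUTS_XML),
                        ("hardened", HARDENED_STRUTS_XML)):
        print(label, audit_struts_xml(text))
```

A clean result from this check reduces exposure but is not a substitute for upgrading: the flag can be enabled outside struts.xml, and the url-tag path is not inspected here.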

Recommendations

We recommend the following actions be taken:

  • Upgrade to the latest version of Apache Struts immediately, after appropriate testing.
  • Verify that no unauthorized activity has occurred on the system before applying the patch.
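One way to support the second recommendation, as an added example that is not part of the original advisory: because S2-057 evaluates the namespace portion of the request path as OGNL, probes carry an expression such as ${(111*111)} in a path segment, usually URL-encoded. The script below scans combined-format access-log lines for ${...} or %{...} in the decoded path (query string excluded). The log lines are constructed for this example, and the regular expressions are assumptions about a combined log format, not a vendor signature.

```python
"""Scan web-server access logs for S2-057-style OGNL probes in the path.

Added example, not from the advisory. Flags requests whose URL-decoded path
contains an OGNL expression marker (${ or %{), which is where CVE-2018-11776
exploitation attempts place their payload.
"""
import re
from urllib.parse import unquote

# Combined log format (assumption): ip ident user [ts] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# OGNL expression markers, checked after a single round of URL decoding.
OGNL_RE = re.compile(r'[$%]\{')

# Constructed sample lines (not from a real server). Line 1 is benign; lines 2
# and 3 are the same probe, raw and URL-encoded; line 4 has a '$' only in the
# query string and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Aug/2018:10:01:12 +0000] "GET /help/index.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Aug/2018:10:02:45 +0000] "GET /${(111*111)}/help/index.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
10.0.0.9 - - [22/Aug/2018:10:02:47 +0000] "GET /%24%7B%28111%2A111%29%7D/help/index.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
10.0.0.7 - - [22/Aug/2018:10:03:01 +0000] "GET /secure/login.action?user=a%24 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def find_ognl_in_path(log_text):
    """Return one dict per log line whose decoded request path carries an OGNL marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("target").split("?", 1)[0]  # drop the query string
        decoded = unquote(path)
        if OGNL_RE.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "path": path,
                "decoded_path": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ognl_in_path(SAMPLE_LOG):
        print("%(timestamp)s %(ip)s %(status)d %(decoded_path)s" % hit)
```

A hit is an indicator, not proof of compromise: confirm by checking whether the application actually evaluated the expression (for a redirectAction result, the 302 Location header would carry the computed value), and extend the decoding step if your environment sees double-encoded paths.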

Patches

Apache has released Struts 2.3.35 and 2.5.17, which address this vulnerability.

References

Vulnerabilities

  • CVE-2018-11776 – Tracked as S2-057 by Apache, rated Critical

Systems Affected

  • Systems using Apache Struts versions 2.3 to 2.3.34
  • Systems using Apache Struts versions 2.5 to 2.5.16
  • Unsupported Struts versions may also be affected.
