
Vulnerability in Apache Struts Could Allow for Remote Code Execution

Posted on August 22, 2018 at 1:11 PM by Kevin Taylor

DATE(S) ISSUED:

08/22/2018

 

SUBJECT:

A Vulnerability in Apache Struts Could Allow for Remote Code Execution

 

OVERVIEW:

A vulnerability has been discovered in Apache Struts, which could allow for remote code execution. Apache Struts is an open-source, MVC framework for creating Java web applications. Successfully exploiting this vulnerability could allow for remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.

 

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

 

SYSTEMS AFFECTED:

  • Apache Struts versions prior to 2.3.35
  • Apache Struts versions prior to 2.5.17

 

RISK:

Government:

  • Large and medium government entities: High
  • Small government: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

 

TECHNICAL SUMMARY:

Apache Struts is prone to a remote code-execution vulnerability (CVE-2018-11776, Apache advisory S2-057). The issue occurs when an action result (for example a redirectAction or chain result) is defined with no namespace, or a url tag is used without value and action set, inside an action configuration whose package has no namespace or a wildcard namespace. In that situation Struts takes the namespace from the request URL and evaluates it as an OGNL expression, so an unauthenticated attacker can place an OGNL payload in the URL path and have it executed on the server.

 

Successfully exploiting this vulnerability could allow for remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.
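The following is an added example, not code from this advisory or from the Apache Struts project. It audits a struts.xml for the configuration pattern described above: results of type redirectAction or chain that carry no explicit namespace parameter inside a package whose namespace is absent, empty, or a wildcard, plus the struts.mapper.alwaysSelectFullNamespace constant, which is the other precondition for the URL namespace being used. The two configurations embedded in it are constructed for the example, the element layout is the standard struts.xml layout (struts, constant, package, action, result, param), and the JSP url-tag case is not covered here.

```python
"""Audit a struts.xml for the result configuration that CVE-2018-11776 (S2-057) depends on.

Added example, not code from the advisory or from Apache Struts. It flags
"redirectAction" and "chain" results that have no explicit "namespace"
parameter when the enclosing package has no namespace, an empty namespace,
or a wildcard namespace such as "/*": on Struts 2.3.x before 2.3.35 and
2.5.x before 2.5.17 the namespace is then taken from the request URL and
evaluated as OGNL. It also reports whether struts.mapper.alwaysSelectFullNamespace
is enabled, the other precondition. Sample configs below are constructed.
"""
import xml.etree.ElementTree as ET

RISKY_RESULT_TYPES = {"redirectAction", "chain"}


def _package_namespace_is_open(pkg):
    """True when the package namespace is absent, empty, or contains a wildcard."""
    ns = pkg.get("namespace")
    return ns is None or ns == "" or "*" in ns


def _result_has_namespace(result):
    """True when the result carries an explicit <param name="namespace"> child."""
    return any(p.get("name") == "namespace" for p in result.iter("param"))


def find_namespace_less_results(struts_xml):
    """Return (package, action, result) triples for results that inherit the URL namespace."""
    root = ET.fromstring(struts_xml)
    findings = []
    for pkg in root.iter("package"):
        if not _package_namespace_is_open(pkg):
            continue  # fixed namespace: the URL cannot supply it
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") in RISKY_RESULT_TYPES and not _result_has_namespace(result):
                    # A result element without a name attribute is the "success" result.
                    findings.append((pkg.get("name"), action.get("name"), result.get("name", "success")))
    return findings


def always_select_full_namespace(struts_xml):
    """True when struts.mapper.alwaysSelectFullNamespace is set to true in the config."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return const.get("value", "").strip().lower() == "true"
    return False


# Constructed sample: wildcard package namespace and a redirectAction result with no namespace.
VULNERABLE_CONFIG = """\
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default" namespace="/*">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">login</param>
      </result>
    </action>
  </package>
</struts>
"""

# Constructed sample: fixed package namespace and an explicit namespace on the result.
HARDENED_CONFIG = """\
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" extends="struts-default" namespace="/app">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">login</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "alwaysSelectFullNamespace =", always_select_full_namespace(cfg))
        for pkg, action, result in find_namespace_less_results(cfg):
            print(f"  package {pkg!r} action {action!r} result {result!r} has no namespace")
```

Run it against each deployed struts.xml (and any struts-plugin.xml); a hit on a pre-2.3.35 or pre-2.5.17 install means the namespace for that result comes from the request URL, which is exactly what the upgrade removes. The check is a triage aid and does not replace the upgrade.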

 

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Upgrade to Apache Struts 2.3.35 or 2.5.17 (or later) immediately, after appropriate testing.
  • Where the upgrade cannot be applied immediately, specify a namespace for every action result and a value or action for every url tag, since the vulnerability depends on those being absent.
  • Verify no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

 

REFERENCES:

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11776

 

Apache:

https://cwiki.apache.org/confluence/display/WW/S2-057