Fix Apache Struts 2 (CVE-2018-11776)

By : admin In: Uncategorized August 28, 2018
Note: “If you use Apache Struts in your environment, PATCH IT NOW.”  

Apache Struts is in the news again for a critical bug in its code: the Apache Software Foundation has announced a critical remote code execution vulnerability in the widely used open source framework for developing web applications in Java.

The vulnerability, assigned CVE-2018-11776, was first discovered in April of this year and belongs to a group of vulnerabilities of the same kind. It involves injecting a payload as unvalidated input into a Struts application, which is later evaluated and used to cause remote code execution.

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are vulnerable to remote code execution when results are used without a namespace while, at the same time, their upper action(s) have no namespace or a wildcard namespace. The same applies when a URL tag has no value and action set while, at the same time, its upper action(s) have no namespace or a wildcard namespace.

So, a few questions can be raised: how does the vulnerability work? What is a namespace? How is the issue triggered?

A namespace in Struts is a group of actions. Two actions with the same name can exist in two different namespaces and have different behavior. Let's suppose that we have a web app named "avengers", and after deploying avengers.war we have:

http://localhost/avengers/index.action, where / is the namespace and index.action is the action, or:
http://localhost/avengers/ironman/jarvis.action, where /ironman is the namespace and jarvis.action is the action.

The problem occurs when the web application uses an action without specifying any namespace, or uses a wildcard namespace like /*. If Struts can't find a namespace for the given action, it takes the user-specified namespace from the URL and evaluates it as an OGNL expression, allowing an attacker to achieve remote code execution / remote command execution on the web application.

For example, ${1+1} returns 2. Or, to exploit a remote code execution:
provensecurity ${ ( #_memberAccess["allowStaticMethodAccess"]=true, #w=@java.lang.Runtime@getRuntime().exec('cat /etc/passwd').getInputStream(), #x=new java.io.InputStreamReader(#w), #y=new java.io.BufferedReader(#x), #z=new char[51020], #y.read(#z), #provensecurity=@org.apache.struts2.ServletActionContext@getResponse().getWriter(), #provensecurity.println(#d), #provensecurity.close() ) }

As you can see, the OGNL above executes cat /etc/passwd and prints the standard output of the executed command. You can also use a script to check whether a server is vulnerable.
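As an added example (not from the original post), the following Python scan runs over constructed web-server access-log lines and flags requests whose URL path segments, i.e. the position Struts reads the namespace from, carry ${...} or %{...} OGNL syntax, including percent-encoded and double-encoded forms. The log lines, client IPs and paths are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Aug/2018:10:01:02 +0000] "GET /avengers/index.action HTTP/1.1" 200 512
10.0.0.5 - - [28/Aug/2018:10:01:03 +0000] "GET /avengers/ironman/jarvis.action HTTP/1.1" 200 734
10.0.0.9 - - [28/Aug/2018:10:02:10 +0000] "GET /avengers/${1+1}/index.action HTTP/1.1" 302 0
10.0.0.9 - - [28/Aug/2018:10:02:11 +0000] "GET /avengers/%24%7B1%2B1%7D/index.action HTTP/1.1" 302 0
10.0.0.9 - - [28/Aug/2018:10:02:12 +0000] "GET /avengers/%2524%257B1%252B1%257D/index.action HTTP/1.1" 302 0
10.0.0.7 - - [28/Aug/2018:10:03:00 +0000] "GET /avengers/static/logo.png HTTP/1.1" 200 2048
"""

# Request line inside the quotes: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# OGNL expression delimiters used by Struts: ${...} and %{...}.
OGNL_RE = re.compile(r'[$%]\{.*?\}')

def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded delimiters are still caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def suspicious_segments(target):
    """Return the raw path segments (query string excluded) containing OGNL-style syntax."""
    path = target.split('?', 1)[0]
    return [seg for seg in path.split('/') if OGNL_RE.search(decode_fully(seg))]

def scan_log(text):
    """Return (client_ip, request_target, offending_segments) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        segs = suspicious_segments(m.group('target'))
        if segs:
            hits.append((line.split(' ', 1)[0], m.group('target'), segs))
    return hits

if __name__ == '__main__':
    for ip, target, segs in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> OGNL-like segment(s): {segs}")
```

A single-quoted query string is deliberately excluded so that ordinary parameters do not trigger the rule; the namespace Struts evaluates comes from the path.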


Patch: You can upgrade to Struts 2.3.35 or Struts 2.5.17.