Critical Remote Code Execution Vulnerability (CVE-2018-11776) Found in Apache Struts
Users of the Apache Struts are urged to update to its latest version after security researchers uncovered a critical remote code execution (RCE) vulnerability in the popular open-source Java-based web application development framework. The Apache Software Foundation accordingly issued a security advisory (S2-057) that provides technical details and guidelines on the security flaw.
What is the vulnerability about?
The security flaw (CVE-2018-11776) is caused by insufficient validation of untrusted user data in the core of the Struts framework. This causes Object-Graph Navigation Language (OGNL) expressions — used to set properties in Java objects — sent through crafted Hypertext Transfer Protocol (HTTP) requests to be evaluated, which can lead to potential RCE.
Depending on the Struts configuration, attackers can execute remote code on a server when they send a malicious HTTP request with an OGNL expression in the Uniform Resource Identifier (URI) query, which is used to identify resources (e.g., documents).
Based on previous RCE vulnerabilities in Apache Struts, many involved using OGNL expressions. Using OGNL could make it easy for attackers to execute arbitrary code remotely as Apache Struts uses OGNL for most of its processes.
[InfoSec Guide: Mitigating Web Injections]
Who is affected by this vulnerability?
Users of Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are affected. Note that whether or not an Apache Struts-based web application is vulnerable to this security flaw largely depends on its exact configuration and architecture.
What is the impact?
The worst-case scenario is malicious code being remotely executed on the vulnerable server. Given how ubiquitous Apache Struts is in web application development, the impact can be daunting, given that the framework is being used by at least 65 percent of Fortune 100 businesses. The Equifax data breach, which was caused by a vulnerability in Apache Struts, is a case in point, exposing the personally identifiable information of 145.5 million U.S. citizens.
Conversely, there are caveats to successfully exploiting this vulnerability. For example, the hacker must be able to know which web application and what “action” is susceptible to the security flaw. In terms of actions, the result type (i.e., values or code returned to a query) should be a redirect action, action chaining, or postback result. In another attack vector, the hacker must know which templates and parameter to be attacked.
[READ: Vulnerabilities in Banking-Related Web Applications Highlight Significance of Secure DevOps]
What does this vulnerability mean for developers and security teams?
For web application developers, particularly those adopting DevOps, security shouldn’t be sacrificed. While rapid development and delivery helps enrich customer and user experience, applications should also be secure by design. As recent data breaches have shown, a vulnerable web application framework, server, or network can cause significant damage beyond an enterprise’s bottom line.
On the other hand, security teams should empower development, operations, and other IT teams to adopt security in their business processes. Baking security into an application development life cycle, for instance, will help quickly identify if the version of Apache Struts being used is unsecure. Also, through automated tools, security and development teams can determine if risks are being introduced through third-party components. And true to the DevOps culture, these can help promptly uncover and address vulnerabilities.
Trend Micro Solutions
The Trend Micro™ Deep Security™ solution provides virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications such as Apache Struts. The Trend Micro™ TippingPoint® system provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via DigitalVaccine™ filters. The Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.
The Trend Micro Deep Security solution protects user systems from any threat that might target the aforementioned vulnerability via the following deep packet inspection (DPI) rules:
- 1009265 - Apache Struts OGNL Expression Remote Command Execution Vulnerability (CVE-2018-11776)
- 1008610 - Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request
Customers of the Trend Micro TippingPoint system are protected from threats that might exploit the vulnerability via this DVToolkit filter:
- C1000001: HTTP: OGNL Entity Usage in an HTTP URI
- 2726 - CVE-2018-11776 - APACHE STRUTS RCE EXPLOIT - HTTP(Request)
With insights from William Gamazo Sanchez and Shriram Rananavare (Trend Micro Vulnerability Researchers)
Updated as of August 27, 2018, 7:33 PM PDT, to include solution for Trend Micro Deep Discovery.
Updated as of August 28, 2018, 2:13 AM PDT, to clarify the caveats to exploiting the vulnerability.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.