Security Alert

Apache Struts Vulnerability

Original date: 22.08.2018
Overall risk classification: HIGH
UPDATE 30.08.2018: An exploit for this vulnerability has been published on GitHub [3]. Make sure your Struts installation is updated!

Overview

Today, the Apache Software Foundation announced a critical remote code execution (RCE) vulnerability in Apache Struts.
Whether this RCE attack can be performed depends on the namespace configuration of the application. Affected are setups where the namespace is not set or a wildcard namespace is used [1].
If your project is affected, it is strongly recommended to update Struts to the latest version.

Systems Affected

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 [1, 2].

Threat

Risk: HIGH
If your project operates Apache Struts in a vulnerable version, the application is potentially vulnerable to remote code execution.
Remote code execution vulnerabilities allow attackers to take control of a vulnerable system. This can give an attacker an entry point into your corporate network and puts both infrastructure and data at risk.
Exploitability: MEDIUM
Whether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application. Details can be found in the original advisory [1] or here: https://semmle.com/news/apache-struts-CVE-2018-11776#was-i-vulnerable [2].
Priority (for affected, internet-exposed systems): HIGH
Priority (for internal systems): MEDIUM

Mitigation

A patched version has been released today.
Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17 [1].
If your system is vulnerable but Struts cannot be updated immediately, the advisory in [1] describes a workaround. However, it should be applied only as a short-term measure; it does not replace updating Struts as soon as possible.
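As an added triage example (not part of the original alert), the following Python script applies the conditions named above: it flags Struts versions inside the affected ranges (2.3 to 2.3.34, 2.5 to 2.5.16) and scans a struts.xml for packages whose namespace is missing or contains a wildcard. It additionally reports whether the constant struts.mapper.alwaysSelectFullNamespace is set to true, a condition listed in the upstream advisory [1] but not restated on this page; the sample struts.xml is constructed, and a hit is a reason to consult [1] and plan the upgrade, not proof of exploitability.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (not from any real project) exercising all three checks.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="app.IndexAction"/>
  </package>
  <package name="admin" namespace="/*" extends="struts-default"/>
  <package name="safe" namespace="/safe" extends="struts-default"/>
</struts>"""


def version_affected(version):
    """True for Struts 2.3 up to 2.3.34 and 2.5 up to 2.5.16 (ranges from S2-057)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised Struts version: %r" % version)
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0  # "2.5" is treated as 2.5.0
    return major == 2 and ((minor == 3 and patch <= 34) or (minor == 5 and patch <= 16))


def risky_packages(xml_text):
    """Packages whose namespace attribute is absent or contains a wildcard."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        ns = pkg.get("namespace")
        if ns is None:
            findings.append((pkg.get("name"), "namespace not set"))
        elif "*" in ns:
            findings.append((pkg.get("name"), "wildcard namespace %r" % ns))
    return findings


def full_namespace_forced(xml_text):
    """True if struts.mapper.alwaysSelectFullNamespace is set to true (condition from [1])."""
    for const in ET.fromstring(xml_text).iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return const.get("value", "").strip().lower() == "true"
    return False


def assess(version, xml_text):
    """Combine the checks; any True or non-empty entry means: read [1] and schedule the upgrade."""
    return {"version_affected": version_affected(version),
            "full_namespace_forced": full_namespace_forced(xml_text),
            "risky_packages": risky_packages(xml_text)}
```

Run assess() with the version from your pom.xml or struts2-core jar and the contents of the deployed struts.xml; the "safe" package in the sample shows that an explicit, non-wildcard namespace is not flagged.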

Author

Martin Schöne

References

[1] https://cwiki.apache.org/confluence/display/WW/S2-057
[2] https://semmle.com/news/apache-struts-CVE-2018-11776
[3] https://github.com/mazen160/struts-pwn_CVE-2018-11776

If you need help assessing the risk of your project, do not hesitate to contact us!