Apache Struts 2 Users Urged to Patch Critical Security Vulnerability

Users should immediately patch a “critical” remote code execution security vulnerability in the open-source Apache Struts 2 Java application development framework to protect against potentially harmful attacks.

The vulnerability, reported by Man Yue Mo from Semmle Security Research, can allow possible remote code execution (RCE) by an attacker, according to an announcement from the Apache Software Foundation.

Affected are Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16.

The RCE attack can successfully occur “when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace,” according to Man Yue Mo’s report. “Same possibility when using url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”

All Struts 2 developers and users should immediately upgrade their Apache Struts applications to version 2.3.35 or 2.5.17 to protect against the latest vulnerability, according to the Apache Software Foundation. Both new versions 2.3.35 and 2.5.17 contain the security fixes only, and no backward incompatibility issues are expected, Apache said.

Users should also verify that they have set the namespace for all defined results in underlying configurations to block attackers and should also verify that they have set value or action for all url tags in their JavaServer Pages.

“Both are needed only when their upper action(s) configurations have no or wildcard namespace.”

In its own announcement about the vulnerability, Semmle Research said that “organizations and developers who use Struts are urgently advised to upgrade their Struts components immediately. Previous disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk.”

The vulnerability is located in the core of Apache Struts and all applications that use Struts are potentially vulnerable, even when no additional plug-ins have been enabled.

Remote code execution vulnerabilities are the most severe type of security issue because they allow attackers to take control of a vulnerable system, giving them an entry point into corporate networks where infrastructure and data can be placed at risk, Semmle said. 

Struts applications are more vulnerable because they don’t require any existing privileges for an attack to be launched against them and because it’s often easy for an attacker to assess whether an application is vulnerable.

“This vulnerability affects commonly used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,” Man Yue Mo said. “On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past. On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September.”

Brian Fox, the CTO of open-source security vendor Sonatype and an active member and code committer with the Apache Software Foundation, told Channel Futures that Man Yue Mo’s research also found that other potential threat scenarios could exist in the code outside the ones addressed by the new patches.

“It means you can’t let your guard down for more potential upgrades in the future,” said Fox.

Brian Fox

By updating Struts 2 versions to the new code, users can close the attack opportunities today, he said.

“But given that it’s a remote exploit, merely updating doesn’t mean you are off the hook.”

Companies and users then must assess their systems to see if any damage has been done by any attackers, including whether any back doors have been installed, he said.

“If they look at their configurations and determine they are potentially vulnerable, they will want to look at their logs to see if they are having any unusual behavior in the systems.”

Amy DeMartine, an analyst with Forrester, said that to prevent such attacks, it’s recommended that all websites be protected by runtime protection tools such as a web application firewall (WAF), as well as a runtime application self-protection tool (RASP). 

Amy DeMartine

“However, you never want that to be your only protection — we recommend a zero-trust architecture where there is no network perimeter to protect applications and the data they use and create,” she said. “And fixing the affected systems is the best protection of all and reduces any lag time that runtime protection takes to remediate issues in real time. In many firms, not all websites have runtime protection either because they aren’t deemed critical or because they aren’t visible to the security team.”

That’s not a good practice, she said, because it means the systems will not have runtime protection and might not be patched. 

“For those organizations who want to move to being proactive and not reactive (Struts 2 has a laundry list of vulnerabilities associated with it), software composition analysis tools (SCA) can scan applications before they are released, showing which components are vulnerable so that they are fixed in development,” said DeMartine. “Additionally, most SCA vendors will proactively notify a company if they have a newly identified vulnerable component for faster and targeted patching.”

Open-source users should also work hard to keep up to date on the versions of open source components they use because fixes are usually only provided on a few versions, she said.

“With the success of the Equifax breach, it’s likely that malicious attackers will be excited to see another Struts 2 vulnerability,” said DeMartine. “Firms can employ such tools as security analytics platforms to speed detection, investigation and response to threats. Vendors such as BAE Systems, E8 Security, Fortinet, Hewlett Packard Enterprise (HPE), Huntsman Security, IBM, Intel Security, LogRhythm, RSA, Securonix and Splunk all have security analytics platforms.”