Critical Apache Struts flaw just waiting to be exploited; PoC reported in the wild

Filip TRUȚĂ

August 27, 2018

Organizations relying on the Apache Struts framework should patch their servers ASAP, or at the very least ensure the namespace is always set within their infrastructure, as cybercrooks already have a proof-of-concept (PoC) at their disposal.

A critical flaw in Apache Struts discovered by Semmle security researcher Man Yue Mo reportedly has a working PoC that has been leaked into the wild. Recorded Future researchers say they've even heard chatter about a working exploit on a number of Chinese and Russian underground forums.

An advisory on the Apache Software Foundation's wiki details the vulnerability in question, and how it can be exploited:

“It is possible to perform a RCE attack when namespace value isn't set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace,” says the advisory. “Same possibility when using url tag which doesn't have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”

Affected versions include Struts 2.3 through 2.3.34 and Struts 2.5 through 2.5.16. Unsupported Struts versions may also be affected, the Foundation warns. Struts users are urged to upgrade to Apache Struts version 2.3.35 or 2.5.17.

A temporary workaround is also offered to those who rely on Struts for critical operations:

“Verify that you have set (and always not forgot to set) namespace (if is applicable) for your all defined results in underlying configurations. Also verify that you have set (and always not forgot to set) value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace,” according to the Apache Software Foundation.
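The workaround above amounts to a configuration audit. The following script, added here as an illustration and not Apache's own tooling, parses a constructed struts.xml and flags results that point at another action without a namespace while their package has no or a wildcard namespace; the package names, action names and class names are made up for the example.

```python
"""Audit a struts.xml for the pattern in the advisory: an action-addressing
result with no namespace inside a package whose namespace is missing or a
wildcard. Constructed checker, not part of Apache Struts."""
import xml.etree.ElementTree as ET

# Constructed sample. Package "legacy" uses a wildcard namespace and its
# redirectAction result sets no namespace (the pattern the advisory warns
# about). Package "fixed" keeps the wildcard but sets the namespace param.
SAMPLE_STRUTS_XML = """<struts>
  <package name="legacy" namespace="/*" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="fixed" namespace="/*" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
"""

# Result types that address another action by name, and so take a namespace.
ACTION_RESULT_TYPES = {"redirectAction", "chain"}

def unsafe_namespace(ns):
    """True when a package namespace is absent, empty, or a wildcard."""
    return ns is None or ns.strip() == "" or "*" in ns

def result_sets_namespace(result):
    """True when the result carries a non-empty <param name="namespace">."""
    return any(p.get("name") == "namespace" and (p.text or "").strip()
               for p in result.findall("param"))

def audit_struts_xml(xml_text):
    """Return (package, action) pairs matching the advisory's risky pattern."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        if not unsafe_namespace(pkg.get("namespace")):
            continue  # explicit, non-wildcard namespace: not the pattern
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if (result.get("type") in ACTION_RESULT_TYPES
                        and not result_sets_namespace(result)):
                    findings.append((pkg.get("name"), action.get("name")))
    return findings

if __name__ == "__main__":
    print(audit_struts_xml(SAMPLE_STRUTS_XML))  # [('legacy', 'login')]
```

Run it against a real struts.xml by passing the file contents to audit_struts_xml; an empty list means every action-addressing result under a missing or wildcard package namespace sets its own namespace.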

Infosec fans will remember that the disastrous Equifax breach in 2017 was also the result of an unpatched Apache Struts installation. However, this new flaw is even easier to exploit, because it doesn't require additional plugins running, researchers said.

A study by enterprise content delivery company Kollective has found that 27% of US enterprises take months to install vital security updates. This is especially true for large organizations, with 45% of those with more than 100,000 endpoints waiting at least a month before installing critical updates.

Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
