08.28.2018

With Apache Struts Vulnerabilities, Never Throw Caution to the Wind

Apache Struts framework vulnerabilities continue to emerge.

Even if you are on top of Apache vulnerability patching, your website could still be in jeopardy if it was developed using the Apache Struts 2 framework. A new related patch was recently announced, and as we saw with Equifax, many organizations are not on top of patching. Today more than 45% of business-critical websites run Java-based web applications developed using the Struts framework. Like any code, if you research it enough, you are likely to find the cracks and vulnerabilities. The Apache Software Foundation announced a fix for a critical remote code execution vulnerability found in Apache Struts core code that could allow attackers to take full control of the application. Here we go with another high-priority patch.

About Apache Struts CVE-2018-11776

The recent Struts 2 vulnerability is exposed on servers running Struts under certain configuration conditions and can be triggered by visiting a specially crafted URL. Using Object-Graph Navigation Language (OGNL), which is commonly used to customize Apache Struts behavior, attackers can effectively inject their own namespace value into an HTTP request and ultimately achieve remote execution of malicious code. The root cause is that user-provided input is insufficiently validated, which results in a remote code execution vulnerability.

If your application meets both conditions described below, it is likely vulnerable.

Condition 1: The alwaysSelectFullNamespace flag is true.

Condition 2: Actions are configured without specifying a namespace, or use a wildcard namespace.

How the Attack Manifests

Attackers can easily scan public-facing websites to identify vulnerable applications. The attack then targets the <result> tag, which is key to executing the desired business logic of the application. Struts comes with a number of predefined result types that can be altered in the Struts configuration file or in Java code. Researchers have discovered that the three Struts result types given below are unsafe when used without a namespace, and give control to attackers.

Vulnerable Struts result types

     Redirect action: an action that redirects the visitor to a different URL.

     Action chaining: a method to chain multiple actions into a defined sequence or workflow.

     Postback result: renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.
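The two conditions and the three result types above are all visible in a struts.xml, so a defender can audit a configuration for the combination before an upgrade lands. The following checker is an added example written for this post, not code from Virsec or the Struts project; it assumes the flag is set through the `struts.mapper.alwaysSelectFullNamespace` constant in struts.xml (a struts.properties file would need a separate check) and uses a constructed sample configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml that meets both conditions from the post:
# the alwaysSelectFullNamespace constant is true, and the "legacy" package
# declares no namespace while one of its actions uses a redirectAction result.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="legacy" extends="struts-default">
    <action name="home" class="example.HomeAction">
      <result type="redirectAction">index</result>
    </action>
  </package>
  <package name="api" namespace="/api" extends="struts-default">
    <action name="status" class="example.StatusAction">
      <result type="dispatcher">/status.jsp</result>
    </action>
  </package>
</struts>
"""

# The three result types the post names as unsafe without a namespace.
RISKY_RESULT_TYPES = {"redirectAction", "chain", "postback"}

def audit_struts_config(xml_text):
    """Check a struts.xml for the two conditions described in the post.

    'full_namespace' is condition 1; 'risky_actions' lists (package, action,
    result type) for condition 2: packages with no namespace or a wildcard
    namespace whose actions use one of the unsafe result types.
    """
    root = ET.fromstring(xml_text)
    full_namespace = any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    risky_actions = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is not None and "*" not in ns:
            continue  # explicit, non-wildcard namespace: condition 2 not met
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                rtype = result.get("type", "dispatcher")  # Struts default type
                if rtype in RISKY_RESULT_TYPES:
                    risky_actions.append((pkg.get("name"), action.get("name"), rtype))
    return {
        "full_namespace": full_namespace,
        "risky_actions": risky_actions,
        "likely_vulnerable": full_namespace and bool(risky_actions),
    }
```

The checker only flags the configuration pattern; upgrading to the fixed Struts release remains the actual fix.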

Protection and Mitigation

Researchers are urging organizations to upgrade Struts components immediately as they continue their analysis of the vulnerability. With the recent vulnerability announcement, designated CVE-2018-11776, users may have days, at most, to patch before attackers attempt an exploit. We learned from the Equifax breach just how quickly flaws are targeted once publicized.

Affected Apache Versions

All Apache Struts users should upgrade to the latest version and apply security patches within 24 hours of availability.

If you are running ...    Upgrade to ...
Struts 2.3.x              Struts 2.3.35
Struts 2.5.x              Struts 2.5.17

Security teams often seek to remedy vulnerabilities by virtual patching with a solution such as a web application firewall (WAF). With a WAF, custom security rules or scripts can be created to detect malicious namespace values or content-type values and block attacks targeting the vulnerability. In many cases, tailoring scripted rules over a wide variety of HTTP request attributes is the only means of meeting specific web security concerns immediately. Creating such rules can be very demanding on resources and may require outside expertise and further testing. Additionally, a WAF's input validation for the XSS, SQL injection or command injection payloads that accompany the related threat is often very limited, especially as attackers employ varying methods to overcome protections for the vulnerability. Today's attackers can choose between payload-bearing attacks and evasive fileless exploits that leverage the Java Runtime to build attacks on the application, evading WAF detection altogether.

The Virsec patching remedy

Organizations that already protect web applications and websites with the Virsec Security Platform can resume their normal upgrade schedule with confidence: protections are already in place to avert the risk associated with the Apache Struts vulnerabilities discussed here and others, covering the gap before the vendor patch is applied, no matter how sophisticated the exploit may be.

Virsec Security Platform (VSP) secures vulnerable Apache Struts web services at risk from known and unknown vulnerability exploits. Virsec is designed to preemptively patch web-facing applications with a deterministic approach to real-time threat detection that does not require custom rule configuration or scripting. Virsec goes beyond value checking of HTTP attributes to monitor application processes down to the memory level, including the Java Runtime as payloads are assembled, and to ensure that business logic and control flow paths are not compromised. Virsec maintains full visibility into what the Java ProcessBuilder is doing, detecting attacks and protecting against them with very high fidelity.

Using Virsec's patented Trusted Execution™ technology, the platform examines user inputs and the full transaction pipeline, analyzes processes within core processor-memory functions and validates libraries and file systems, all in real time. Because Trusted Execution focuses on the known, acceptable behavior of an application, it accurately detects and protects against known vectors, including uncommon redirects, action chaining and 'postback' results, as well as unknown, evolving threat types. Virsec's capabilities and its deep visibility into the full application structure enable instant identification of code tampering, complex injections, DLL attacks, memory corruption and unauthorized branching within instruction sets. All of this is done without extensive provisioning steps, machine learning, or sandboxing on the affected Apache server. Going forward, if you are tasked with reducing operational risk, improving patching cadence and mitigating evolving exploits of Apache Struts vulnerabilities, Virsec may be a great tool to add to the security program and to help those on the security team sleep at night.

About Apache Struts CVE-2017-5638

This Apache Struts vulnerability was discovered in the Apache Struts 2 framework. At least two known public exploits exist for this Apache Struts 2 vulnerability, which allows unauthenticated remote code execution on the server. Exploits have already been spotted against campus systems.

What Is Apache Struts?

Originally created in May 2000 and donated to the Apache Foundation, Apache Struts is an open-source web application framework used for developing Java EE web applications. The first attacks aimed at the unpatched Apache Struts vulnerability were zero-day exploits.

Zero-Day Exploits

Zero-day exploits or vulnerabilities (aka zero-hour, day zero or 0day exploits) are undisclosed software vulnerabilities that attackers can take advantage of with malicious code* to negatively affect computer programs, applications, data, additional computers or networks.

*Attackers using zero-day exploits often insert malicious code in their attacks. But newer attacks, known as fileless or memory attacks, do not place detectable malware on the victim's system, making them much more difficult to discover.

For more information on how Virsec can help secure your enterprise web applications, see our Solution Brief: Protection Against Advanced Web Attacks.

Resources:

Semmle Discovers Critical Remote Code Execution Vulnerability in Apache Struts (CVE-2018-11776)

Apache Issues Emergency Struts Patch to Fix Critical Flaw (Aug 23, 2018)