tl;dr: If you use Apache Struts in your environment, PATCH NOW.
Apache Struts is once again in the news for critical bugs in its code: the Apache Software Foundation has announced a critical remote code execution vulnerability in the popular open source framework for building web applications in Java.
The vulnerability, assigned CVE-2018-11776 and first discovered in April of this year, is actually a group of vulnerabilities of the same type. In a nutshell, an attacker supplies a payload as unvalidated input (in this case, through the request URL) to a Struts application; the application then evaluates that input as an expression, and the evaluation is used to achieve remote code execution.
The interesting bit about CVE-2018-11776 is that it takes advantage of a fairly obscure expression language called OGNL (Object-Graph Navigation Language). How obscure is it? Only a few Java-based frameworks, such as Struts and Spring Web Flow (a sub-project of the Spring Framework), actually use OGNL. A well-crafted OGNL expression supplied as the payload results in remote code execution on Struts 2.3 through 2.3.34 and 2.5 through 2.5.16; the fixed releases are 2.3.35 and 2.5.17.
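As an added example (this is not code from the original post or from the Apache Struts project), the following Python script does the two things a responder would want to do after reading the above: check whether a Struts version string or jar filename falls inside the affected ranges named in the advisory, and triage web server access logs for request paths that carry an OGNL expression marker (`${` or `%{`), including URL-encoded and double-encoded forms. The sample log lines are constructed for the example, and the `${7*7}` path segment is only a stand-in for an OGNL-shaped value, not a working exploit.

```python
"""Struts S2-057 (CVE-2018-11776) triage helpers: version-range check and access-log scan.

Added example, not project code. Affected ranges are the ones stated in the advisory:
2.3.0..2.3.34 and 2.5.0..2.5.16 (fixed in 2.3.35 / 2.5.17).
"""
import re
from urllib.parse import unquote

# Inclusive (low, high) version ranges that the advisory lists as vulnerable.
AFFECTED_RANGES = (((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16)))


def parse_version(text):
    """Extract a (major, minor, patch) tuple from '2.5.16', 'struts2-core-2.3.24.jar', etc.

    A missing patch component ('2.3') is treated as 0, i.e. the oldest release in that line.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if the version lies inside one of the advisory's affected ranges.

    Note: being in range means 'patch now'; it does not by itself prove the app is
    configured in the way the bug needs (namespace-less results / url tags).
    """
    v = parse_version(version_text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


# OGNL expression markers as they appear once the path is percent-decoded.
OGNL_MARKER = re.compile(r"[$%]\{")


def fully_decode(path, rounds=3):
    """Percent-decode repeatedly (bounded) so %2524%257B -> %24%7B -> ${ is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_ognl_marker(path):
    """True if the decoded request path contains ${ or %{ anywhere (the namespace is a path segment)."""
    return bool(OGNL_MARKER.search(fully_decode(path)))


# Minimal Common Log Format parser: client, timestamp, method, path, status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_ognl_requests(log_text):
    """Return (client, decoded_path, status) for every log line whose path carries an OGNL marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        if has_ognl_marker(m.group("path")):
            hits.append((m.group("client"), fully_decode(m.group("path")), int(m.group("status"))))
    return hits


# Constructed sample log for the example: one clean request, one encoded and one
# double-encoded OGNL-shaped namespace, and one static asset.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [22/Aug/2018:10:01:02 +0000] "GET /showcase/actionChain1.action HTTP/1.1" 200 512
10.0.0.9 - - [22/Aug/2018:10:01:07 +0000] "GET /%24%7B7*7%7D/actionChain1.action HTTP/1.1" 302 0
10.0.0.9 - - [22/Aug/2018:10:01:09 +0000] "GET /%2524%257B7*7%257D/actionChain1.action HTTP/1.1" 302 0
10.0.0.12 - - [22/Aug/2018:10:02:00 +0000] "GET /static/app.css HTTP/1.1" 200 1034
"""

if __name__ == "__main__":
    for v in ("2.3.24", "struts2-core-2.3.34.jar", "2.3.35", "2.5.16", "2.5.17"):
        print("%-28s affected=%s" % (v, is_affected(v)))
    for client, path, status in find_ognl_requests(SAMPLE_ACCESS_LOG):
        print("suspicious request from %s -> %s (status %d)" % (client, path, status))
```

The marker regex is a triage aid, not a complete detector: it catches unobfuscated `${`/`%{` in the path, which is what bulk scanning traffic looks like, but a determined attacker can vary encoding further, so treat a hit as a reason to look at the full request and the application's Struts version rather than as proof of compromise.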
If this feels familiar, there is a reason. We all watched the same movie unfold last year with Equifax and CVE-2017-5638. While CVE-2017-5638 has become synonymous with Equifax, that vulnerability had a much broader impact, because many web applications out in the wild use Apache Struts. This is why vulnerability identification is so important. A researcher in our Crowd identified CVE-2017-5638 months before the Equifax breach on one of our customers, a major worldwide financial services company. As a result, the customer remediated the vulnerability before a bad actor could take advantage of it. That customer did not end up in the news, and as they say, no news is good news.
This will likely be weaponized in the not too distant future, if it hasn't been already. We strongly suggest that anyone with Apache Struts in their environment patch immediately, upgrading to 2.3.35 or 2.5.17.
Ongoing research on Struts is being done in a public GitHub project. If you're interested in reading more, the full write-up and gory details can be found here. Or check out this proof of concept, which walks through how the vulnerability could be exploited.