Apache Issues Emergency Struts Patch to Fix Critical FlawSome Security Experts Recommend Replacing Struts Altogether Due to Breach Risk
Warning: The Apache Struts web framework has a critical vulnerability that could be exploited by attackers to take full control of the application.
See Also: The State of the Software Supply Chain
Apache Struts 2 is an open source web application framework that allows users to create Java-based web applications.
Security experts say all users of all versions of Struts should install the patch as quickly as possible.
"The vulnerability is within the core code of Struts, so doesn't need additional modules to have been enabled," says incident response expert David Stubley, who heads Edinburgh-based security testing firm and consultancy 7 Elements. "Basically, if your configuration matches either of two known conditions, then you would be vulnerable."
To get the fix, users of users of Struts 2.3 need to upgrade to version 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17.
The flaw was discovered by the security research team at Semmle, a San Francisco-based software engineering analytics and code exploration provider.
"The vulnerability has been assigned CVE-2018-11776 (S2-057), is exposed on servers running Struts under certain configurations and can be triggered by visiting a specially crafted URL," Semmle security researcher Man Yue Mo, who found the flaw and reported it to Struts, writes in a blog post.
Semmle reports that the flaw can be exploited by using Object-Graph Navigation Language, which is "a powerful domain-specific language that is used to customize Apache Struts' behavior," to write and submit queries to vulnerable Struts applications.
"Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request," Semmle says in its analysis of the flaw. "The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string."
The good news: Full details of how to exploit this flaw have yet to become public.
"The Semmle Security Research Team has constructed multiple OGNL payloads and shared details with the Apache Struts team," it says. "At this stage, we are not releasing more details of the exact OGNL strings that trigger this vulnerability and allow remote execution of arbitrary code."
Struts Users: Patch Now
The Apache patch alert should send all users' information security teams scrambling.
Roses are red— Gallagher (@DanielGallagher) August 23, 2018
Struts is my web app solution
Remote code execution
The cost of delaying the installation of emergency Struts patches can be severe.
Struts, of course, was the software tied to the massive breach of credit bureau Equifax in March 2017 (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).
Timeline: Equifax Breach
The Equifax breach demonstrates that Struts users may have days, at most, to patch flaws before attackers attempt to exploit them. In the case of Equifax, the company had failed to install a patch released by Apache on March 6 to fix a flaw, designated CVE-2017-5638. Just four days later, Equifax was hacked by an attacker who exploited the flaw.
This Struts patch and Equifax breach timeline demonstrates just how quickly such flaws may be targeted.
- Feb. 14, 2017: Struts gets notified of the remote code execution vulnerability.
- March 6: Apache releases a patch for the vulnerability and recommends users immediately update.
- March 7: Exploit for the flaw published to Exploit-DB.
- March 9: Equifax issues internal alert, requiring all Struts installations to be updated within 48 hours.
- March 10: Hacker exploits the flaw to breach Equifax. Over the next three months, the attacker exfiltrates massive quantities of data.
- March 15: Scans run by Equifax's security team fail to flag the vulnerable Struts implementation.
- July 29: Equifax discovers the breach.
- July 30: Equifax patches the Struts flaw.
- Sept. 7: Equifax issues it first public notification about the breach.
Equifax's former CEO, Richard Smith, told a House committee last year that the company's internal policy was to apply all emergency security patches within 48 hours of their being issued. In the case of the Apache Struts patch, the company obviously failed (see Equifax Ex-CEO Blames One Employee For Patch Failures).
In May, Equifax told Congress that based on its latest findings, the breach exposed information on 146.6 million U.S. individuals, as well as 15 million U.K. consumers and 8,000 Canadian consumers.
Apache: Update Struts in Hours or Days
In the wake of reports that Equifax had failed to patch Struts in a timely manner, René Gielen, vice president of Apache Struts, advised all users to ensure they put the appropriate policies and procedures in place, ideally to update their software within hours of a security update being released.
"Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons," Gielen wrote. "Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years."
Widespread Use of Vulnerable Versions of Struts
Indeed, there's widespread use of vulnerable, outdated versions of Struts, Derek E. Weeks, a DevOps advocate at cybersecurity startup Sonatype, which tracks code used by software developers, reported at the RSA Conference in April, held in San Francisco.
From March 2017 through February 2018, nearly 11,000 organizations downloaded a version of Apache Struts that included known flaws, Weeks said in a presentation titled "We Are All Equifax."
"Everyone knows the Equifax story, but for folks like me who have been paying closer attention, the story also includes the Canadian Revenue Agency, Okinawa Power, the Japanese Post, the India Post, AADHAAR, Apple, University of Delaware, and the GMO Payment Gateway," Weeks said in his presentation.
Expert Advice: Stop Using Struts
Some information security experts recommend organizations stop using Struts altogether, for the safety of their networks and data.
Chad Loder, the founder of information security firm Rapid7 who's now CEO of security awareness startup Habitu8, says that based on his extensive data breach investigation experience, organizations should pull the plug on Struts.
I'm lucky enough to have seen lots of non-public details on dozens of high-profile security breaches over the last 15 years. My one takeaway, not a joke - stop using Apache Struts.— Chad Loder (@chadloder) August 22, 2018
"I have to agree," Stubley at 7 Elements tells Information Security Media Group. "My advice would be to migrate to a different technology stack. I've managed numerous incidents where Struts was the vulnerable component that enabled unauthorized access to the underlying server."