Apache Struts is a free and open-source framework used to build Java web applications. We looked into several past Remote Code Execution (RCE) vulnerabilities reported in Apache Struts and observed that in most of them attackers used Object Graph Navigation Language (OGNL) expressions. OGNL makes it easy to execute arbitrary code remotely because Apache Struts relies on it for most of its processing.
Using OGNL, a researcher found a new remote code execution vulnerability in Apache Struts 2, designated CVE-2017-5638. An exploit has been reported to be already in the wild.
The vulnerability allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header. Apache Struts 2, written in Java, is a popular open source web application framework. This is yet another incident that adds to a long list of vulnerabilities in this framework.
Different Scenarios
This particular vulnerability can be exploited if the attacker sends a crafted request to upload a file to a vulnerable server that uses a Jakarta-based plugin to process the upload request. The attacker can then send malicious code in the Content-Type header to execute the command on a vulnerable server.
According to Apache, the vulnerability exists in the Jakarta Multipart parser. When an invalid value is placed in the Content-Type header, an exception is thrown. The exception is used to display the error to the user. An attacker can exploit this vulnerability to escape the data scope into the execution scope through the Content-Type header.
A vulnerability in Apache Struts could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability is due to improper handling of user requests by the affected software. An attacker could exploit the vulnerability by sending crafted HTTP requests to a server running a vulnerable version of the software. A successful exploit could allow an attacker to execute arbitrary Object-Graph Navigation Language (OGNL) code on the system.
Affected Version
Apache Struts versions 2.0.0 to 2.3.14.2 are vulnerable.
Technical Explanation
The vulnerability is due to the way action names passed via Wildcard Matching to the server are evaluated by OGNL. The vulnerability allows arbitrary OGNL expressions encoded in a URL to be evaluated, bypassing both Struts and OGNL library protections.
An unauthenticated, remote attacker could exploit this vulnerability by sending an HTTP request that contains a crafted action name to the vulnerable software. If successful, the attacker could execute arbitrary OGNL code on the system.
Method of Approach
To exploit the vulnerability, the attacker may need access to trusted or internal networks to transmit crafted HTTP requests to the targeted system. This access requirement could limit the likelihood of a successful exploit.
Preventions
1) Apply the appropriate updates: upgrade to Struts 2.3.14.3.
2) Allow only trusted users to have network access.
3) Implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
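As an added example (not from the original article or the Struts project) of the detection logic an IDS/IPS or WAF rule would apply for the Content-Type mechanism described above: the Jakarta Multipart parser only reaches its error path when the header is not a valid media type, so a request whose Content-Type either fails RFC 7231 media-type syntax or carries OGNL expression markers (%{, ${, (#, @Class) is worth flagging before it reaches the application. The header blocks below are constructed samples, not captured traffic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample header blocks (not captured traffic). The second carries an
# OGNL expression marker in Content-Type, the third a value that is not a media
# type at all; both should be flagged, the first should pass.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{(#demo=1+1).(#demo)}\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: not a media type at all\r\n\r\n",
]

# RFC 7230 token characters; a media type is token/token plus optional
# ";name=value" parameters (value may be a quoted string).
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE_RE = re.compile(
    rf'^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"]*"))*\s*$'
)
# Markers that only appear when someone is trying to get OGNL evaluated.
OGNL_MARKER_RE = re.compile(r"[%$]\{|\(#|@[A-Za-z_]")


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values for the header block of a raw request."""
    headers: Dict[str, str] = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_content_type(value: str) -> List[str]:
    """Return the reasons a Content-Type value should be treated as suspicious."""
    reasons = []
    if OGNL_MARKER_RE.search(value):
        reasons.append("ognl-expression-marker")
    if not MEDIA_TYPE_RE.match(value):
        reasons.append("not-a-media-type")
    return reasons


def scan_requests(raw_requests: List[str]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every request whose Content-Type is suspicious."""
    findings = []
    for idx, raw in enumerate(raw_requests):
        content_type = parse_headers(raw).get("content-type", "")
        reasons = inspect_content_type(content_type) if content_type else []
        if reasons:
            findings.append((idx, reasons))
    return findings
```

Malformed values also deserve a log entry even without OGNL markers, since a flood of "not-a-media-type" hits against the upload endpoint is the scanning noise that typically precedes an actual attempt.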