Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: SERVER-APACHE Apache Struts remote code execution attempt  (Read 35528 times)

0 Members and 1 Guest are viewing this topic.

nidhinjo

  • Guest
SERVER-APACHE Apache Struts remote code execution attempt
« on: July 21, 2018, 06:20:38 pm »
Summary

A critical vulnerability has been discovered in the Apache Struts web application framework for Java web applications. A remote code execution attack is possible when using the Apache Struts REST plugin with XStream handler to deserialise XML requests.The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads. All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable. Shortly after the patched versions of Struts were released on 5 September, multiple working exploits were observed on various internet sites.

Impact


Attackers can execute arbitrary code remotely by exploiting this vulnerability.
Vulnerable
    >> Apache Struts 2.0.1 - 2.3.33
    >> Apache Struts 2.5 - 2.5.12
    >> All versions of Apache Struts released since 2008

Any security vulnerability can be potentially disastrous, but any that allows Remote Code Execution are especially worrying. This vulnerability is potentially very damaging due to the large number of sites that rely upon this framework. Coupled with the complexities to remediate, as code will have to be changed as opposed to just applying a vendor patch, this has the potential to be worse than the ‘POODLE’ attack was. Finding this highlights the power that static code analysis can bring, and if something this severe can be in such a well known public library, just imagine what it could find in your code base.

Recommendations


>>Upgrade to Apache Struts 2.5.13 immediately.

    No workaround is possible, the best option is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only. Please see Apache Struts Security Advisory S2-052 for details.

    Many popular vendor products utilize Java and the Struts web application framework. If you manage a Java web application, check with your vendor or developer to determine if the application is using Struts and if it is vulnerable. Install any vendor application patches that address CVE-2017-9805 immediate

:)                                                              :)