PoC code for critical hole in Apache Struts discovered online

PoC targeting critical Apache Struts bug found online

The discovery was made barely two days after the release of a patch that fixes the critical flaw in the web application framework

The discovery was made barely two days after the release of a patch that fixes the critical flaw in the web application framework

Researchers have discovered freely available proof-of-concept (PoC) code that can be used to exploit a critical security hole in the Apache Struts 2 web application framework shortly after the vulnerability was disclosed and the patch was released.

The PoC, “including a Python script that allows for easy exploitation”, was found by threat intelligence company Recorded Future on the software development platform GitHub. The firm also said that it has spotted chatter on underground forums that revolved around the flaw’s exploitation.

The discovery was made only two days after the Apache Software Foundation disclosed the critical remote code execution (RCE) vulnerability in the core of Apache Struts 2 and, at the same time, released a software update to plug the hole. The flaw in the open-source software was discovered in April by software analytics firm Semmle, which then reported it to the Foundation.

According to the Foundation’s advisory, the bug, which is tracked as CVE-2018-11776, affects all supported versions of Apache Struts 2 (version 2.3 to 2.3.34 and version 2.5 to 2.5.16), as well as possibly its unsupported versions.

Users are urged to apply the fix as soon as possible and upgrade to 2.3.35 and 2.5.17, respectively. “Previous disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk,” according to Semmle.

“Semmle will not confirm whether the reported PoC that has been published is a working PoC. If it is, attackers now have a quicker way into the enterprise,” the firm’s CEO Oege de Moor was quoted as saying by SC Magazine in response to the reports about the PoC code.

The vulnerability has to do with insufficient validation of user-supplied input data. If successfully exploited, it allows an attacker to execute code of his or her choosing on servers running a vulnerable version of the framework. A “simple, well-crafted URL” is all it takes to obtain access to a vulnerable Apache Struts installation, according to Recorded Future’s Allan Liska speaking to Dark Reading.

A flaw affecting Apache Struts 2 was exploited in the giant Equifax breach that affected over 140 million individuals last year. Unlike the vulnerability that was at the heart of the Equifax debacle, the new flaw can be exploited even in the absence of any additional plugins on the vulnerable Apache Struts 2 installation.

Apache Struts 2 is used by an estimated two-thirds of Fortune 100 companies.

Discussion