Organizations running the Apache Struts framework should patch their servers as soon as possible, or at the very least make sure a namespace is explicitly set for every action and result in their configuration, because a proof-of-concept (PoC) exploit is already in circulation.
A critical flaw in Apache Struts, discovered by Semmle security researcher Man Yue Mo, reportedly has a working PoC that has been published in the wild. Recorded Future researchers say they have also seen chatter about a working exploit on a number of Chinese and Russian underground forums.
An advisory on the Apache Software Foundation's Struts wiki describes the vulnerability and the configuration conditions under which it can be exploited:
“It is possible to perform an RCE attack when the namespace value isn’t set for a result defined in underlying configurations and, at the same time, its upper action(s) configurations have no or wildcard namespace,” says the advisory. “The same possibility exists when using a url tag which doesn’t have value and action set and, at the same time, its upper action(s) configurations have no or wildcard namespace.”
Affected versions are Struts 2.3 through 2.3.34 and Struts 2.5 through 2.5.16. Older, unsupported Struts versions may also be affected, the Foundation warns. Struts users are urged to upgrade to Apache Struts 2.3.35 or 2.5.17.
A temporary workaround is also offered to those who rely on Struts for critical operations:
“Verify that you have set (and always do not forget to set) a namespace (if applicable) for all your defined results in underlying configurations. Also verify that you have set (and always do not forget to set) a value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace,” according to the Apache Software Foundation.
Infosec watchers will remember that the disastrous Equifax breach in 2017 was also the result of an unpatched Apache Struts installation. However, this new flaw may be even easier to exploit, because it does not depend on any additional plugin being enabled; it stems from how the core framework handles action configuration, researchers said.
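Both conditions the advisory describes come down to the same thing: a namespace that Struts has to fill in from the request rather than from configuration. They can therefore be checked mechanically. The following is an added example, not code from the article or from the Struts project: a small Python audit that parses a struts.xml and flags namespace-sensitive results that inherit an absent or wildcard package namespace, then scans JSP text for `<s:url>` tags with neither `action` nor `value`. The sample struts.xml fragments, the JSP fragment and the `com.example.*` class names are constructed for illustration; the set of result types treated as namespace-sensitive (`redirectAction`, `chain`, `postback`) and the `s` taglib prefix are assumptions you should adjust to your deployment.

```python
"""Audit Struts 2 configuration for the two conditions the advisory names:
namespace-sensitive results with no namespace under a package whose own
namespace is absent or a wildcard, and <s:url> tags with no action/value.
Added example, not code from the article or from Apache Struts; the samples
below are constructed and the com.example.* class names are hypothetical."""
import re
import xml.etree.ElementTree as ET

# Result types that resolve an action name against a namespace and so take
# the namespace from the request when none is configured. Assumed set for
# this example; extend it to match your deployment.
ACTION_RESULT_TYPES = {"redirectAction", "chain", "postback"}

# Constructed sample: wildcard package namespace and two redirectAction
# results (one global, one on the index action) that never set one.
VULNERABLE_STRUTS_XML = """\
<struts>
  <package name="app" extends="struts-default" namespace="/*">
    <global-results>
      <result name="error" type="redirectAction">error</result>
    </global-results>
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">login</param>
      </result>
    </action>
  </package>
</struts>
"""

# Same configuration after the workaround: the package keeps its wildcard
# namespace, but every namespace-sensitive result now sets one explicitly.
HARDENED_STRUTS_XML = """\
<struts>
  <package name="app" extends="struts-default" namespace="/*">
    <global-results>
      <result name="error" type="redirectAction">
        <param name="namespace">/</param>
        <param name="actionName">error</param>
      </result>
    </global-results>
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="namespace">/</param>
        <param name="actionName">login</param>
      </result>
    </action>
  </package>
</struts>
"""

# Constructed JSP fragment; assumes the conventional "s" taglib prefix.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:url var="self" />
<s:url action="login" namespace="/" var="loginUrl" />
<a href="<s:url value='/static/help.html' />">Help</a>
"""


def namespace_is_open(ns):
    """The advisory's 'no or wildcard namespace' condition on a package."""
    return ns is None or ns.strip() == "" or "*" in ns


def _unnamespaced_type(result, result_types):
    """Return the result type if it is namespace-sensitive and sets none."""
    rtype = result.get("type", "dispatcher")  # struts-default's default type
    params = {p.get("name"): (p.text or "").strip()
              for p in result.findall("param")}
    if rtype in result_types and not params.get("namespace"):
        return rtype
    return None


def audit_struts_xml(xml_text, result_types=ACTION_RESULT_TYPES):
    """Return (package, owner, result_type) for every namespace-sensitive
    result under an open package namespace; owner is the action name or
    'global-results'."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        if not namespace_is_open(pkg.get("namespace")):
            continue  # a fixed package namespace closes the condition
        owners = [("global-results", pkg.findall("global-results/result"))]
        owners += [(a.get("name"), a.findall("result"))
                   for a in pkg.findall("action")]
        for owner, results in owners:
            for result in results:
                rtype = _unnamespaced_type(result, result_types)
                if rtype:
                    findings.append((pkg.get("name"), owner, rtype))
    return findings


URL_TAG_RE = re.compile(r"<s:url\b([^>]*?)/?>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"\b(action|value)\s*=")


def audit_jsp(jsp_text):
    """Return each <s:url> tag that sets neither action nor value."""
    return [m.group(0) for m in URL_TAG_RE.finditer(jsp_text)
            if not ATTR_RE.search(m.group(1))]


if __name__ == "__main__":
    print(audit_struts_xml(VULNERABLE_STRUTS_XML), audit_jsp(SAMPLE_JSP))
```

Run against the constructed vulnerable configuration, the audit reports both `redirectAction` results (the global one and the one on `index`); against the hardened configuration it reports nothing, even though the package still uses a wildcard namespace, which matches the advisory's statement that the result-level namespace alone closes the condition. The JSP scan is a plain-text heuristic: it cannot tell which action a page belongs to, so it flags every `<s:url>` without `action` or `value` and leaves the "upper action has no or wildcard namespace" judgement to the reviewer.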
A study by enterprise content delivery company Kollective has found that 27% of US enterprises take months to install vital security updates. This is especially true for large organizations, with 45% of those with more than 100,000 endpoints waiting at least a month before installing critical updates.