Today, the Apache Software Foundation announced a critical remote code execution vulnerability in Apache Struts, a popular open source framework for developing web applications in the Java programming language. Applications developed using Apache Struts are potentially vulnerable. The vulnerability (CVE-2018-11776) was identified and reported by Man Yue Mo from the Semmle Security Research Team, which works to find and report critical vulnerabilities in widely used open source software.

Organizations and developers who use Struts are urgently advised to upgrade their Struts components immediately. Previous disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk.

Mitigation

This new remote code execution vulnerability affects all supported versions of Apache Struts 2. A patched version has been released today. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. The vulnerability is located in the core of Apache Struts. All applications that use Struts are potentially vulnerable, even when no additional plugins have been enabled.

Remote code execution vulnerabilities are commonly considered to be the most severe type of security issue, as they allow attackers to take control of a vulnerable system. This can provide a hacker with an entry point into your corporate networks, and can put both infrastructure and data at risk. Struts applications are often facing the public internet, and in most situations an attacker does not require any existing privileges to a vulnerable Struts application in order to launch an attack against it. To make matters worse, it is very easy for an attacker to assess whether an application is vulnerable, and it is likely that dedicated scanning tools will be available soon. Such tools will enable a malicious actor to quickly and automatically identify vulnerable applications.

Whether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application. For more details, please see the section "Was I vulnerable?" below. Note that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.

Struts: a popular web framework for enterprises under attack

Apache Struts is widely used by enterprises globally, with estimates suggesting that in 2017 at least 65 percent of the Fortune 100 companies relied on web applications built with the Apache Struts framework. Moreover, it is estimated that 57 percent continue to expand their use of Apache Struts this year, by downloading vulnerable versions of the software.

Less than a year ago, the Semmle Security Research Team announced a similar remote code execution vulnerability in Apache Struts: CVE-2017-9805. Within days of that announcement, Equifax disclosed that records containing personal details of 147 million consumers were breached, because they had failed to patch a similar Apache Struts vulnerability that was published earlier that year (CVE-2017-5638). Equifax estimates that the total cost of the breach amounts to “well over $600 million.”

The widespread use of Struts by leading enterprises, along with the proven potential impact of this sort of vulnerability, illustrate the threat that this vulnerability poses.

Pavel Avgustinov, VP of QL Engineering at Semmle, explains that it is critical to act now and upgrade any Struts application:

Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit. A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk. Pavel Avgustinov Co-founder & VP of QL Engineering at Semmle

About the discovery

The vulnerability was found by Semmle security researcher Man Yue Mo, using Semmle QL technology for writing queries that enable deep semantic code analysis. QL lets security researchers write queries that search for intricate data flow paths. In the case of this vulnerability, the Semmle Security Research Team discovered how user-provided input is insufficiently validated before it is evaluated, resulting in a remote code execution vulnerability.

Man Yue Mo confirms the criticality of his finding:

This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past. On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September. Man Yue Mo Security Researcher at Semmle

To read more about how Mo used Semmle QL technology on LGTM.com to find this vulnerability, read his blog post on the LGTM blog. To read more about the Apache Struts vulnerability that was discovered by the Semmle Security Research Team last year (CVE-2017-9805), read last year's announcement post.

Disclosure timeline of CVE 2018-11776

10 April 2018: initial private disclosure by Man Yue Mo to the Apache Struts Security Team.

initial private disclosure by Man Yue Mo to the Apache Struts Security Team. 25 June 2018: the Apache Struts team published the code change that patches this vulnerability.

the Apache Struts team published the code change that patches this vulnerability. 22 August 2018: new versions of Struts released: 2.3.35 and 2.5.17; public announcements by the Apache Struts team and the Semmle Security Research Team.

Responsible disclosure

The Semmle Security Research Team takes responsible disclosure very seriously. As with any other security vulnerability, the team has worked closely with the Struts developers to ensure an effective patch is made available as quickly as possible. For more information about our security team, the research they do, and the disclosure policy, visit semmle.com/security.

Was I vulnerable?

This vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework. Due to the fact that this vulnerability affects the core of Struts, there exist multiple separate attack vectors. At the moment, we are aware of two such vectors, which we describe in more detail below.

For your application to be vulnerable to the attack vectors described below, both of the following conditions should hold:

The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin. Your application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. “ /* ”). This applies to actions and namespaces specified in the Struts configuration file (e.g. <package namespace="main"> ), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.

If your application’s configuration does not meet these two conditions, you are likely not vulnerable to the two attack vectors described below. However, new attack vectors that apply to different configurations may be discovered in the near future.

If your application configuration does meet the two conditions mentioned above, it may be vulnerable to the following attack vectors:

Attack vector A: result without a namespace

Three Struts result types are unsafe when used without a namespace. Results can be defined either in the Struts configuration file or in Java code (if the Struts Convention plugin is used). The following three result types are vulnerable:

Redirect action: an action that redirects the visitor to a different URL. See the documentation for redirectAction in Struts

an action that redirects the visitor to a different URL. See the documentation for in Struts Action chaining: a method to chain multiple actions into a defined sequence or workflow. See the documentation for chain in Struts

a method to chain multiple actions into a defined sequence or workflow. See the documentation for in Struts Postback result: renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback. See the documentation for postback in Struts

For example, the following struts.xml configuration is potentially vulnerable:

< struts > < package > < action name = "a1" > < result type = "redirectAction" > < param name = "actionName" > a2.action </ param > </ result > </ action > </ package > </ struts >

Attack vector B: the use of url tags in templates

Apache Struts supports page templates inside <result> tags in the Struts configuration. The use of url tags in such pages is potentially unsafe if the template is referred to from a package that does not provide a namespace attribute (or specifies a wildcard namespace). For example:

< package namespace = "/*" > < action name = "help" > < result > /WEB-INF/help.jsp </ result > </ action > </ package >

Your application is vulnerable if the template contains an <s:url ...> tag without an action or value attribute. For example, the following <s:url ...> tag (taken from the Struts URL documentation) is vulnerable:

< s:url includeParams = "get" > < s:param name = "id" value = "%{'22'}" /> </ s:url >

More information about namespace injection

Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string. OGNL (“Object-Graph Navigation Language”) is a powerful domain-specific language that is used to customize Apache Struts’ behavior.

The Semmle Security Research Team has constructed multiple OGNL payloads and shared details with the Apache Struts team. At this stage, we are not releasing more details of the exact OGNL strings that trigger this vulnerability and allow remote execution of arbitrary code.

Use Semmle technology to keep your code safe

Semmle LGTM finds security vulnerabilities and other critical bugs in codebases and software portfolios. LGTM is powered by Semmle’s QL technology that allows writing queries for deep semantic code search. In the last year, the security team has discovered a large number of security vulnerabilities in open source projects and enterprise codebases using QL and LGTM.com.

Both LGTM and QL technology are free to use for open source projects on LGTM.com. At the time of this disclosure, LGTM.com is constantly analyzing every commit of more than 82,000 open source projects. Project teams from organizations including NASA and Google rely on LGTM.com, while closed source codebases within these organizations are analyzed by Semmle’s enterprise product range.

About Semmle

Semmle secures the software that runs the world, with analytics developers love and CIOs trust. Software engineering and security teams at Credit Suisse, Dell, Google, Microsoft, NASA and Nasdaq depend on the Semmle analytics platform to create more reliable and trustworthy code without slowing down. Headquartered in San Francisco, Semmle is a privately held company funded by Accel, with additional offices in Copenhagen, New York City, Oxford, Seattle and Valencia.

Contact information

If you would like to speak to us about this vulnerability, please contact us at security@semmle.com, or reach out on Twitter: @Semmle