CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Vulnerability in Apache Struts Could Allow Remote Code Execution
A vulnerability has been discovered in Apache Software Foundation Struts versions 2.0.0 - 126.96.36.199. Apache Struts is an open source framework used for building Java web applications. Successful exploitation of this vulnerability could allow for remote code execution. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
At this time, a proof-of-concept is available outlining how to bypass a previously released patch for the latest Apache Struts version 188.8.131.52 and exploit the vulnerability.
- Apache Struts 2.0.0 - 184.108.40.206
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
- Home users: N/A
A vulnerability has been discovered in Apache Struts versions 2.0.0 - 220.127.116.11. When exploited, it first produces a Denial of Service (DoS) condition that bypasses the patch previously released in version 18.104.22.168. Once that patch is bypassed, remote code execution becomes possible because shared hosting directories can be mapped on affected products running impacted versions of Struts. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability is a ClassLoader manipulation issue: Struts fails to restrict access to the 'class' request parameter, which 'ParametersInterceptor' maps directly to the 'getClass()' method. This issue was previously thought to have been resolved by updating to version 22.214.171.124, but that patch does not fully resolve it and can therefore be bypassed and exploited.
At this time there is a proof-of-concept showing how to bypass the previously released patch and exploit the latest Struts version 126.96.36.199. Apache is currently working on a security fix to address the vulnerability, which it expects to be available within 72 hours.
Until the security fix becomes available, mitigation steps have been made available by Apache and can be found at hxxp://struts.apache.org/announce.html#a20140424.
We recommend the following actions be taken:
- Incorporate the mitigation steps found at hxxp://struts.apache.org/announce.html#a20140424.
- Apply the update from Apache, as soon as one becomes available, after appropriate testing.
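Until the fix and mitigation are in place, request logs can be reviewed for parameter names that address the 'class' property described above. The following detection script is an added example, not code from this advisory or from Apache; the regular expression, log format and sample log lines are constructed assumptions. It flags a parameter name that references 'class' at any nesting level and in any letter case, so it does not depend on one particular spelling.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed detection pattern (not from the advisory): match a parameter name that
# addresses the 'class' property at any nesting level and in any letter case,
# e.g. "class.x", "foo.class.x", "foo['class'].x", "foo[\"class\"].x", "class[0]".
# Names such as "classic" or "myclass" are ordinary properties and are not flagged.
CLASS_PARAM = re.compile(
    r"""(?:^|\.|\[['"])class(?:$|\.|\[|['"]\])""", re.IGNORECASE
)

# Assumed combined log format: ip - - [time] "METHOD /path?query HTTP/x.y" status bytes
REQUEST_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"'
)


def suspicious_params(query):
    """Return the parameter names in a query string that touch the 'class' property."""
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if CLASS_PARAM.search(n)]


def scan_access_log(lines):
    """Return (client_ip, path, flagged_names) for each request carrying such a parameter."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        ip, target = m.group(1), m.group(2)
        parts = urlsplit(target)
        flagged = suspicious_params(parts.query)
        if flagged:
            hits.append((ip, parts.path, flagged))
    return hits


# Constructed sample log lines (not real traffic): one benign request, two that
# reach the 'class' property directly and through a nested bean.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2014:10:00:01 +0000] "GET /app/login.action?user=bob&classic=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2014:10:00:02 +0000] "GET /app/login.action?class.classLoader.foo=1 HTTP/1.1" 200 12',
    '203.0.113.9 - - [24/Apr/2014:10:00:03 +0000] "POST /app/save.action?user.class.bar=1 HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, path, names in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(names)}")
```

Flagged requests should be reviewed and the source hosts checked, since ordinary application traffic has no reason to set the 'class' property of an action.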
Nanjing Hanhai source (bypass PoC):