Who should read this | All Struts 2 developers and Apache Struts users |
Impact of vulnerability | A RCE attack is possible when using the Struts REST plugin with XStream handler to deserialize XML requests |
Maximum security rating | Critical |
Recommendation | Upgrade to Struts 2.5.13 or Struts 2.3.34 |
Affected Software | Struts 2.1.2 – Struts 2.3.33, Struts 2.5 – Struts 2.5.12 |
CVE Identifier | CVE-2017-9805 |
Apache Struts is a free, open-source MVC framework for creating elegant, modern Java web applications. It is primarily used to build complex web applications, and it also allows easy maintainability and is easily extensible. Hence numerous organizations prefer to use this web-application development framework. Furthermore, a quick look at the “PoweredBy Struts” page showcases the popularity of Apache Struts for development. (https://wiki.apache.org/struts/PoweredBy)
The Vulnerability – Apache Struts
Apache Struts suffers from a Remote Code Execution (RCE) vulnerability, which in simpler terms means that, when exploited, the attacker can execute commands on the web server and take complete control of it. Since Struts web applications are Internet facing, the risk of losing control of the server is immense.
The vulnerability is specifically related to the Struts REST plugin when it uses XML for exchanging data between clients and the server. The main functionality of the REST plugin lies in interpreting incoming request URLs according to RESTful rules; it uses serialization to convert data structures or objects into a stream of bytes for ease of storing or transmitting, which can then be reconstructed. It is during this reconstruction, when the XStream handler deserializes the XML request body, that attacker-controlled data is turned back into objects, which can lead to RCE.
Mitigation
Although a patch has been provided for this vulnerability, since it impacts serialization, developers will now have to rebuild and retest their entire applications before deploying them into a production environment. Alternatively, organizations which are using Apache Struts but not the REST plugin should disable the plugin so as to reduce the attack surface.
Vulnerabilities which do not affect the development life-cycle of dependent applications are the easiest to patch, but with this vulnerability that is not the case.
A Metasploit module which exploits this vulnerability has also been made available, which multiplies the risk, as attackers may use it as-is or modify the exploit code to suit their needs.
Read more – eScan Blog