A new critical vulnerability has been discovered in Apache Struts 2. A potential remote code execution (RCE) has been found in some configurations of applications based on Apache Struts 2, but not all Struts 2 applications will currently be exploitable. Unlike the last Struts 2 exploit, at the time of writing this vulnerability is not known to be exploited in the wild.
The Semmle Security Research Team that discovered the vulnerability says it has identified two different vectors but warns there may be others. The two known attack vectors are:
- The “alwaysSelectFullNamespace” flag is set to true in the Struts configuration – this is going to be a default with most configurations.
- Your application’s Struts configuration file contains an <action …> tag that does not specify the optional namespace attribute or specifies a wildcard namespace (e.g. ‘/*’) – again a pretty common occurrence.
Since it can be exploited remotely, and since Struts is typically used to build applications exposed on the public internet, attackers are going to be especially focused on exploiting it to gain access to corporate networks.
Is my organization vulnerable?
SureCloud vulnerability scanning customers can detect this vulnerability now by running scans from the SureCloud platform.
If you are running a web application based on Apache Struts 2, have not applied the relevant patches, and either of the following applies, you are currently vulnerable:
- Your application is using results with no namespace and, at the same time, its upper action(s) have no or a wildcard namespace. [1]
- Your application is using a url tag which has no value and action set and, at the same time, its upper action(s) have no or a wildcard namespace. [2]
It is believed that more exploitation routes may be discovered for this bug.
Remediation
Whilst a temporary workaround is possible through configuration updates, the simplest and most complete solution is to update immediately to Apache Struts version 2.3.35 or 2.5.17.
Please be aware that the configuration updates will only fix the known exploitation routes and more routes are believed to exist but have yet to be discovered.
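The following script is an added example, not part of the original advisory and not a SureCloud or Apache tool. It audits a struts.xml for the configuration conditions described above (the alwaysSelectFullNamespace flag, actions under a missing or wildcard namespace, and redirectAction/chain results that do not set their own namespace) so that a defender can check the workaround has been applied while waiting for the version upgrade. The two embedded struts.xml documents are constructed samples: one with the risky settings and one with the configuration workaround applied. The constant name struts.mapper.alwaysSelectFullNamespace is the struts.xml spelling of the flag named in the advisory; the url-tag condition lives in JSP pages rather than struts.xml and is not covered here.

```python
"""Audit a struts.xml for the namespace-related conditions named in the advisory."""
import xml.etree.ElementTree as ET

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"
WILDCARD_NAMESPACES = {"/*", "*"}
# Result types that resolve another action and therefore inherit the namespace
NAMESPACE_DEPENDENT_RESULTS = {"redirectAction", "chain"}


def _is_unsafe_namespace(ns):
    """True when the namespace is absent, empty, or a wildcard such as /*."""
    return ns is None or ns.strip() == "" or ns.strip() in WILDCARD_NAMESPACES


def _has_namespace_param(result):
    """True when a <result> carries a non-empty <param name="namespace">."""
    return any(p.get("name") == "namespace" and (p.text or "").strip()
               for p in result.findall("param"))


def audit_struts_config(xml_text):
    """Return a summary dict of the risky settings found in one struts.xml."""
    root = ET.fromstring(xml_text)
    full_namespace = any(
        c.get("name") == FULL_NS_CONSTANT
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant"))
    unsafe_actions = []
    namespace_less_results = []
    for pkg in root.iter("package"):
        pkg_name = pkg.get("name", "?")
        pkg_ns = pkg.get("namespace")
        for action in pkg.findall("action"):
            act_name = action.get("name", "?")
            # In struts.xml the namespace normally lives on <package>; an
            # explicit attribute on <action>, if present, takes precedence.
            act_ns = action.get("namespace", pkg_ns)
            if not _is_unsafe_namespace(act_ns):
                continue
            unsafe_actions.append(f"{pkg_name}/{act_name}")
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")
                if rtype in NAMESPACE_DEPENDENT_RESULTS and not _has_namespace_param(result):
                    rname = result.get("name", "success")
                    namespace_less_results.append(f"{pkg_name}/{act_name}:{rname}")
    exposed = (full_namespace and bool(unsafe_actions)) or bool(namespace_less_results)
    return {
        "full_namespace": full_namespace,
        "unsafe_actions": unsafe_actions,
        "namespace_less_results": namespace_less_results,
        "exposed": exposed,
    }


# Constructed sample: flag enabled, no/wildcard namespaces, redirectAction
# result without an explicit namespace.
VULNERABLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result name="success">/WEB-INF/index.jsp</result>
      <result name="redirect" type="redirectAction">
        <param name="actionName">register</param>
      </result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="help" class="com.example.HelpAction">
      <result>/WEB-INF/help.jsp</result>
    </action>
  </package>
</struts>"""

# Constructed sample with the configuration workaround applied: flag off,
# explicit namespaces everywhere, redirectAction result names its namespace.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result name="success">/WEB-INF/index.jsp</result>
      <result name="redirect" type="redirectAction">
        <param name="actionName">register</param>
        <param name="namespace">/</param>
      </result>
    </action>
  </package>
  <package name="help" namespace="/help" extends="struts-default">
    <action name="help" class="com.example.HelpAction">
      <result>/WEB-INF/help.jsp</result>
    </action>
  </package>
</struts>"""


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        print(label, audit_struts_config(doc))
```

Run it against a real deployment by reading each struts.xml (and any included configuration files) into `audit_struts_config`; an empty `unsafe_actions` list and a false `full_namespace` correspond to the configuration workaround, but as the advisory notes, only upgrading to a fixed version covers exploitation routes that have not yet been published.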