Apache Struts Remote Code Execution Vulnerability

A new vulnerability has been discovered by security researches and some people are saying it could be worse than the one that was used in last year’s Equifax hack. The vulnerability resides in the core functionality of Struts, allowing remote code execution when the framework is configured in certain ways. At least 65% of Fortune 500 companies use Struts in at least some of their Web Applications, therefore it is likely to have wide implications for security across the Internet.

All applications that use Apache Struts – supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts version are potentially vulnerable to this flaw, even with no additional plugins enabled. Your Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions:

• The alwaysSelectFullNamespace flag is set to true in the Struts configurations
• Struts configuration file contains an “action” or “url” tag that does not specify the optional namespace attribute or specifies a wildcard namespace.

While the vulnerabilities are real and dangerous, it’s important to note that they require specific configurations to allow an attacker to exploit the vulnerability. It is important that organizations using Struts components upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible.

* There is a weak workaround that can be used before upgrading:

Verify that you have set (and always not forgot to set) namespace (if is applicable) for your all defined results in underlying configurations. Also verify that you have set (and always not forgot to set) value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace.