Buckle Up! Critical Flaw in Apache Struts Puts Web Applications at Risk

Cyber security researchers have discovered a vulnerability in the Apache Struts REST plugin that exposes thousands of web applications to potential cyber attack. Apache Struts is a popular open source framework embedded in many Java applications widely-used by companies of all sizes, making it a popular target for attackers when a vulnerability is discovered.

Oege de Moor, CEO and founder of Semmle (the company behind Igtm – which discovered this new vulnerability), proclaimed, “This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises.”

Alert Logic has confirmed this flaw, developed a working exploit, and is releasing scanning and attack detection coverage as this post was being written. 

You may recall that there was a critical Apache Struts vulnerability just a few months ago as well. Let’s take a look at how this new flaw works, how it could impact you, and what you can do about it.

How Does the Apache Struts XStream Remote Code Execution Flaw Work?

A critical vulnerability was discovered within the Apache Struts RESTful API implementation. The flaw, dubbed “Apache Struts XStream Remote Code Execution,” can potentially enable an attacker to remotely compromise a vulnerable system or take full control of it.

To exploit this vulnerability, an attacker would embed an OS command within a crafted XML Request, which is sent to a listening Apache Struts RESTful API application.  Due to a lack of input sanitization, the XML payload is passed to a deserialize function, which will evaluate and execute the crafted, embedded Java process chain to successfully execute the OS commands. The attacker would not have direct command output response from the target, but an attacker can leverage the vulnerability with relative ease to create secondary access to a target, such as a reverse shell, for further compromise.

There is no authorization required to exploit the vulnerability, so there is no need for the attacker to obtain or compromise credentials. In a nutshell, this flaw is relatively easy to exploit for an attacker that know’s what he or she is doing.

How Does the Apache Struts Vulnerability Affect Me?

If you are running Apache Struts versions 2.1.2 through 2.3.33 or Apache Struts versions 2.5 through 2.5.12 and utilizing the RESTful API plugin, you are at risk.

There are no reports currently of this new Apache Struts vulnerability being exploited in the wild. However, POC (proof of concept) exploits have surfaced, so it’s just a matter of time until attackers begin to take advantage of this flaw to compromise systems.

What Should I Do to Protect My Web Servers from the Apache Struts Vulnerability?

The recommended course of action is to patch or update. Upgrading to version 2.3.34 or 2.5.13 will resolve this issue.

If there is some reason you can’t upgrade to a patched version of Apache Struts, the recommended workaround is to remove the Struts REST plugin when not used. Apache Struts also suggests that you can upgrade only the REST plugin, or limit the scope of functionality of the plugin to only serve xhtml or JSON responses. You can check here for further guidance.

About the Author

Tony Bradley - Senior Manager of Content Marketing for Alert Logic

Tony Bradley

Tony Bradley is Senior Manager of Content Marketing for Alert Logic. Tony worked in the trenches as a network administrator and security consultant before shifting to the marketing and writing side of things. He is an 11-time Microsoft MVP in security and cloud and has been a CISSP-ISSAP since 2002. Tony has authored or co-authored a dozen books on IT and IT security topics, and is a prolific contributor to online media sites such as Forbes and DevOps.com. He has established a reputation for effective content marketing, and building and engaging a community and social media audience.

Connect | Email Me | More Posts by Tony Bradley