Have you deployed security updates yet? Are you vulnerable to the recent threat?
Apache Struts is a popular open-source Java web application framework used to build many enterprise web applications worldwide. On August 22, 2018, the Apache Software Foundation released a critical security update (security bulletin S2-057) for CVE-2018-11776, a remote code execution vulnerability affecting Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16, and urged everyone to apply it as soon as possible. The vulnerability allows remote code execution on a server running a vulnerable version of Struts. The attack vector is a specially crafted URL sent to the vulnerable system, so in most cases no authentication is required to exploit it. A successful attack runs code with the privileges of the account under which the servlet container hosting Struts runs; depending on how that account is provisioned, this can amount to a total compromise of the host.
Impact of Vulnerability
An attacker can achieve remote code execution under either of two configurations:
- a result is defined in the underlying configuration (struts.xml) without a namespace, and the action(s) above it have no namespace or a wildcard namespace; or
- a JSP uses the url tag without setting either its value or its action attribute, and the action(s) above it have no namespace or a wildcard namespace.
Versions 2.3.35 and 2.5.17 contain only the security fixes, nothing more, and no backward-incompatible changes are expected.
Affected versions:
- Apache Struts 2.3 – Struts 2.3.34
- Apache Struts 2.5 – Struts 2.5.16
***Note that unsupported Struts versions may also be affected.
The Monetary Authority of Singapore (MAS) recently released an advisory in relation to reports of this new vulnerability in the Apache Struts framework. The vulnerability was reportedly caused by a flaw in the validation of user-provided input when it is passed to the Apache Struts framework. The Singapore Computer Emergency Response Team (SingCERT) has also issued an advisory on the vulnerability.
Financial Institutions (FIs) may refer to the following link for further information: https://www.csa.gov.sg/singcert/news/advisories-alerts/alert-on-critical-apache-struts-2-remote-code-execution-vulnerability-cve-2018-11776. FIs may also wish to consider and follow the recommendations provided in the SingCERT advisory.
MAS Guidance and Recommendations
System administrators and website owners running affected Apache Struts software should upgrade to Apache Struts 2.3.35 or 2.5.17 immediately, as proof-of-concept exploit code has been posted online and is being actively used by attackers to compromise vulnerable websites.
FINANCIAL INSTITUTIONS should take the following actions in a timely manner if the affected software is deployed in their IT environment:
- Apply the patch or upgrade expeditiously after performing impact analysis and testing;
- Review and monitor the network for suspicious activities; and
- Should there be a compromise, FIs should assess the extent of the damage and report the incident to MAS using the incident reporting template.
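The recommendation to monitor for suspicious activity is easiest to act on if you know what the crafted URL looks like in your own logs. Public exploitation of this flaw places an OGNL expression in the request path, where Struts would otherwise read the action namespace. The script below is an added example, not code from the advisory, MAS or Apache: it parses combined-format access log lines (constructed here, not real traffic) and flags requests whose decoded path contains an OGNL expression opener. The log format, field names and sample addresses are assumptions for the demonstration.

```python
"""Access-log check for requests shaped like CVE-2018-11776 abuse.

Added example (not code from the advisory, MAS or Apache). The flaw is
reached through a crafted URL whose *path* carries an OGNL expression
where the action namespace would normally sit, so this scans the request
path of combined-format access log lines for OGNL expression openers
("${" or "%{"), raw or percent-encoded. Log lines are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Combined log format; only client, method, target and status are used.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# OGNL expression openers as they appear after percent-decoding.
OGNL_OPENER = re.compile(r"[$%]\{")

# Constructed sample traffic: one normal request, two namespace-injection
# probes (one percent-encoded, one raw) and one with OGNL only in the query.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Aug/2018:10:01:02 +0000] "GET /demo/index.action HTTP/1.1" 200 512
203.0.113.7 - - [23/Aug/2018:10:01:03 +0000] "GET /%24%7B%28111%2B111%29%7D/index.action HTTP/1.1" 302 0
198.51.100.9 - - [23/Aug/2018:10:02:11 +0000] "GET /search.action?q=%24%7Bfoo%7D HTTP/1.1" 200 2048
198.51.100.9 - - [23/Aug/2018:10:02:12 +0000] "GET /${(222+222)}/home.action HTTP/1.1" 302 0
"""


def decode_path(target: str) -> str:
    """Return the request path, percent-decoded twice.

    Decoding twice catches double-encoded probes (%2524%257B -> %24%7B -> ${)
    that a single-pass filter would miss; decoding an already-clean path
    again is harmless.
    """
    path = urlsplit(target).path
    for _ in range(2):
        path = unquote(path)
    return path


def path_has_ognl(target: str) -> bool:
    """True if the path component contains an OGNL expression opener.

    The query string is deliberately ignored: the namespace injection this
    advisory covers lives in the path, and flagging every "${" in a query
    would bury the result in unrelated noise.
    """
    return OGNL_OPENER.search(decode_path(target)) is not None


def find_suspicious_requests(log_text: str):
    """Return (client, method, decoded_path, status) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None or not path_has_ognl(m["target"]):
            continue
        hits.append((m["client"], m["method"], decode_path(m["target"]), m["status"]))
    return hits


if __name__ == "__main__":
    for client, method, path, status in find_suspicious_requests(SAMPLE_LOG):
        print(f"{client} {method} {path} -> {status}")
```

Feed it a real access log by reading the file into `find_suspicious_requests`. A hit with a 302 response is worth a closer look: the vulnerable result types redirect, so a successful probe often shows up as a redirect to a path that contains the evaluated expression. A hit that does not match the `${` or `%{` shape is not proof of safety either; treat this as a triage filter, not a complete detection.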
What is the next step?
Apache states that upgrading to Struts 2.3.35 or 2.5.17 fixes the vulnerability. Apache recommends that users, "Verify that you have set (and never forget to set) namespace (if applicable) for all your defined results in underlying configurations. Also verify that you have set (and never forget to set) value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace."
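The two preconditions described under "Impact of Vulnerability" and restated in Apache's recommendation above are mechanical enough to check with a script. The following is an added example, not Apache's code and not part of the advisory: it flags a pre-fix Struts version, struts.xml results of type redirectAction or chain that lack a namespace param inside a package with no or wildcard namespace, and JSP url tags with neither value nor action. Narrowing the result check to redirectAction and chain is my own choice (those are the result types that build a target URL from the namespace); the sample struts.xml and JSP are constructed, and the vulnerable sample is shown beside its corrected form.

```python
"""Static checks for the CVE-2018-11776 preconditions named in the advisory.

Added example (not Apache's code and not part of the advisory). It flags:
  1. a Struts version that predates the fix (2.3.35 / 2.5.17);
  2. in struts.xml, a redirectAction or chain result with no namespace
     param inside a package whose namespace is unset or a wildcard;
  3. in a JSP, an <s:url> tag that sets neither value= nor action=.
Restricting check 2 to redirectAction/chain is a narrowing of the
advisory's wording, chosen here because those result types compute a
target URL from the namespace. Sample files below are constructed.
"""
import re
import xml.etree.ElementTree as ET

FORWARDING_RESULT_TYPES = {"redirectAction", "chain"}

# Constructed struts.xml: wildcard package namespace plus a redirectAction
# result that never states its own namespace -> precondition 2 holds.
VULNERABLE_STRUTS_XML = """<struts>
  <package name="demo" extends="struts-default" namespace="/*">
    <action name="index">
      <result type="redirectAction">home</result>
    </action>
    <action name="home">
      <result>/WEB-INF/home.jsp</result>
    </action>
  </package>
</struts>
"""

# Same layout with the namespace set explicitly on the result, as the
# advisory recommends; the wildcard package alone no longer qualifies.
FIXED_STRUTS_XML = VULNERABLE_STRUTS_XML.replace(
    '<result type="redirectAction">home</result>',
    '<result type="redirectAction">\n'
    '        <param name="actionName">home</param>\n'
    '        <param name="namespace">/demo</param>\n'
    '      </result>',
)

# Constructed JSP: line 4 uses <s:url> with neither value nor action.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<a href="<s:url action="home" />">home</a>
<a href="<s:url value="/static/help.html" />">help</a>
<a href="<s:url includeParams="get" />">current page</a>
"""


def is_vulnerable_version(version: str) -> bool:
    """True if a plain dotted release number predates the fix on its branch.

    Anything below 2.3.35 is flagged, which deliberately includes the
    unsupported pre-2.3 branches the advisory says "may also be affected".
    """
    v = tuple(int(p) for p in version.split("."))
    return v < (2, 3, 35) or (2, 5, 0) <= v < (2, 5, 17)


def find_risky_results(struts_xml: str):
    """Return (package_namespace, action, result) triples matching check 2."""
    findings = []
    for pkg in ET.fromstring(struts_xml).iter("package"):
        ns = pkg.get("namespace")
        # An absent or empty namespace counts as "no namespace"; a "*"
        # anywhere makes it a wildcard. Only those packages are in scope.
        if ns and "*" not in ns:
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in FORWARDING_RESULT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip()
                          for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append((ns, action.get("name"),
                                     result.get("name") or "success"))
    return findings


URL_TAG = re.compile(r"<s:url\b([^>]*)>", re.IGNORECASE)
VALUE_OR_ACTION = re.compile(r"\b(?:value|action)\s*=")


def find_risky_url_tags(jsp: str):
    """Return 1-based line numbers of <s:url> tags lacking value and action."""
    return [jsp.count("\n", 0, m.start()) + 1
            for m in URL_TAG.finditer(jsp)
            if not VALUE_OR_ACTION.search(m.group(1))]


if __name__ == "__main__":
    print("2.5.16 vulnerable:", is_vulnerable_version("2.5.16"))
    print("risky results:", find_risky_results(VULNERABLE_STRUTS_XML))
    print("after fix:", find_risky_results(FIXED_STRUTS_XML))
    print("risky <s:url> lines:", find_risky_url_tags(SAMPLE_JSP))
```

Run it against your own struts.xml and JSP sources (read the files into the three functions). A clean scan is a reason to schedule the upgrade with less urgency, not a reason to skip it: the configuration checks only cover the conditions Apache listed, and the supported fix remains moving to 2.3.35 or 2.5.17. Public analyses of the flaw also single out the `struts.mapper.alwaysSelectFullNamespace` constant being set to true as what lets the namespace be taken from the URL; the advisory quoted here does not mention it, so the scanner does not depend on it, but it is worth reviewing in struts.xml alongside the results.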
You may be at risk if your site uses Apache's Struts 2 framework, including sites that pull in content from third-party sites that run Struts applications. If you use Struts 2 for any part of your web presence and want to know more, Apache has published the details of the vulnerability. Since even mid-sized organizations must remediate thousands of vulnerabilities per month, it is not surprising that application security teams take so long to validate and patch flaws; as a result, many organizations rely on multiple tools to produce the vulnerability assessment data they need.
To mitigate the risks associated with third-party server-side vulnerabilities, organizations should ensure that security updates are applied regularly. Think Security. Think Ahead.