On 22 August 2018, the Apache Struts Project released a critical security patch for a remote code execution (RCE) vulnerability, assigned CVE-2018-11776, which affects the following versions of Apache Struts:
- 2.3 to 2.3.34
- 2.5 to 2.5.16
Upgrade now! tCell users should make sure that command-execution protections are enabled, so that commands cannot be executed on the host operating system.
Apache Struts Details
First reported by Man Yue Mo of Semmle, this vulnerability involves Struts passing unsanitized user data to OGNL, which enables an attacker to craft an RCE. If you feel a sense of deja vu at the words “Struts” and “OGNL,” that isn’t surprising. A similar vulnerability, CVE-2017-5638 (https://nvd.nist.gov/vuln/detail/CVE-2017-5638), led to Equifax’s highly-publicized breach last year.
In fact, the history of OGNL bugs in Apache Struts goes back at least a decade. A quick search on https://www.cvedetails.com/ yields CVE-2008-6504. Over the years, more serious ones were found; a partial list is as follows:
In the case of CVE-2017-5638, the cause was unsanitized input coming from the Content-Type HTTP request header. In the case of CVE-2018-11776, it is Struts mishandling user-controlled data that is then evaluated as an OGNL expression. An application is vulnerable if two conditions hold (from the Semmle blog: https://semmle.com/news/apache-struts-CVE-2018-11776):
- The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
- Your application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”). This applies to actions and namespaces specified in the Struts configuration file (e.g. <package namespace="main">), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.
Other situations where the application can be vulnerable include the following (ibid):
- Redirect action: an action that redirects the visitor to a different URL.
- Action chaining: a method to chain multiple actions into a defined sequence or workflow.
- Postback result: renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.
- Apache Struts supports page templates inside <result> tags in the Struts configuration. The use of url tags in such pages is potentially unsafe if the template is referred to from a package that does not provide a namespace attribute (or specifies a wildcard namespace).
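One way to triage a struts.xml against the two conditions and the result types listed above, as an added example (not code from tCell, Semmle or the Struts project). It assumes the flag is set through the `struts.mapper.alwaysSelectFullNamespace` constant; the sample configuration is constructed, and `audit` and its `convention_plugin` parameter are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Result types the article lists as risky when the namespace is not fixed.
RISKY_RESULTS = {"redirectAction", "chain", "postback"}

# Constructed sample struts.xml, not taken from any real application.
SAMPLE = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="open" extends="struts-default">
    <action name="help" class="demo.Help">
      <result type="redirectAction">index</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="list" class="demo.List"><result>/list.jsp</result></action>
  </package>
  <package name="pinned" namespace="/admin" extends="struts-default">
    <action name="go" class="demo.Go"><result type="chain">home</result></action>
  </package>
</struts>"""


def audit(xml_text, convention_plugin=False):
    """Return (condition_1, findings) for one Struts configuration file."""
    root = ET.fromstring(xml_text)
    # Condition 1: flag set explicitly, or implied by the Convention plugin.
    full_ns = convention_plugin or any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant"))
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns and "*" not in ns:
            continue  # fixed namespace: condition 2 does not apply
        reason = "wildcard namespace" if ns else "no namespace"
        for action in pkg.iter("action"):
            # A <result> without a type uses the default (dispatcher) type.
            risky = sorted({r.get("type") for r in action.iter("result")}
                           & RISKY_RESULTS)
            findings.append((pkg.get("name"), action.get("name"), reason, risky))
    return full_ns, findings


if __name__ == "__main__":
    flag, hits = audit(SAMPLE)
    print("alwaysSelectFullNamespace in effect:", flag)
    for pkg, action, reason, risky in hits:
        print(f"package={pkg} action={action}: {reason}; risky results: {risky or 'none'}")
```

The url-tag case in page templates is outside what this check reads, and actions declared in Java code through the Convention plugin need a separate review.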
How tCell Helps with Apache Struts
tCell focuses in part on preventing entire classes of exploits, known and unknown. In this case, what an attacker will do with this vulnerability is establish control of the system by running a Runtime.exec() call with the desired system command. Through tCell controls, one can monitor all executions of Runtime.exec(), including the arguments. Further, one can whitelist expected commands that tCell has detected, or prevent all executions from happening if desired. Similar protections exist for other languages, such as Ruby and Python, which have their own serialization-based RCEs.
Given the vulnerabilities reported over the years, this is an excellent illustration of the difficulty in ensuring that user-controlled content does not reach evaluating functions unsanitized. Semmle has a powerful approach for finding such vulnerabilities in the code, and such advances in technology are promising. However, there is no silver bullet for these things. Security requires a multi-faceted approach: not only code analysis and testing, but also runtime monitoring and protections such as those provided by tCell.
Check out a webinar we did on RCE to see how we defend against it.
A POC is available here to see examples of exploits: https://github.com/jas502n/St2-057
A description of how the vulnerability was discovered can be found here: https://lgtm.com/blog/apache_struts_CVE-2018-11776
The timeline for this vulnerability is as follows (ibid):
- 10 April 2018: initial private disclosure by Man Yue Mo to the Apache Struts Security Team.
- 25 June 2018: the Apache Struts team published the code change that patches this vulnerability.
- 22 August 2018: new versions of Struts released: 2.3.35 and 2.5.17; public announcements by the Apache Struts team and the Semmle Security Research Team.