The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.
All web applications using the framework’s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.
“This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,” the company wrote in a technical write-up on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).
“This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,” said Oege de Moor, CEO and founder of Semmle.
Affected developers are urged to upgrade to Apache Struts version 2.5.13.
The ASF said there is no workaround available for the vulnerability (CVE-2017-9805) in Struts, an open-source framework for developing web applications in the Java programming language.
“The best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to serve normal pages and JSONs only,” the ASF wrote in a security bulletin issued Tuesday.
Semmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.
“Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,” Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.
Multiple similar vulnerabilities have been reported tied to Struts. Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.
In March, public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability (CVE-2017-5638) in the Struts 2 web application framework was patched and proof-of-concept exploit code was introduced into Metasploit.
Semmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the process of taking structured data in one format and rebuilding it into an object. The process can be abused for malicious ends and has been used in a host of attack scenarios, including denial-of-service, access control and remote code execution attacks.
The remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.
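The following is an added illustration, not code from the article, Semmle or the Struts project, of the difference between an XStream instance that instantiates whatever class untrusted XML names and one restricted to an application allowlist, which is the kind of restriction the 2.5.13 fix introduces. The `Order` class and the request bodies are constructed for the example; the `addPermission`, `allowTypes` and `fromXML` calls are XStream's own API (XStream 1.4.7 or later).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical model type the REST endpoint expects in a request body.
    public static class Order {
        public String sku;
        public int quantity;
    }

    // Constructed request bodies: one of the expected type, one naming a class the endpoint never expects.
    static final String EXPECTED_XML = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
    static final String UNEXPECTED_XML = "<java.util.HashMap/>";

    // Unrestricted instance: on XStream 1.4.x releases before 1.4.18 (the era of this advisory)
    // it instantiates any class the XML names, which is the root of the deserialization risk.
    static XStream unrestricted() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    // Hardened instance: deny every type first, then re-allow only null, primitives,
    // String and the application's own model classes.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[]{String.class, Order.class});
        return xs;
    }

    // True when the parser refuses the unexpected type (the allowlist throws a
    // ForbiddenClassException, a subclass of XStreamException), false when it instantiates it.
    static boolean rejectsUnexpectedType(XStream xs) {
        try {
            xs.fromXML(UNEXPECTED_XML);
            return false;
        } catch (XStreamException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Order order = (Order) allowlisted().fromXML(EXPECTED_XML);
        System.out.println("allowlisted parses expected type: " + order.sku + " x" + order.quantity);
        System.out.println("unrestricted rejects unexpected type: " + rejectsUnexpectedType(unrestricted()));
        System.out.println("allowlisted rejects unexpected type: " + rejectsUnexpectedType(allowlisted()));
    }
}
```

Compile and run with the XStream jar on the classpath; the allowlisted instance still reads the expected `Order` but refuses the `HashMap`, while the unrestricted one accepts both.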
“Lgtm (Semmle’s open-source code analysis tool) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection,” Semmle said in a second technical analysis of the vulnerability posted Tuesday.
Data contained in one of the arguments (toObject) should be considered “tainted” and “under the control of a remote user and should not be trusted.” This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. “However, some projects use a slightly different approach to receive remote user input,” they said.
Semmle said it has developed a “simple” working exploit for this vulnerability but currently has no plans to disclose it.
“There is no suggestion that an exploit is publicly available, but it is likely that one will soon be,” van Schaik wrote in a blog post.