Proof-of-concept code posted on GitHub could allow attackers to easily take advantage of a recently identified vulnerability in the Apache Struts 2 framework. The vulnerability (CVE-2018-11776), identified earlier this week, could allow an adversary to execute code remotely on targeted systems.
On Friday, proof-of-concept code was released on GitHub along with a Python script that allows for easy exploitation, according to Allan Liska, senior security architect with Recorded Future.
“[We have] also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,” he wrote in a post.
The bug, which affects Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16, stems from improper validation of input data. The Apache Software Foundation has patched the vulnerability for all supported versions of Struts 2. Users of Struts 2.3 are advised to upgrade to 2.3.35, and users of Struts 2.5 need to upgrade to 2.5.17.
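As an added example (not code from the article, from Recorded Future or from the Apache project), a small Python check that maps deployed struts2-core jar versions onto the affected ranges and fix releases stated above, so an inventory of library paths can be triaged. The jar naming pattern `struts2-core-<version>.jar` and the sample inventory are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges (inclusive) and the release that closes each, as stated in the article.
AFFECTED = {
    (2, 3): ((2, 3, 0), (2, 3, 34), "2.3.35"),
    (2, 5): ((2, 5, 0), (2, 5, 16), "2.5.17"),
}
# Assumed jar naming: struts2-core-<version>.jar (not taken from the article).
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.16' -> (2, 5, 16); pad to three parts so '2.3' compares as (2, 3, 0)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, upgrade_to) for one Struts 2 version string."""
    v = parse_version(version)
    rng = AFFECTED.get(v[:2])
    if rng is None:
        return False, None  # branch not listed as affected
    low, high, fix = rng
    return (True, fix) if low <= v <= high else (False, None)


def scan_jars(paths: List[str]) -> List[Tuple[str, str, str]]:
    """Return (path, version, upgrade_to) for every affected struts2-core jar found."""
    findings = []
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            vulnerable, fix = assess(m.group(1))
            if vulnerable:
                findings.append((path, m.group(1), fix))
    return findings


# Constructed sample inventory for the demo; not real hosts or deployments.
SAMPLE_PATHS = [
    "/srv/app1/WEB-INF/lib/struts2-core-2.3.34.jar",  # last affected 2.3.x release
    "/srv/app2/WEB-INF/lib/struts2-core-2.5.17.jar",  # fixed release, not reported
    "/srv/app3/WEB-INF/lib/struts2-core-2.5.4.jar",   # inside the affected 2.5 range
    "/srv/app4/WEB-INF/lib/commons-lang3-3.7.jar",    # unrelated jar, ignored
]

if __name__ == "__main__":
    for path, ver, fix in scan_jars(SAMPLE_PATHS):
        print(f"{path}: Struts {ver} affected by CVE-2018-11776; upgrade to {fix}")
```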
Liska said the Apache Struts 2 vulnerability is potentially even more damaging than the similar 2017 Apache Struts bug exploited in the Equifax breach.
“Unlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it; a simple, well-crafted URL is enough to give an attacker access to a victim’s Apache Struts installation, and there is already exploit code on GitHub and underground forums are talking about how to exploit it. The worst part for many large organizations is that they may not even know they are vulnerable, because Struts underpins a number of different systems, including Oracle and Palo Alto,” Liska said.
The fact that a patch is available should be cold comfort to companies potentially affected by the flaw.
“The Equifax breach happened not because the vulnerability wasn’t fixed, but because Equifax hadn’t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn’t had the time to update their software will now be at even greater risk,” said Oege de Moor, chief executive officer at Semmle.
De Moor said Semmle is not confirming whether the reported PoC is functional.
“If it is [functioning], attackers now have a quicker way into the enterprise,” de Moor wrote in a prepared statement Friday. “There is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can’t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure.”