Published on Friday, 14 July 2017 16:33
Apache Struts is a popular, free, open-source web application framework for developing Java web applications. Struts is well-known for its extensible "plug-in" architecture.
On 9th July 2017, the Apache Software Foundation announced that a high-risk security vulnerability (S2-048) was discovered in its Apache Struts project, which allows possible remote code execution (RCE) in Struts 2.3.x with Struts 1 plugin and Struts 1 action.
An attacker can perform an RCE attack on an Apache Struts web application server when the Struts 2 in Struts 1 Plug-in is enabled by crafting malicious field values as a part of the error message in the ActionMessage class. Details of the vulnerability is explained in CVE-2017-9791 (see links below). Associated proof of concept exploit code has been observed and posted online at hacker forums, thus many unpatched Internet-facing Apache Struts web application servers are at risk.
Web application servers using the following Apache Struts 2.3.x versions are affected:
System administrators are strongly advised to upgrade the affected Apache Struts versions immediately to the patched release most closely related to the current version.
- Disable the Struts 2 in Struts 1 Plug-in if it is not necessary. Move the struts2-struts1-plugin-2.3.x.jar file from the “/ WEB-INF / lib” directory to another folder or delete it.
- Always use resource keys instead of passing a raw message to the Action Message as shown below and never pass a raw value directly.
For example, like this:
|messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));
And never like this:
|messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));