[SingCERT] Alert on Apache Struts2 Remote Code Execution Vulnerability

Published on Friday, 14 July 2017 16:33

Background
Apache Struts is a popular, free, open-source web application framework for developing Java web applications. Struts is well-known for its extensible "plug-in" architecture.

On 9th July 2017, the Apache Software Foundation announced a high-risk security vulnerability (S2-048) in its Apache Struts project that can allow remote code execution (RCE) in Struts 2.3.x when the Struts 1 plugin is used together with a Struts 1 action.

Impact
An attacker can achieve RCE on an Apache Struts web application server that has the Struts 2 in Struts 1 Plug-in enabled by submitting crafted field values that the application then passes into an error message built with the ActionMessage class. Details of the vulnerability are given in CVE-2017-9791 (see links below). Proof-of-concept exploit code has been observed posted online on hacker forums, so many unpatched Internet-facing Apache Struts web application servers are at risk.

Affected Versions
Web application servers using the following Apache Struts 2.3.x versions are affected:

  • 2.3.32
  • 2.3.31
  • 2.3.30
  • 2.3.29
  • 2.3.28
  • 2.3.24
  • 2.3.20
  • 2.3.16
  • 2.3.15
  • 2.3.8
  • 2.3.7
  • 2.3.5
  • 2.3.1

Recommendations
System administrators are strongly advised to upgrade affected Apache Struts installations immediately to the patched release closest to the version currently deployed.

Other Workarounds

  • Disable the Struts 2 in Struts 1 Plug-in if it is not necessary. Move the struts2-struts1-plugin-2.3.x.jar file out of the "/WEB-INF/lib" directory to another folder, or delete it.
  • Always pass a resource key to ActionMessage, as shown below, and never pass a raw message value (in particular one built from user-supplied input) directly.

For example, like this:

messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));

And never like this:

messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));
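The two workarounds above are both things a defender can audit for across many deployments. The script below is an added example, not part of the SingCERT advisory or of the Apache Struts project: it checks a WEB-INF/lib file listing for the struts2-struts1-plugin jar and compares its version against the affected versions listed in this advisory, and it scans Java source for new ActionMessage(...) calls whose first argument is not a plain string literal (that is, a concatenated or variable message rather than a resource key). The jar names and the Java snippet embedded in it are constructed sample input; the function names are this example's own, not a Struts API. The source scan is deliberately conservative: a variable passed as the key is flagged even if it happens to hold a constant, and only single-line calls are handled.

```python
import os
import re

# Struts 2.3.x versions listed as affected in the advisory above.
AFFECTED_VERSIONS = {
    "2.3.32", "2.3.31", "2.3.30", "2.3.29", "2.3.28", "2.3.24",
    "2.3.20", "2.3.16", "2.3.15", "2.3.8", "2.3.7", "2.3.5", "2.3.1",
}

# File name of the Struts 2 in Struts 1 Plug-in jar, e.g. struts2-struts1-plugin-2.3.32.jar;
# the captured group is the version that is compared with AFFECTED_VERSIONS.
PLUGIN_JAR_RE = re.compile(r"^struts2-struts1-plugin-(\d+\.\d+\.\d+)\.jar$")


def find_plugin_jars(jar_names):
    """Return (name, version, listed_as_affected) for every plug-in jar in a WEB-INF/lib listing.

    A version that is not in the advisory's list is reported as False; that only means
    it is not listed here, so the deployed version should still be checked against the
    patched release.
    """
    hits = []
    for name in jar_names:
        m = PLUGIN_JAR_RE.match(os.path.basename(name))
        if m:
            version = m.group(1)
            hits.append((name, version, version in AFFECTED_VERSIONS))
    return hits


ACTION_MESSAGE_RE = re.compile(r"new\s+ActionMessage\s*\(")
# A complete Java string literal and nothing else, i.e. a fixed resource key.
STRING_LITERAL_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')


def first_argument(text_after_paren):
    """Return the first argument of a call, given the text that follows its opening '('.

    Tracks string literals and nested parentheses so that commas inside "..." or
    inside getName() do not end the argument early.
    """
    depth = 0
    in_str = False
    i = 0
    while i < len(text_after_paren):
        c = text_after_paren[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            if depth == 0:
                return text_after_paren[:i].strip()
            depth -= 1
        elif c == "," and depth == 0:
            return text_after_paren[:i].strip()
        i += 1
    return text_after_paren.strip()


def find_raw_action_messages(java_source):
    """Return (line number, first argument) for each new ActionMessage(...) call whose
    first argument is not a plain string literal resource key."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for m in ACTION_MESSAGE_RE.finditer(line):
            arg = first_argument(line[m.end():])
            if not STRING_LITERAL_RE.match(arg):
                findings.append((lineno, arg))
    return findings


# Constructed sample inputs (not taken from any real deployment or project).
SAMPLE_LIB_LISTING = [
    "WEB-INF/lib/struts2-core-2.3.32.jar",
    "WEB-INF/lib/struts2-struts1-plugin-2.3.32.jar",
]

SAMPLE_JAVA = """\
// constructed sample action, not from any real project
public ActionForward execute(ActionMapping mapping, ActionForm form) {
    messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));
    messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));
    messages.add("msg", new ActionMessage(userSuppliedText));
    return mapping.findForward("success");
}
"""

if __name__ == "__main__":
    for name, version, affected in find_plugin_jars(SAMPLE_LIB_LISTING):
        print(f"{name}: version {version}, listed as affected: {affected}")
    for lineno, arg in find_raw_action_messages(SAMPLE_JAVA):
        print(f"line {lineno}: ActionMessage built from non-literal key: {arg}")
```

Run against a real exploded WAR by feeding os.listdir of its WEB-INF/lib directory to find_plugin_jars and the contents of each .java file to find_raw_action_messages. Of the three ActionMessage lines in the sample, only the resource-key form from the advisory passes; the concatenated message and the bare variable are reported.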

References
Announcement: http://struts.apache.org/announce.html#a20170707
CVE-2017-9791: http://struts.apache.org/docs/s2-048.html