CVE-2018-11776: New Critical Struts Flaw Could Be Worse than Equifax

A new vulnerability has been uncovered – the kind that could turn out worse than the one that triggered the Equifax breach. The vulnerability has been identified as CVE-2018-11776 and resides in the core functionality of Apache Struts. It is a remote code execution vulnerability that affects all supported versions of Apache Struts 2.

Last year’s Equifax breach also involved a security flaw in Apache Struts, so the discovery of an even more dangerous loophole is quite alarming. The new vulnerability, CVE-2018-11776, is located in the open source Web framework, and according to security experts it could surpass the damage we witnessed in 2017.

CVE-2018-11776 Technical Overview

This latest Struts vulnerability was discovered by researcher Man Yue Mo who is part of the Semmle research team. CVE-2018-11776 resides in the core functionality of Struts, and it could allow remote code execution when the framework is configured in specific ways.

According to Glen Pendley, deputy CTO at Tenable, the vulnerability does not stem from the configuration itself; rather, when the system is configured in a certain way, attackers can exploit the flaw in Struts.

As explained by Semmle:

This new remote code execution vulnerability affects all supported versions of Apache Struts 2. A patched version has been released today. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. The vulnerability is located in the core of Apache Struts. All applications that use Struts are potentially vulnerable, even when no additional plugins have been enabled.
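As an added example (not code from the original post or from the Apache Struts project), a small triage script that classifies struts2-core jar filenames against the fixed releases named in the advisory above, 2.3.35 for the 2.3 line and 2.5.17 for the 2.5 line; the jar-name pattern and the sample WEB-INF/lib listing are constructed assumptions.

```python
"""Triage helper for CVE-2018-11776: flag struts2-core jars older than the
fixed releases named in the advisory (2.3.35 for 2.3.x, 2.5.17 for 2.5.x).
Added example; not code from the original article or from Apache Struts."""
import os
import re
from typing import List, Optional, Tuple

# Fixed version per supported branch, as stated in the quoted advisory.
FIXED_BY_BRANCH = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Assumed jar naming, e.g. struts2-core-2.5.16.jar or struts2-core-2.3.34.1.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.34.1' into (2, 3, 34, 1) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if this struts2-core version predates the fix for its branch,
    False if it is at or past the fix, None for a branch the advisory does
    not list a fix for (e.g. long-unsupported 2.1/2.2 releases)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def scan_jar_names(names: List[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """Classify jar paths (e.g. a WEB-INF/lib listing); non-Struts jars are skipped."""
    results = []
    for name in names:
        m = JAR_RE.search(os.path.basename(name))
        if m:
            results.append((name, m.group(1), is_vulnerable(m.group(1))))
    return results


if __name__ == "__main__":
    # Constructed sample listing; on a real host feed it os.listdir() of WEB-INF/lib.
    sample = ["app/WEB-INF/lib/struts2-core-2.5.16.jar",
              "app/WEB-INF/lib/struts2-core-2.3.35.jar",
              "legacy/WEB-INF/lib/struts2-core-2.1.8.1.jar",
              "app/WEB-INF/lib/commons-lang3-3.7.jar"]
    for path, ver, vuln in scan_jar_names(sample):
        status = {True: "UPGRADE", False: "fixed", None: "unsupported branch"}[vuln]
        print(f"{status:18} {ver:10} {path}")
```

A result of None means the jar is on a branch the advisory gives no patched version for, which is a reason to upgrade rather than a clean bill of health.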

Semmle’s Security Research Team estimated that at least 65% of Fortune 500 companies use Struts in some of their web applications, meaning that the flaw could have wide implications across the Internet.

What is worse is that it turns out that the part of (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Milena Dimitrova. Read the original post at: