CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks

CVE-2018-11776 RCE in Apache Struts

At the end of August, the maintainers of Apache Struts released security updates for the Apache Struts 2 open-source development framework to address a critical remote code execution (RCE) vulnerability.

The flaw, tracked as CVE-2018-11776, affects Struts versions from 2.3 through 2.3.34, Struts 2.5 through 2.5.16 and possibly unsupported versions of the framework. Struts versions 2.3.35 and 2.5.17 include the security updates to address this problem.

The Struts development team also published a temporary workaround, but it recommends that users not rely on it and instead install the updates as soon as possible.

“Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set,” reads the security advisory published by Apache.

The flaw is easy to exploit. According to the security advisory, the RCE vulnerability can be triggered when the namespace value isn’t set for a result defined in the underlying XML configuration and, at the same time, its upper action configurations have no namespace or a wildcard namespace. The flaw could also be exploited when using a URL tag that doesn’t have value and action set while its upper action configurations have no namespace or a wildcard namespace.

The flaw was discovered on April 10 by the security expert Man Yue Mo from the Semmle Security Research team. Security updates were released on June 25, and on 22 August 2018 the new versions of Struts were released.

“This vulnerability is caused by insufficient (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pierluigi Paganini. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/sYS627UYgz8/