
This Week in Malware – Special Edition on Protestware and a Struts RCE Deja Vu

This week in malware… err, actually, this week in protestware, let’s call it, and the tale of a two-year-old Struts bug that’s returned.

Sonatype continues to see an ongoing trend of developers voluntarily sabotaging their own projects to stand up for issues of public interest they deem paramount.

1. The Return of Apache Struts RCE

As I reported this week, in 2020 the Apache Struts project patched a remote code execution (RCE) vulnerability tracked as CVE-2020-17530. The vulnerability stemmed from OGNL injection via untrusted input and was assigned a CVSS severity rating of 9.8 (Critical).

Although it was previously believed that the issue was squashed in Struts 2.5.26, security researcher Chris McCown found that the fix was incomplete.

The “double evaluation” of OGNL could still very well take place in versions 2.5.26 and above, leading to the assignment of a new vulnerability identifier: CVE-2021-31805, disclosed by Apache this week.

My colleague and security researcher Ali ElShakankiry traced the new fix for CVE-2021-31805 that went into Apache Struts version 2.5.30:

The newly applied fix prevents double evaluation of OGNL expressions crafted from untrusted user input, therefore preventing RCE.

U.S. CISA is urging everyone to upgrade to Struts 2.5.30 or greater to safeguard themselves against this RCE flaw. Users should additionally avoid using forced OGNL evaluation in the tag’s attributes based on untrusted user input.
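The two pieces of advice above (upgrade to 2.5.30 or later, and stop forcing OGNL evaluation on tag attributes that can carry user input) can both be checked mechanically. The script below is an added example written for this post, not Sonatype's or Apache's code: it flags a `struts2-core` dependency pinned below 2.5.30 in a `pom.xml`, and it lists every `%{...}` forced evaluation inside a Struts tag attribute so those spots can be reviewed. The pom, the `WEAK_JSP` snippet (whose `skillName` is assumed to be populated from a request parameter in a hypothetical action) and the `SAFE_JSP` rewrite are all constructed samples.

```python
"""Constructed audit helpers for the CVE-2021-31805 guidance: (1) flag a
struts2-core dependency below 2.5.30, and (2) surface Struts tag attributes
that use forced OGNL evaluation (%{...}) so they can be reviewed.
Not Sonatype's or Apache's code; the pom and JSP samples are made up."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 5, 30)   # release carrying the complete fix, per Apache/CISA


def parse_version(version: str) -> tuple:
    """'2.5.26' -> (2, 5, 26); trailing qualifiers such as '-SNAPSHOT' are dropped."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _local(tag: str) -> str:
    """Strip the Maven XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def struts_core_versions(pom_xml: str) -> list:
    """Every <version> declared for org.apache.struts:struts2-core in a pom.xml."""
    root = ET.fromstring(pom_xml)
    versions = []
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if (fields.get("groupId") == "org.apache.struts"
                and fields.get("artifactId") == "struts2-core"):
            versions.append(fields.get("version", ""))
    return versions


def classify_version(version: str) -> str:
    """'needs-upgrade' below 2.5.30, 'ok' at or above, 'unresolved' for ${property} refs."""
    if not version or version.startswith("${"):
        return "unresolved"
    return "needs-upgrade" if parse_version(version) < FIXED_VERSION else "ok"


# <s:tag attr="%{expr}" ...> : forced OGNL evaluation inside a Struts tag attribute.
STRUTS_TAG = re.compile(r"<s:(\w+)\b([^>]*)>")
FORCED_ATTR = re.compile(r'(\w+)="(%\{[^"]*\})"')


def forced_ognl_attributes(template: str) -> list:
    """(tag, attribute, expression) for each %{...} in a Struts tag attribute.
    A %{...} result that itself came from request data is what gets evaluated
    a second time, so every hit here is a review item, not necessarily a bug."""
    found = []
    for tag in STRUTS_TAG.finditer(template):
        for attr in FORCED_ATTR.finditer(tag.group(2)):
            found.append((tag.group(1), attr.group(1), attr.group(2)))
    return found


# --- constructed samples -------------------------------------------------
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.26</version>
    </dependency>
  </dependencies>
</project>"""

# Weak form: both attributes are forced through OGNL; 'skillName' is assumed
# (hypothetically) to be set from a request parameter by the action.
WEAK_JSP = '<s:a id="%{skillName}" href="%{url}">List available Employees</s:a>'
# Hardened form: no forced evaluation on attributes that could carry user input;
# the dynamic text is rendered once, escaped, through <s:property>.
SAFE_JSP = ('<s:a id="employee-list" href="/employee/list.action">'
            '<s:property value="skillName"/></s:a>')


def audit(pom_xml: str, template: str) -> dict:
    """Combine the dependency check and the template scan into one report."""
    return {
        "versions": {v: classify_version(v) for v in struts_core_versions(pom_xml)},
        "forced_ognl": forced_ognl_attributes(template),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_POM, WEAK_JSP))
    print(audit(SAMPLE_POM, SAFE_JSP))
```

The template scan is deliberately noisy: it cannot know statically which OGNL results originate from request data, so it reports every forced evaluation and leaves the judgement to a reviewer. Versions written as `${struts.version}` are reported as unresolved rather than guessed, since the real value lives in a `<properties>` block or a parent pom.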

2. Protestware: an ongoing theme

What’s more? Protestware, meaning cases of maintainers behind popular open source projects sabotaging their own software to make a point, continues to ramp up.

Although the left-pad incident of 2016 seemed isolated at the time, 2022 is turning out to be a whole lot different, with self-sabotage incidents repeating themselves. Below are some of these incidents:

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/this-week-in-protestware-and-tale-of-struts-rce