Struts 2 Remote Code Execution Vulnerability (S2-057)

Max Pan Lv2Posted 24 Aug 2018 18:59

Apache Wiki recently exposed CVE-2018-11776, a new high-risk remote code execution vulnerability in Struts 2.

What is Apache Struts 2?
Apache Struts 2 is one of the most popular open-source web application frameworks used to develop Java EE web applications. At the core of Struts 2 is WebWork which intercepts user requests and functions as a controller to establish data interaction between model and views. It uses and extends the Java Servlet API to encourage developers to adopt a MVC architecture.

If the value of namespace is not specified when struts-actionchaining.xml is configured and upper action(s) have no namespace or wildcard namespace, remote code execution may occur.
Likewise, if values and actions are not specified when struts-actionchaining.xml is configured and upper action(s) have no namespace wildcard namespace, remote code execution may occur.
Globally, there are over 6,343 Struts 2-based assets available on the Internet.

Vulnerability Reproduction
This introduction above may be a little overly-technical. To offer you an intuitive view of the vulnerability and attack process we have reproduced the vulnerability below.

Version of Struts 2 is between 2.3 and 2.3.34 or between 2.5 and 2.5.16.
Struts-actionchaining.xml is not configured with value of namespace but redirection is configured
We did the following test in a Struts 2 environment with this vulnerability:

The vulnerability may be exploited by constructing an OGNL expression in URL with attributes of name in action tag and ending with action, as shown below:

The OGNL expression is executed after the address is visited, as shown below:

Affected Versions
•    Struts 2.3 - Struts 2.3.34
•    Struts 2.5 - Struts 2.5.16
•    Other unsupported Struts versions.

Remediation Solution
Download or upgrade to the latest Apache patched version (2.3.35 or 2.5.17) by connecting to:
This is a temporary weak workaround that verifies namespace in all XML configurations if upper action(s) have no namespace or wildcard namespace set and verifies in JSP the value and action in all URL tags.
Link: Apache Wiki

Sangfor’s Solution
Sangfor NGAF 8.0.5 integrates a Next Generation WAF engine, which uses systematic analysis approach which can detect all Struts 2 v ulnerabilities and future variants if the WAF policy is enabled properly.
For Sangfor NGAF customers with version older than 8.0.5, please make sure your WAF signature database is above 20171008, and WAF policy in enabled properly.

Like this topic? Like it or reward the author.

Creating a topic earns you 5 coins. A featured or excellent topic earns you more coins. What is Coin?

Enter your mobile phone number and company name for better service. Go

Trending Topics

Board Leaders