[BreachExchange] Critical Apache Struts flaw just waiting to be exploited; PoC reported in the wild

Destry Winant destry at riskbasedsecurity.com
Tue Aug 28 00:24:20 EDT 2018


https://securityboulevard.com/2018/08/critical-apache-struts-flaw-just-waiting-to-be-exploited-poc-reported-in-the-wild/

Organizations relying on the Apache Struts framework should patch
their servers ASAP, or at the very least ensure the namespace is
always set within their infrastructure, as cybercrooks already have a
proof-of-concept (PoC) at their disposal.

A critical flaw in Apache Struts discovered by Semmle security
researcher Man Yue Mo reportedly has a working PoC that has been
leaked into the wild. Recorded Future researchers say they’ve even
heard chatter about a working exploit on a number of Chinese and
Russian underground forums.

An advisory on the Apache Software Foundation's wiki describes the
vulnerability and the configuration conditions under which it can be
exploited:

"It is possible to perform an RCE attack when the namespace value isn't
set for a result defined in underlying configurations and, at the same
time, its upper action(s) configurations have no or wildcard
namespace," says the advisory. "The same possibility exists when using
a url tag which doesn't have value and action set and, at the same
time, its upper action(s) configurations have no or wildcard
namespace."

Affected versions include Struts 2.3 through 2.3.34 and Struts 2.5
through 2.5.16. The unsupported Struts versions may also be affected,
the Foundation warns. Struts users are urged to upgrade to Apache
Struts version 2.3.35 or 2.5.17.

A temporary workaround is also offered to those who rely on Struts for
critical operations:

"Verify that you have set (and have not forgotten to set) namespace
(if applicable) for all your defined results in underlying
configurations. Also verify that you have set (and have not forgotten
to set) value or action for all url tags in your JSPs. Both are needed
only when their upper action(s) configurations have no or wildcard
namespace," according to the Apache Software Foundation.
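The two conditions quoted above (a result with no namespace under an action whose package has no namespace or a wildcard namespace, and an s:url tag with neither value nor action) are easy to check mechanically. The script below is an added example, not code from the article or from the Apache Struts project: it parses a constructed struts.xml fragment and a constructed JSP fragment and flags both shapes. The "legacy" and "noNamespace" packages show the weak configuration and the "hardened" package shows the corrected one with an explicit namespace param. Treating any namespace attribute containing "*" as a wildcard, and flagging every result that lacks an explicit namespace param rather than only redirect-style results, are assumptions chosen to keep the check conservative.

```python
"""Audit a Struts 2 configuration for the namespace conditions named in the
Apache advisory. Added example, not Apache's or the article's code; the
struts.xml and JSP snippets are constructed samples."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample struts.xml: "legacy" uses a wildcard namespace and a
# result with no namespace param, "noNamespace" omits the namespace entirely,
# and "hardened" is the corrected shape with an explicit namespace on both.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <package name="legacy" namespace="/*" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="noNamespace" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">home</result>
    </action>
  </package>
  <package name="hardened" namespace="/app" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
"""

# Constructed JSP fragment: the third s:url tag sets neither value nor action.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:url var="homeUrl" action="home" namespace="/app"/>
<s:url var="cssUrl" value="/static/site.css"/>
<s:url var="selfUrl" includeParams="all"/>
"""


def package_namespace_is_weak(pkg: ET.Element) -> bool:
    """Assumption: a missing or empty namespace, or one containing '*',
    is what the advisory calls 'no or wildcard namespace'."""
    ns = pkg.get("namespace")
    return ns is None or ns.strip() == "" or "*" in ns


def find_unsafe_results(struts_xml: str) -> List[Tuple[str, str]]:
    """Return (package, action) pairs whose results lack an explicit
    namespace param while the enclosing package has a weak namespace.
    Conservative: every result type is checked, not only redirectAction."""
    root = ET.fromstring(struts_xml)
    findings = []
    for pkg in root.iter("package"):
        if not package_namespace_is_weak(pkg):
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                has_ns = any(
                    p.get("name") == "namespace" and (p.text or "").strip()
                    for p in result.findall("param")
                )
                if not has_ns:
                    findings.append((pkg.get("name"), action.get("name")))
    return findings


_URL_TAG = re.compile(r"<s:url\b([^>]*)>", re.IGNORECASE)
_HAS_TARGET = re.compile(r"\b(value|action)\s*=", re.IGNORECASE)


def find_unsafe_url_tags(jsp_text: str) -> List[str]:
    """Return the attribute text of each <s:url> tag that sets neither
    value nor action, i.e. one whose namespace comes from the request."""
    return [
        m.group(1).strip()
        for m in _URL_TAG.finditer(jsp_text)
        if not _HAS_TARGET.search(m.group(1))
    ]


if __name__ == "__main__":
    for pkg_name, action_name in find_unsafe_results(SAMPLE_STRUTS_XML):
        print(f"result without namespace: package={pkg_name} action={action_name}")
    for attrs in find_unsafe_url_tags(SAMPLE_JSP):
        print(f"s:url without value/action: <s:url {attrs}>")
```

Run it against a real struts.xml and the JSPs of a deployment to get a worklist for the workaround; the findings are the places where an explicit namespace (or a value/action on the tag) needs to be added while the upgrade to a fixed release is scheduled.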

Infosec fans will remember that the disastrous Equifax breach in 2017
was also the result of an unpatched Apache Struts installation.
However, this new flaw is even easier to exploit, because it does not
require any additional plugins to be running, researchers said.

A study by enterprise content delivery company Kollective has found
that 27% of US enterprises take months to install vital security
updates. This is especially true for large organizations: 45% of
those with more than 100,000 endpoints wait at least a month before
installing critical updates.
