Multiple Vulnerabilities in Apache Struts Could Allow for Remote Code Execution
ITS ADVISORY NUMBER:
2020-117
DATE(S) ISSUED:
Friday, August 14, 2020
SUBJECT:
Multiple Vulnerabilities in Apache Struts Could Allow for Remote Code Execution
OVERVIEW:
Multiple Vulnerabilities have been discovered in Apache Struts, the most severe of which could allow for remote code execution. Apache Struts is an open source framework used for building Java web applications. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
THREAT INTELLIGENCE:
Proof of concept exploit code is available on GitHub for CVE-2019-0230.
SYSTEMS AFFECTED:
- Apache Struts versions 2.0.0 through 2.5.20
RISK:
Government:
Large and medium government entities: High
Small government entities: Medium
Business:
Large and medium business entities: High
Small business entities: Medium
Home Users: N/A
DESCRIPTION:
Multiple Vulnerabilities have been discovered in Apache Struts, the most severe of which could allow for remote code execution. Details of these vulnerabilities follows:
- A vulnerability involving malicious OGNL expressions could allow for remote code execution. (CVE-2019-0230)
- A vulnerability that affects the write permissions of file directories could lead to a denial of service. (CVE-2019-0233)
Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
ACTIONS:
- Verify no unauthorized system modifications have occurred on the system before applying the patch.
- After appropriate testing, immediately apply the upgrade to the most recent version of Apache Struts.
- Frequently validate type and content of uploaded data.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
REFERENCES:
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019:0230
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0233