A Vulnerability in Apache Struts Could Allow for Remote Code Execution

ITS Advisory Number: 2018-086
Date(s) Issued: Wednesday, August 22, 2018
Subject: A Vulnerability in Apache Struts Could Allow for Remote Code Execution
Overview: 

A vulnerability has been discovered in Apache Struts which could allow for remote code execution. Apache Struts is an open-source MVC framework for creating Java web applications. Successfully exploiting this vulnerability could allow for remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.

THREAT INTELLIGENCE:

There are no reports of this vulnerability being actively exploited in the wild.

Systems Affected: 
  • Apache Struts versions prior to 2.3.35
  • Apache Struts versions prior to 2.5.17

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Description: 

A vulnerability has been discovered in Apache Struts which could allow for remote code execution. Apache Struts is prone to a remote code-execution vulnerability (CVE-2018-11776). Specifically, the issue occurs when the framework handles specially crafted results with no namespace, or a URL tag with neither value nor action set.
Successfully exploiting this vulnerability could allow for remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.

Actions: 
  • Verify no unauthorized system modifications have occurred on the system before applying the patch.

  • After appropriate testing, immediately upgrade to the latest version of Apache Struts.

  • Apply the principle of Least Privilege to all systems and services.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
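The two checks a defender would want to script for this advisory are the version comparison against the fixed releases named above (2.3.35 and 2.5.17) and a review of struts.xml for the configuration pattern the description mentions, results that do not pin a namespace. The following Python is an added example written for this page; it is not part of the advisory or of the Apache Struts project. The version helper generalises the two "prior to" ranges into one predicate, and the configuration scan is a heuristic that only points at places to review: a package with no `namespace` attribute, or a `redirectAction`/`chain` result with no `namespace` param. The `SAMPLE_STRUTS_XML` document and the action names in it are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases as stated in the advisory: 2.3.35 and 2.5.17.
# Everything older than 2.3.35, and every 2.5.x before 2.5.17, is affected.
FIXED_2_3 = (2, 3, 35)
FIXED_2_5 = (2, 5, 17)


def parse_version(version):
    """Turn a version string such as '2.5.16' into a comparable tuple (2, 5, 16).
    Trailing qualifiers (e.g. '-SNAPSHOT') after the third component are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version falls in either affected range from the advisory."""
    v = parse_version(version)
    return v < FIXED_2_3 or (2, 5, 0) <= v < FIXED_2_5


def find_namespace_gaps(struts_xml):
    """Heuristic review of a struts.xml document (assumed to be passed as a string).

    Returns human-readable findings for:
      * <package> elements that declare no namespace attribute, and
      * redirectAction / chain <result> elements with no 'namespace' <param>.
    A finding means 'review this', not 'this is exploitable'."""
    root = ET.fromstring(struts_xml)
    findings = []
    for pkg in root.iter("package"):
        pkg_name = pkg.get("name", "?")
        if not pkg.get("namespace"):
            findings.append(f"package '{pkg_name}' declares no namespace")
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in ("redirectAction", "chain"):
                    continue
                params = {p.get("name"): (p.text or "").strip()
                          for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append(
                        f"action '{action.get('name')}' in package '{pkg_name}' has a "
                        f"{result.get('type')} result without a namespace param")
    return findings


# Constructed sample: one package without a namespace and a redirect that does not
# pin one, beside a package that does both correctly.
SAMPLE_STRUTS_XML = """
<struts>
  <package name="default" extends="struts-default">
    <action name="home" class="com.example.HomeAction">
      <result type="redirectAction">
        <param name="actionName">dashboard</param>
      </result>
    </action>
  </package>
  <package name="secure" namespace="/secure" extends="struts-default">
    <action name="dashboard" class="com.example.DashboardAction">
      <result type="redirectAction">
        <param name="actionName">report</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
</struts>
"""

if __name__ == "__main__":
    for ver in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(f"{ver}: {'AFFECTED' if is_affected(ver) else 'fixed'}")
    for finding in find_namespace_gaps(SAMPLE_STRUTS_XML):
        print("REVIEW:", finding)
```

Run against a real deployment, the version string would come from the struts2-core jar name or the project's pom.xml, and the XML from the application's struts.xml; both are left as inputs here so the example stays offline.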