Stop us if you've heard this one: Remote code hijacking flaw in Apache Struts, patch ASAP

Advisory issued over yet another critical security vulnerability

The Apache Foundation is urging developers to update their Struts 2 installations and projects using the code – after a critical security flaw was found in a key component of the framework.

A warning this week from Apache reveals that devs should make sure their websites and other applications are running Struts version 2.5.12 or later, to protect against exploits of CVE-2016-1000031. The vulnerability, a deserialization flaw that lets a specially crafted Java object trigger code execution when it is processed without validation, was found in the commons-fileupload library.

A miscreant could exploit the flaw to execute code remotely on the targeted host, allowing them to potentially seize control of the server, install spyware, and cause other mischief. An attack would typically involve submitting a booby-trapped file to a vulnerable website, and waiting for Struts 2 to inadvertently execute malicious code smuggled inside the document.

"Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload," Apache said in its advisory.

"The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar."

Apache did not say why a bug first cataloged in 2016, judging from its CVE, was only being patched in November of 2018.

While updating to the latest version of Struts will protect future projects from exploitation, projects built with older versions will need to be manually upgraded. Apache said this can be done by adding a dependency to the project:

<dependency>
  <groupId>commons-fileupload</groupId>
  <artifactId>commons-fileupload</artifactId>
  <version>1.3.3</version>
</dependency>
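Because the fix is a library swap rather than a framework upgrade, the practical question for an operations team is which deployed applications still ship a commons-fileupload jar older than 1.3.3. The scanner below is an added example written for this article; it is not code from Apache, Struts or The Register. It walks a WEB-INF/lib directory, reads each commons-fileupload jar's META-INF/MANIFEST.MF and compares the recorded version with the fixed release named in the advisory. It assumes the manifest carries an Implementation-Version or Bundle-Version header (released commons-fileupload jars do, but that is an assumption here) and falls back to the version embedded in the file name, e.g. commons-fileupload-1.3.2.jar. The sample jars it creates for the demo are constructed in a temporary directory and contain only a manifest.

```python
"""Flag commons-fileupload jars older than the 1.3.3 fix in a WEB-INF/lib tree.

Added illustration for the advisory above, not code from Apache or Struts.
Assumption: the jar manifest carries Implementation-Version or Bundle-Version;
otherwise the version is taken from a file name like commons-fileupload-1.3.2.jar.
"""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (1, 3, 3)  # release the advisory names as the drop-in fix
JAR_NAME_RE = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.3.2' -> (1, 3, 2); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if core is None:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(part) for part in core.group(0).split("."))


def is_vulnerable(version_text):
    """True when the jar version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def manifest_version(jar_path):
    """Version recorded in META-INF/MANIFEST.MF, or None when no header is present."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return None


def jar_version(jar_path):
    """Prefer the manifest; fall back to the version embedded in the file name."""
    version = manifest_version(jar_path)
    if version is None:
        match = JAR_NAME_RE.match(os.path.basename(jar_path))
        version = match.group(1) if match else None
    return version


def scan_lib_dir(lib_dir):
    """Return [(jar_path, version, vulnerable)] for every commons-fileupload jar.

    vulnerable is None when no version could be determined, so the jar still
    shows up in the report instead of silently passing.
    """
    findings = []
    for root, _dirs, files in os.walk(lib_dir):
        for name in sorted(files):
            if name.startswith("commons-fileupload") and name.endswith(".jar"):
                path = os.path.join(root, name)
                version = jar_version(path)
                vulnerable = is_vulnerable(version) if version else None
                findings.append((path, version, vulnerable))
    return findings


def make_sample_jar(path, manifest_version_text):
    """Constructed manifest-only jar used to exercise the scanner offline.

    Pass None to omit the version header and force the file-name fallback.
    """
    lines = ["Manifest-Version: 1.0"]
    if manifest_version_text is not None:
        lines.append("Implementation-Version: %s" % manifest_version_text)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")


def demo_scan():
    """Scan a constructed WEB-INF/lib and return {jar name: (version, vulnerable)}."""
    with tempfile.TemporaryDirectory() as lib:
        make_sample_jar(os.path.join(lib, "commons-fileupload-1.3.2.jar"), "1.3.2")
        make_sample_jar(os.path.join(lib, "commons-fileupload-1.3.3.jar"), "1.3.3")
        make_sample_jar(os.path.join(lib, "commons-fileupload-1.2.1.jar"), None)
        return {os.path.basename(p): (v, vuln) for p, v, vuln in scan_lib_dir(lib)}


if __name__ == "__main__":
    for name, (version, vulnerable) in sorted(demo_scan().items()):
        state = {True: "VULNERABLE", False: "ok", None: "version unknown"}[vulnerable]
        print("%-36s %-8s %s" % (name, version, state))
```

Point scan_lib_dir at a real deployment's WEB-INF/lib (or at a directory of unpacked WAR files) to build an inventory; anything reported as VULNERABLE or "version unknown" is a candidate for the jar replacement the advisory describes. The check is deliberately a version comparison, not a behavioural probe, so it is safe to run against production hosts.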

Getting the fix added to all existing projects will likely be a long and tedious process for developers, said SANS network security researcher Johannes Ullrich.

"There is no simple 'new Struts version' to fix this," Ullrich explained. "You will have to swap out the commons-fileupload library manually."

While most netizens will not be familiar with Struts, vulnerabilities in the framework are nothing to scoff at. Bugs in the framework are an increasingly popular target for online exploits.

One such Struts flaw was exploited in 2017 by the attackers who used the bug to get into systems at Equifax and ultimately compromise the personal details of more than 145 million Americans. ®

Biting the hand that feeds IT © 1998–2018