A new vulnerability has been uncovered, the kind that could turn out worse than the one that triggered the Equifax breach. The vulnerability has been identified as CVE-2018-11776, residing in Apache Struts' core functionality. It is a remote code execution vulnerability that affects all supported versions of Apache Struts 2.
Last year’s Equifax breach also involved a security flaw in Apache Struts, so the discovery of an even more dangerous loophole is quite alarming. The new vulnerability, CVE-2018-11776, is located in the open source Web framework, and according to security experts it could surpass the damage we witnessed in 2017.
CVE-2018-11776 Technical Overview
This latest Struts vulnerability was discovered by researcher Man Yue Mo who is part of the Semmle research team. CVE-2018-11776 resides in the core functionality of Struts, and it could allow remote code execution when the framework is configured in specific ways.
According to Glen Pendley, deputy CTO at Tenable, the vulnerability does not stem from the configuration itself; rather, when the system is configured in a certain way, attackers can exploit the flaw in Struts.
As explained by Semmle:
This new remote code execution vulnerability affects all supported versions of Apache Struts 2. A patched version has been released today. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. The vulnerability is located in the core of Apache Struts. All applications that use Struts are potentially vulnerable, even when no additional plugins have been enabled.
Semmle's Security Research Team estimated that at least 65% of Fortune 500 companies use Struts in some of their web applications, meaning that the flaw could have wide implications across the Internet.
Worse still, the part of the framework that CVE-2018-11776 touches is potentially far more impactful than earlier vulnerabilities: the affected endpoints are far more widely used, in Pendley's words.
Semmle researchers co-operated with the Apache Foundation to disclose the flaw in a responsible manner. A set of software updates was released alongside the vulnerability's public disclosure.
Organizations and developers who use Struts are urgently advised to upgrade their Struts components immediately, Semmle warns. Previous disclosures of other critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk, the company adds.
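A version check of the kind a defender would run against a deployment, added here as an example (not Semmle's or Apache's code): it applies the fixed versions named in the Semmle advisory above, 2.3.35 and 2.5.17, to the struts2-core jar names found under a directory. The jar-name pattern and the treatment of the unsupported older 2.x lines as affected are assumptions.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Fixed releases named in the advisory: the 2.3 line is fixed in 2.3.35 and
# the 2.5 line in 2.5.17; everything older on each line is affected.
FIX_2_3 = (2, 3, 35)
FIX_2_5 = (2, 5, 17)

# Assumed file-name pattern for the core library, e.g. struts2-core-2.5.16.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    """True when a Struts 2 version predates the CVE-2018-11776 fix on its branch.

    Anything below 2.3.35 (including the unsupported 2.0-2.2 lines, which are
    assumed never to have received a fix) and any 2.5.x below 2.5.17 is affected.
    """
    v = parse_version(version)
    if v[0] != 2:
        return False  # only Struts 2 is in scope for this advisory
    return v < FIX_2_3 or (v >= (2, 5) and v < FIX_2_5)


def classify_jar_names(names: List[str]) -> List[Tuple[str, str, bool]]:
    """Map core-jar names to (name, version, vulnerable); other jars are skipped."""
    results = []
    for name in names:
        match = JAR_RE.search(name)
        if match:
            version = match.group(1)
            results.append((name, version, is_vulnerable(version)))
    return results


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a deployment directory (e.g. WEB-INF/lib) and classify every core jar."""
    paths = [str(p) for p in Path(root).rglob("struts2-core-*.jar")]
    return classify_jar_names(paths)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real deployment.
    sample = ["struts2-core-2.3.34.jar", "struts2-core-2.3.35.jar",
              "struts2-core-2.5.10.1.jar", "struts2-core-2.5.17.jar"]
    for name, ver, vuln in classify_jar_names(sample):
        print(f"{name}: {'UPGRADE' if vuln else 'ok'}")
```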
Last year, millions of American citizens had their social security numbers stolen due to a critical vulnerability exploited in the infamous Equifax hack. The security breach affected one of the largest credit reporting companies operating in the USA. As a result of the malicious intrusion, the hackers behind the attack were able to obtain information on over 40% of the whole country's population.