Last week, we reported on CVE-2018-11776, a new highly critical vulnerability residing in Apache Struts' core functionality, described as a remote code execution vulnerability that affects all supported versions of Apache Struts 2. The flaw is located in the open source Web framework, and according to security experts, it could exceed the damage we witnessed last year during the Equifax breach.
Unfortunately, a Proof-of-Concept (PoC) exploit for CVE-2018-11776 has appeared on GitHub, alongside a Python script that enables easy exploitation, Recorded Future researchers just reported.
What Does a Working CVE-2018-11776 PoC Mean?
First of all, researchers say that there have been talks about exploitation of the new Struts vulnerability on a variety of Chinese and Russian underground forums. As explained by the security experts:
Apache Struts is a very popular Java framework and there are potentially hundreds of millions of vulnerable systems that could be exploited by this flaw. The challenge is in identifying how many systems are vulnerable. Because many of the servers running Apache Struts are backend application servers, they are not always easily identified, even by the system owners.
However, this doesn’t necessarily mean the servers are not publicly accessible by hackers. In most cases, scanners will trick servers into returning a Java stack trace as a way of identifying potential Struts servers. But other tricks are also possible such as looking for specific files or directories.
Furthermore, the new Struts vulnerability appears to be easier to exploit because it doesn’t require the Apache Struts installation to have any additional plugins running for the exploit to take place, the researchers added.
The researchers also warned that if the CVE-2018-11776 PoC published on GitHub is indeed a fully functioning one, and companies haven't patched against it yet, the outcome would be devastating. As to whether the PoC is trustworthy or not, Semmle CEO Oege de Moor [Semmle is the company that discovered the flaw] declined to confirm the nature of the PoC. What he did say, however, is that if it is a working PoC, hackers now have a quicker and very effective way into an enterprise.
The good news is that if an enterprise is unable to update immediately for a number of reasons, there are still ways to mitigate the exploit, such as the following workaround:
Verify that you have set (and always remember to set) a namespace (if applicable) for all your defined results in the underlying configurations. Also verify that you have set (and always remember to set) a value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace.
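As an added illustration (not part of the original article or of the Struts advisory), a small Python audit that applies the first half of that workaround to a struts.xml file: it flags results that redirect or chain to another action without an explicit namespace param, inside packages whose namespace is absent or a wildcard. The package names, action class and namespaces are constructed sample values, and the assumption that only redirectAction and chain results carry a namespace param is mine.

```python
import xml.etree.ElementTree as ET

# Result types that target another action and so accept a "namespace"
# param. Assumption: these are the only result types worth checking;
# dispatcher/freemarker results render a view and have no namespace.
ACTION_TARGET_RESULTS = {"redirectAction", "chain"}


def package_namespace_is_weak(namespace):
    # "No or wildcard namespace" in the advisory's words: attribute missing,
    # empty, or containing a wildcard such as "/*".
    return namespace is None or namespace.strip() == "" or "*" in namespace


def audit_struts_xml(xml_text):
    """Return (package, action, result) triples that violate the workaround:
    an action-targeting result with no namespace param, in a package whose
    own namespace is missing or a wildcard."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        if not package_namespace_is_weak(pkg.get("namespace")):
            continue  # explicit namespace: result inherits a fixed one
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if result.get("type", "dispatcher") not in ACTION_TARGET_RESULTS:
                    continue
                params = {p.get("name"): (p.text or "").strip()
                          for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append((pkg.get("name"), action.get("name"),
                                     result.get("name", "success")))
    return findings


# Constructed sample: wildcard package namespace, redirect result lacks a namespace.
WEAK_STRUTS_XML = """<struts>
  <package name="weak" extends="struts-default" namespace="/*">
    <action name="help" class="com.example.HelpAction">
      <result type="redirectAction"><param name="actionName">date</param></result>
    </action>
  </package>
</struts>"""

# Same configuration with the workaround applied: namespace set on the result.
FIXED_STRUTS_XML = WEAK_STRUTS_XML.replace(
    '<param name="actionName">date</param>',
    '<param name="actionName">date</param><param name="namespace">/actions</param>')

if __name__ == "__main__":
    print("weak :", audit_struts_xml(WEAK_STRUTS_XML))   # [('weak', 'help', 'success')]
    print("fixed:", audit_struts_xml(FIXED_STRUTS_XML))  # []
```

The JSP half of the workaround (a value or action on every url tag) is not covered by this audit and still has to be checked in the views.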