Overview
This is a remote code execution vulnerability that affects Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16. Attackers exploit a flaw in how the framework validates untrusted user data: using crafted HTTP requests, they send OGNL expressions to the server. If a certain non-default configuration is enabled, the expressions contained in the URL query can identify resources on the server. This can lead to remote code execution.
Details
Apache Struts is a popular open-source MVC framework for Java web applications. The framework itself lacks input validation. The problem occurs when data flows from a source, such as untrusted user input, to a sink, where the data may be used in unintended ways. For example, data in the sink could become part of an SQL query. This exposes Apache Struts to a number of vulnerabilities. CVE-2018-11776 in particular relates to a lack of validation of URL values passed on to the framework.
As OGNL is at the core of Apache Struts, attackers inject OGNL expressions to achieve RCE. OGNL is used to customize the behavior of the framework, which gives an attacker who controls an expression more capabilities. One reason developers prefer the Struts framework for their projects is its flexibility. The tradeoff for that flexibility is several unvetted non-default configurations. The framework is also very extensible with plugins, making it difficult to track configuration changes made by the plugins.
This vulnerability occurs when alwaysSelectFullNamespace is true. It can be set either by the developer or by a plugin that needs it, for example the Convention plugin. Once it is set to true, one of the following must also hold for a successful exploit:
Results are used without a namespace while, at the same time, their upper package has no namespace. It is also possible if the upper package has a wildcard namespace that matches the results.
A URL tag is used without a value or action set while, at the same time, its upper package has a wildcard namespace or no namespace.
Since the Struts framework performs no input validation on the URLs passed on to it, an attacker can pass a crafted namespace as a parameter in an HTTP request. The passed value could be an OGNL string, allowing the attacker to carry out remote code execution.
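As an added example that is not part of this advisory, the following Python script audits a struts.xml for the preconditions described above: the alwaysSelectFullNamespace setting (its full configuration key, struts.mapper.alwaysSelectFullNamespace, is the Struts constant name for that setting) turned on, and redirectAction or chain results that carry no namespace inside packages whose own namespace is missing, empty or a wildcard. Both struts.xml samples are constructed, and the package, action and class names in them are placeholders.

```python
import xml.etree.ElementTree as ET

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"
NAMESPACE_RESULT_TYPES = {"redirectAction", "chain"}
# Constructed sample: the non-default constant is on, the package declares no
# namespace, and a redirectAction result leaves the namespace to the request.
VULNERABLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
</struts>"""
# Hardened variant: constant off, explicit package and result namespaces.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/app" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>"""


def audit_struts_xml(xml_text):
    """Return findings that match the advisory's preconditions ([] means clean)."""
    root = ET.fromstring(xml_text)
    findings = []
    for c in root.iter("constant"):
        if c.get("name") == FULL_NS_CONSTANT and c.get("value", "").lower() == "true":
            findings.append(f"{FULL_NS_CONSTANT} is true (non-default setting)")
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        # A missing, empty or wildcard namespace lets the request supply it.
        if ns is not None and ns.strip() and "*" not in ns:
            continue
        for result in pkg.iter("result"):
            if result.get("type") not in NAMESPACE_RESULT_TYPES:
                continue
            params = {p.get("name"): (p.text or "").strip() for p in result.findall("param")}
            if not params.get("namespace"):
                findings.append(f"package '{pkg.get('name')}': {result.get('type')} result has no namespace param")
    return findings
```

The hardened variant shows the configuration that clears the check: the constant left at its default and explicit namespaces on both the package and the result, which is the configuration-side defence for installations that cannot upgrade immediately.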
Affected Environments
Apache Struts is used widely in Fortune 100 and government organizations, making CVE-2018-11776 a widespread vulnerability. The following versions of Apache Struts are affected:
Apache Struts 2.3 through 2.3.34
Apache Struts 2.5 through 2.5.16
Remediation
Upgrade to Apache Struts 2.3.35 or 2.5.17.
Prevention
Upgrade to Apache Struts 2.3.35 or 2.5.17.
Apply vendor-supplied security patches.