The Apache Struts Software Foundation has released an update to its open-source web application framework to fix a critical remote code execution vulnerability that allows attackers to seize control of any server running REST applications built with its product – even those protected behind firewalls.
Developers use Apache Struts to build enterprise-wide Java EE web applications. The bug, which affects all versions of the framework since 2008, was discovered in July by Man Yue Mo, a security researcher at lgtm, a company that provides free software engineering analytics to open-source projects.
Officially designated CVE-2017-9805, the flaw exists due to an unsafe deserialisation process, by which unsanitised data is deserialised into a Java object, including data from HTTP requests or other socket connections, Mo explains in a threat analysis published on Tuesday. lgtm has a working exploit for the vulnerability that requires merely a web browser to execute, but the company is not publishing it at this time.
Semmle and lgtm are warning that similar past exploits have resulted in customer record theft and operational disruption. "At the time of the announcement, there is no suggestion that an exploit is publicly available, but it is likely that there will be one soon," the analysis states.
The general release of Struts version 2.5.13 addresses this vulnerability, along with two denial-of-service bugs, and introduces a variety of additional improvements, the Apache Struts Software Foundation announced on Tuesday.
Struts users are urged to update their product right away. "This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability, it can critically damage thousands of enterprises," said Oege de Moor, CEO and founder of Semmle, lgtm's parent company, in a blog post written by Semmle product manager Bas van Schaik.
In his company's blog post, Mo notes that Struts is used to develop a wide variety of customer-facing web applications, including those used for internet banking and airline booking.
The post also quotes a CISO from an unnamed tier-one banking institution, who had said prior to the fix that the vulnerability could have been worse than the infamous POODLE SSL attack exploit because it would be complicated to remediate and would require code changes before a patch could be applied. Fortunately, the Struts security team was quick to produce a solution, Mo notes in his analysis, "even though it is a fairly non-trivial task that requires API changes."
SC Media has reached out to the Apache Struts team for additional comments.
Tod Beardsley, research director at Rapid7, emailed SC to comment, "Deserialisation of untrusted user input (also known as CWE-502) is a somewhat well-known vulnerability pattern, and I would expect a public proof-of-concept exploit to surface well before most enterprises have committed to a patch, given the complications that this patch introduces."
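The unsafe deserialisation Mo describes and the CWE-502 pattern Beardsley names are the same class of defect: the receiving side rebuilds whatever object graph the sender encodes. The following is an added example, not code from Struts, lgtm or this article, showing the general JDK-level mitigation of allow-listing the classes an ObjectInputStream may reconstruct. It assumes Java 9 or later for java.io.ObjectInputFilter; OrderRequest and the two sample streams are constructed for the demonstration.

```java
import java.io.*;

// Added example, not Struts' or lgtm's code: allow-list the classes an
// ObjectInputStream may reconstruct via java.io.ObjectInputFilter (Java 9+).
// Without such a filter, a service that deserialises request bodies builds
// whatever object graph the sender names, which is the CWE-502 pattern.
// The only type the (hypothetical) endpoint legitimately expects from clients.
class OrderRequest implements Serializable {
    private static final long serialVersionUID = 1L;
    final String sku;
    final int quantity;
    OrderRequest(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
}

public class SafeDeserialize {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unsafe pattern: no constraint on which classes get instantiated.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: only OrderRequest and String pass; "!*" rejects any other class
    // before its readObject logic runs. Depth/array limits bound resource use.
    static Object deserializeAllowListed(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "OrderRequest;java.lang.String;maxdepth=4;maxarray=64;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new OrderRequest("SKU-123", 2));      // constructed sample
        byte[] unexpected = serialize(new java.util.ArrayList<String>()); // constructed sample
        System.out.println("filtered OK: " + ((OrderRequest) deserializeAllowListed(expected)).sku);
        System.out.println("unfiltered accepted: " + deserializeUnfiltered(unexpected).getClass());
        try { deserializeAllowListed(unexpected); }
        catch (InvalidClassException e) { System.out.println("filtered rejected: " + e.getMessage()); }
    }
}
```

The unfiltered path happily reconstructs a class the endpoint never asked for, while the allow-listed path stops it with an InvalidClassException before any of that class's deserialisation logic executes.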