Oracle's patch update includes 98 security fixes

The Apache Software Foundation's Struts project has released an update to its open-source web application framework to fix a critical remote code execution vulnerability in the framework's REST plugin. The flaw allows an unauthenticated remote attacker to run arbitrary code on any server hosting a Struts application that uses the plugin's XStream handler for XML payloads, including servers sitting behind firewalls, since the malicious request is an ordinary HTTP request to the application.

Developers use Apache Struts to build enterprise-wide Java EE web applications. The bug, which affects every release of the framework since 2008 (Struts 2.1.2 through 2.3.33 and 2.5 through 2.5.12), was discovered in July by Man Yue Mo, a security researcher at lgtm, a company that provides free software engineering analytics to open-source projects.

Officially designated CVE-2017-9805 (Struts advisory S2-052), the flaw exists because of an unsafe deserialisation process: the REST plugin hands the untrusted body of an HTTP request, or data from other socket connections, to the XStream library, which instantiates whatever Java classes the XML names without first checking that those types are expected, Mo explains in a threat analysis published on Tuesday. Because the sender rather than the server chooses the classes, a request can be crafted that triggers code execution during deserialisation. lgtm has a working exploit for the vulnerability that requires merely a web browser to execute, but the company is not publishing it at this time.

Semmle and lgtm are warning that similar past exploits have resulted in customer record theft and operational disruption. "At the time of the announcement, there is no suggestion that an exploit is publicly available, but it is likely that there will be one soon," the analysis states. 

The general release of Struts version 2.5.13 addresses this vulnerability, along with two denial-of-service bugs, and introduces a variety of additional improvements, the Apache Struts project announced on Tuesday.

Struts users are urged to update right away. "This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability, it can critically damage thousands of enterprises," said Oege de Moor, CEO and founder of Semmle, lgtm's parent company, in a blog post written by Semmle product manager Bas van Schaik.

In his company's blog post, Mo notes that Struts is used to develop a wide variety of customer-facing web applications, including those used for internet banking and airline booking.

The post also quotes a CISO from an unnamed tier-one banking institution, who had said prior to the fix that the vulnerability could be worse than the infamous POODLE SSL attack because it would be complicated to remediate and would require code changes before a patch could be applied. Fortunately, Mo notes in his analysis, the Struts security team was quick to produce a solution "even though it is a fairly non-trivial task that requires API changes."

SC Media has reached out to the Apache Struts team for additional comments.

Tod Beardsley, research director at Rapid7, emailed SC to comment, "Deserialisation of untrusted user input (also known as CWE-502) is a somewhat well-known vulnerability pattern, and I would expect a public proof-of-concept exploit to surface well before most enterprises have committed to a patch, given the complications that this patch introduces.

"The problem with deserialisation vulnerabilities is that application code often relies precisely on the unsafe deserialisation routines being exploited -- therefore, anyone who is affected by this vulnerability needs to go beyond merely applying a patch and restarting the service, since the patch will make changes to how the underlying application will treat incoming data. Apache mentions this in the 'Backward Compatibility' section of S2-052. An update that mentions 'it is possible that some REST actions stop working' is enough to cause cold sweats for IT operations folks who need to both secure their infrastructure and ensure that applications continue to function normally.

"Organisations that rely on Struts to power their websites need to start that application-level testing now so as to avoid becoming the next victims in a wave of automated attacks that leverage this vulnerability."
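To make concrete both lgtm's description of unsanitised XML being turned into arbitrary Java objects and Beardsley's warning that the fix changes how incoming data is treated, here is an example written for this article. It is not the Struts project's XStreamHandler and not lgtm's or Rapid7's code: the `Order` class, the `order` alias, the `handle` helper and the sample request bodies are assumptions made for the demonstration. It uses only XStream's own type-permission API (XStream 1.4.7 or later), first in the permissive configuration that made the REST plugin exploitable, then in the deny-by-default allowlist style the fix adopted. A harmless `java.util` type stands in for the attacker-chosen class; no exploit chain is shown.

```java
// Added example, not code from Apache Struts, lgtm/Semmle or Rapid7.
// Order, the "order" alias and the sample bodies are illustrative assumptions.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class RestXmlBodyDemo {

    /** The only model object this hypothetical REST action is meant to accept. */
    public static class Order {
        public String sku;
        public int qty;
    }

    /** Pre-fix behaviour: whatever class the XML names gets instantiated. */
    static XStream permissive() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        // Stated explicitly so the demo behaves the same on every XStream version.
        xs.addPermission(AnyTypePermission.ANY);
        return xs;
    }

    /** Post-fix style: deny every type, then allow only what the endpoint expects. */
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        xs.addPermission(NoTypePermission.NONE);              // clears all permissions: deny by default
        xs.addPermission(NullPermission.NULL);                // null values are fine
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Order.class });
        return xs;
    }

    /** Stands in for a handler: report what the request body became, or why it was refused. */
    static String handle(XStream xs, String body) {
        try {
            Object o = xs.fromXML(body);
            return "deserialised " + o.getClass().getName();
        } catch (ForbiddenClassException e) {
            return "rejected: " + e.getMessage();
        } catch (XStreamException e) {
            // A forbidden type nested below the root is reported wrapped in a ConversionException.
            return "rejected (" + e.getClass().getSimpleName() + "): " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample bodies:
        //  expected  - what the endpoint was written to accept
        //  foreign   - a type the endpoint never asked for; the sender, not the server, picked it
        //  legacy    - a shape some client may have been sending all along that the allowlist
        //              now refuses: the "some REST actions stop working" case from S2-052
        String expected = "<order><sku>SKU-123</sku><qty>2</qty></order>";
        String foreign  = "<java.util.HashMap/>";
        String legacy   = "<java.util.ArrayList><order><sku>SKU-123</sku><qty>1</qty></order></java.util.ArrayList>";

        XStream before = permissive();
        XStream after  = allowlisted();

        System.out.println("permissive,  expected : " + handle(before, expected));
        System.out.println("permissive,  foreign  : " + handle(before, foreign));
        System.out.println("permissive,  legacy   : " + handle(before, legacy));
        System.out.println("allowlisted, expected : " + handle(after, expected));
        System.out.println("allowlisted, foreign  : " + handle(after, foreign));
        System.out.println("allowlisted, legacy   : " + handle(after, legacy));
    }
}
```

The permissive instance turns all three bodies into live objects, which is the whole problem: the type is chosen by whoever sends the request. The allowlisted instance accepts only the `Order` body and refuses the other two with a `ForbiddenClassException`. The refusal of the `legacy` body is the compatibility cost Beardsley describes, so the testing to do before deploying the update is to send each REST action every payload shape real clients use and confirm nothing legitimate is now rejected, then add only those missing types to the allowlist rather than reverting to `AnyTypePermission`.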