Apache Struts Vulnerability

Archived current event – v1.2 of post

This was a current event at the time of writing, so this blog post was revised as we carried out further research and analysis.

  • 1.2: Updated to include Struts v1
  • 1.1: Final public release of this blog post
  • 1.0: Initial version

Background

On 24 April 2014 the Struts project published security bulletin S2-021 for a zero-day vulnerability in Struts 2. An earlier fix (Struts 2.3.16.1, bulletin S2-020) had already been released but proved insufficient to mitigate the issue completely.

A similar vulnerability was also identified in Struts 1, which has not had a release since December 2008 and reached end-of-life in 2013.

CVE-2014-0094, CVE-2014-0112 and CVE-2014-0113 have been assigned to the Struts 2 issues: CVE-2014-0094 is the original ClassLoader manipulation fixed (incompletely) in 2.3.16.1, CVE-2014-0112 the bypass of that fix through the parameters interceptor, and CVE-2014-0113 the same issue reachable through the cookie interceptor. CVE-2014-0114 is assigned to the vulnerability in Struts 1.

Versions of Struts affected / not affected

  • Struts 1.x up to and including 1.3.10 (every Struts 1 release) are vulnerable; all are end-of-life
  • Struts 2.0.0 – 2.3.16.1 are vulnerable
  • Struts 2.3.16.2 (the latest release at the time of writing) is NOT vulnerable

Impact of exploitation

This vulnerability lets request parameters reach the ClassLoader of the application's action classes (through the class.classLoader property). Manipulating the ClassLoader in this way can potentially be used to gain remote code execution on vulnerable application servers, regardless of the underlying operating system.

Recommendations to customers

NCC Group recommends that customers should in the short term:

  • Identify any web applications that use Struts (including third-party applications)
    • This may involve unpacking and inspecting the WAR archives of third-party applications: the Struts JARs sit in WEB-INF/lib, and the version is usually visible in the JAR file name
    • For identified vulnerable applications consider one of the following courses of action:
      • Upgrade any projects using Struts v1 to a supported framework.
      • For in-house developed applications: upgrade immediately to Struts version 2.3.16.2 if possible.
      • For third-party applications: work with your vendor and deploy patches as soon as they are made available.
      • Where patches are not available, apply the mitigations listed in Struts security bulletin S2-021 (an updated excludeParams list for the parameters interceptor). Note that these mitigations are not as thorough as the changes included in version 2.3.16.2 and should not be relied upon as a long-term protective measure.
      • Consider deploying network-based protective monitoring rules for systems which host web applications based on Struts.
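As an added example (not part of the original post and not Struts project code), the following script implements the identification step above: it walks a WAR or EAR, finds the Struts core JAR in WEB-INF/lib (recursing into nested archives), and classifies each version it finds against the affected ranges listed earlier. The JAR file-name patterns and the fallback to an Implementation-Version header in META-INF/MANIFEST.MF are assumptions about how the archives were built; the sample EAR used when no path is given is constructed inline.

```python
import re
import sys
import zipfile
from io import BytesIO

# First fixed Struts 2 release according to the advisory; every 2.x below it is affected.
FIRST_FIXED_2X = (2, 3, 16, 2)

# Assumed file-name conventions: struts2-core-2.3.16.1.jar (Struts 2),
# struts-core-1.3.10.jar (Struts 1.3), struts-1.2.9.jar (older Struts 1).
JAR_NAME = re.compile(r"(?:^|/)(struts2?-core|struts)-(\d+(?:\.\d+)+)\.jar$")


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def classify(version):
    """Map a Struts version string to the affected / not-affected status from the post."""
    try:
        v = version_tuple(version)
    except ValueError:
        return "unknown"
    if v[0] == 1:
        return "vulnerable (Struts 1, end-of-life)"
    if v[0] == 2:
        return "vulnerable" if v < FIRST_FIXED_2X else "not vulnerable"
    return "unknown"


def manifest_version(jar_bytes):
    """Fallback for JARs without a version in their name (e.g. a bare struts.jar):
    read Implementation-Version from the manifest. Assumes the build populated it."""
    try:
        with zipfile.ZipFile(BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def find_struts(archive_bytes, path=""):
    """Return (location, version, status) for every Struts JAR in a WAR/EAR.
    An EAR carries WARs, a WAR carries JARs in WEB-INF/lib, so recurse into both."""
    results = []
    with zipfile.ZipFile(BytesIO(archive_bytes)) as archive:
        for name in archive.namelist():
            location = f"{path}!{name}" if path else name
            lower = name.lower()
            if lower.endswith((".war", ".ear")):
                results.extend(find_struts(archive.read(name), location))
            elif lower.endswith(".jar") and name.rsplit("/", 1)[-1].startswith("struts"):
                m = JAR_NAME.search(name)
                version = m.group(2) if m else manifest_version(archive.read(name))
                status = classify(version) if version else "unknown (no version found)"
                results.append((location, version, status))
    return results


def _jar(implementation_version=None):
    """Constructed minimal JAR: just a manifest, optionally with a version header."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        manifest = "Manifest-Version: 1.0\n"
        if implementation_version:
            manifest += f"Implementation-Version: {implementation_version}\n"
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


def build_sample_ear():
    """Constructed fixture: an EAR holding a WAR with Struts 2.3.16.1 in WEB-INF/lib
    and an old Struts 1 JAR whose version is only in its manifest."""
    war = BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/lib/struts2-core-2.3.16.1.jar", _jar("2.3.16.1"))
        w.writestr("WEB-INF/lib/commons-lang-2.4.jar", _jar("2.4"))
    ear = BytesIO()
    with zipfile.ZipFile(ear, "w") as e:
        e.writestr("app.war", war.getvalue())
        e.writestr("lib/struts.jar", _jar("1.2.9"))
    return ear.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ear()
    for location, version, status in find_struts(data):
        print(f"{location}: {version} -> {status}")
```

Run it as `python struts_scan.py app.ear` against a real deployment archive; with no argument it scans the constructed sample and reports both embedded JARs as vulnerable. JARs renamed or repackaged by a vendor will fall through to the manifest check, and if that header is missing the script reports the version as unknown rather than guessing.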

Detecting with Snort rules

Sourcefire VRT rules covering CVE-2014-0094 and CVE-2014-0112 have been released; see the Sourcefire VRT blog post for details.
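An added example, not from this post, Sourcefire or the Struts project: it shows why the earlier fix was insufficient and what the S2-021 workaround blocks, then applies the S2-021 pattern to the parameter names in constructed access-log lines as a host-side complement to the Snort rules. The two regular expressions are reproduced here from the S2-020 default excludeParams entry and the S2-021 workaround as published in those bulletins (verify against the bulletin text before relying on them); the log format and the log entries are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# "class" entry of the default excludeParams list after the S2-020 fix
# (Struts 2.3.16.1): only a lowercase "class." prefix is rejected.
S2_020_CLASS_PATTERN = r"^class\..*"
# Replacement entry from the S2-021 workaround: a "class"/"Class" segment reached
# by dot notation, ['class'] / ["class"] index notation or an array index.
S2_021_CLASS_PATTERN = r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*"""


def is_excluded(name, pattern):
    """ParametersInterceptor uses Pattern.matcher(name).matches(), i.e. the whole
    parameter name must match, so mirror it with fullmatch rather than search."""
    return re.fullmatch(pattern, name) is not None


def bypasses_s2_020(name):
    """True for names that pass the S2-020 filter but are blocked by S2-021."""
    return (not is_excluded(name, S2_020_CLASS_PATTERN)
            and is_excluded(name, S2_021_CLASS_PATTERN))


def query_param_names(request_target):
    """Parameter names as the servlet container sees them: percent-decoded,
    so %5B%27class%27%5D becomes ['class'] before the filter is applied."""
    query = urlsplit(request_target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


# Combined Log Format, with enough fields captured to reach the request target.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def flag_log_line(line):
    """Return (source address, offending parameter names) when a request carries a
    parameter name the S2-021 pattern would block, otherwise None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    hits = [n for n in query_param_names(m.group("target"))
            if is_excluded(n, S2_021_CLASS_PATTERN)]
    return (m.group("src"), hits) if hits else None


def scan_log(text):
    return [hit for hit in map(flag_log_line, text.splitlines()) if hit]


# Constructed sample access log: one benign request, then the plain, capitalised
# and bracket-notation forms of a parameter name that reaches class.classLoader.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2014:10:01:02 +0000] "GET /app/login.action?username=alice&password=x HTTP/1.1" 200 512
203.0.113.9 - - [24/Apr/2014:10:01:07 +0000] "GET /app/login.action?class.classLoader.x=y HTTP/1.1" 200 512
203.0.113.9 - - [24/Apr/2014:10:01:09 +0000] "GET /app/login.action?Class.classLoader.x=y HTTP/1.1" 200 512
203.0.113.9 - - [24/Apr/2014:10:01:11 +0000] "GET /app/login.action?%5B%27class%27%5D.classLoader.x=y HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for name in ("class.classLoader.x", "Class.classLoader.x", "['class'].classLoader.x"):
        print(f"{name:26} S2-020 blocks: {is_excluded(name, S2_020_CLASS_PATTERN)!s:5} "
              f"S2-021 blocks: {is_excluded(name, S2_021_CLASS_PATTERN)}")
    for src, names in scan_log(SAMPLE_LOG):
        print(f"{src}: {names}")
```

Two caveats for anyone turning this into a detection: access logs only record the query string, and Struts reads POST bodies through the same interceptor, so body parameters are invisible here (one reason the network rules inspect the request body); and the S2-021 pattern also rejects any legitimate property whose name contains a "class" or "Class" segment followed by a dot, so expect some noise and tune on the segment that follows it if needed.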

Further information

For further information:

  • Follow us on Twitter @NCCGroupInfosec for notifications of updates to this page
  • Read the official Struts announcements (dated 24th April 2014)
  • If you’re an existing customer please contact your account manager if you require tailored advice and consultancy.

Published date:  12 May 2014

Written by:  David Cannings