1. Overview
Apache Struts2 is a JAVA-based web application development framework, and this section summarizes the results of our analysis of remote code execution (RCE) vulnerabilities that can occur in web applications using the framework.
2. Attack Types
This section analyzes the attack types for four CVEs among the various Apache Struts2 RCE vulnerabilities.
1) CVE-2017-9805
The REST plugin of Apache Struts2 uses the XStream plugin to serialize/deserialize XML requests. The deserialization is performed without any validation of user input values, which can be exploited by an attacker to send serialized malicious code to arbitrary APIs that the REST plugin performs.
2) CVE-2017-12611
Apache Struts2 uses an open-source HTML template engine called FreeMarker to dynamically generate HTML. If a page in FreeMarker utilizes tags that express fixed (literal) or coerced values, it is possible to access variables within those tags as request parameters, inject an OGNL expression, and send it to execute malicious code.
3) CVE-2018-11776
In Apache Struts2, there is a group of internal application behaviors called namespace. Assuming a web application works without specifying a namespace or uses a wildcard namespace such as /*, if Struts cannot find the requested namespace, it will think it is a custom namespace and evaluate it as an OGNL expression, which can be exploited to execute malicious code.
4) CVE-2020-17530
Similar to CVE-2019-0230, this attack occurs in JSP pages when developers use the %{} syntax in tag attributes to force OGNL evaluation. Apache Struts2 patched the CVE-2019-0230 vulnerability by adding OGNL execution-related packages to blacklist filtering, while CVE-2020-17530 allows OGNL code to be executed by initializing the blacklist using an instance of the org.apache.tomcat package.
3. Response
1) CVE-2017-9805
Respond by updating Apache Struts to version 2.5.13 / 2.3.34 or later. If updating is not possible, the official Struts recommendation is to modify the struts-plugin.xml data content to allow only JSON to be used instead of XML, which is where the vulnerability occurs.
Our AIWAF product detects attack syntax that exploits this vulnerability with the pattern
2) CVE-2017-12611
Respond by updating to Apache Struts version 2.5.12 / 2.3.35 or later. If updating is not possible, you should only initialize the value to getter properties that are read-only properties or avoid using FreeMarker itself.
Our AIWAF product detects attack syntax that exploits this vulnerability with the pattern
3) CVE-2018-11776
Respond by updating to Apache Struts version 2.3.35 / 2.5.17 or later.
Our AIWAF product detects attack syntax that exploits this vulnerability with the
4) CVE-2020-17530
Respond by updating to Apache Struts version 2.5.26 or later.
Our AIWAF product detects attack syntax that exploits this vulnerability with the
4. Conclusion
Apache Struts2 vulnerabilities are constantly being discovered and updates are constantly being released, so it's important to check and update your Apache Struts2 security on a regular basis.
In our AIWAF product, we have developed many patterns to respond to vulnerabilities in Apahce Struts2, and we will continue to respond to Apache Struts2-related vulnerabilities as they are discovered.
5. references
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12611
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17530>
