
A bug has been found in the core infrastructure of Apache Struts 2. The issue was discovered by the cybersecurity firm Semmle on April 10, and code patches were released on June 25. The Apache Software Foundation is facing a security vulnerability that affects all versions of Apache Struts 2.

Researchers from Semmle uncovered that the security flaw is caused by insufficient validation of untrusted user data in the core Struts framework.

Because the bug, CVE-2018-11776, lies in the Struts core, the team says there are multiple attack vectors that threat actors could use to exploit the vulnerability.

A build is likely vulnerable to attack if the alwaysSelectFullNamespace flag is set to true in the Struts configuration (which is automatically the case when the Struts Convention plugin is in use), or if the Struts configuration file contains a tag that does not specify the optional namespace attribute or specifies a wildcard namespace.
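As an added example (not code from the article, Semmle, or the Struts project), the following Python script audits a struts.xml for the two configuration conditions just described and checks a version string against the fixed releases named further down. It assumes the flag is set through the `struts.mapper.alwaysSelectFullNamespace` constant and that the namespace attribute being checked is the one on `<package>` elements; the sample configuration is constructed for illustration.

```python
"""Audit a Struts 2 configuration for the conditions described in the article."""
import xml.etree.ElementTree as ET

# Assumed constant name used to turn the flag on in struts.xml.
FLAG = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample: one package has no namespace, one uses a wildcard.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="app.IndexAction"><result>/index.jsp</result></action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default"/>
  <package name="any" namespace="/*" extends="struts-default"/>
</struts>"""


def parse_version(version):
    """Turn '2.3.34' into (2, 3, 34) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version):
    """True if the version is at or above the fixed release for its line (2.3.35 / 2.5.17)."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return v >= (2, 3, 35)
    if v[:2] == (2, 5):
        return v >= (2, 5, 17)
    return False  # other lines are not covered by the fixed releases listed


def audit_struts_config(xml_text):
    """Return a list of findings; an empty list means neither condition was seen."""
    findings = []
    root = ET.fromstring(xml_text)  # expat does not fetch the external Struts DTD
    for const in root.iter("constant"):
        if const.get("name") == FLAG and const.get("value", "").lower() == "true":
            findings.append(f"{FLAG} is set to true")
    for pkg in root.iter("package"):
        name = pkg.get("name", "?")
        namespace = pkg.get("namespace")
        if namespace is None:
            findings.append(f"package '{name}' does not specify a namespace")
        elif "*" in namespace:
            findings.append(f"package '{name}' uses wildcard namespace '{namespace}'")
    return findings


if __name__ == "__main__":
    for finding in audit_struts_config(SAMPLE_STRUTS_XML):
        print("FINDING:", finding)
    print("2.5.16 patched?", is_patched("2.5.16"))
```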

“This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and which is known to have been exploited in the past,” says Man Yue Mo from the Semmle Security Research Team.

The vulnerability affects all versions of Apache Struts 2. Firms that use the popular open-source framework are urged to update their builds immediately. Users of Struts 2.3 are advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17.

As the latest releases contain only fixes for the vulnerability, Apache does not expect users to experience any backward compatibility issues.

The Semmle team mentioned, “Previous disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk. All applications that use Struts are potentially vulnerable, even when no additional plugins have been enabled.”
