The Apache Software Foundation today released an update to Apache Struts, its open-source web application framework, to fix a critical remote code execution vulnerability that lets an attacker take control of any server running an application built on the framework's REST plugin. Firewalls are no defence, because the malicious payload arrives in an ordinary HTTP request to the application.
Developers use Apache Struts to build enterprise-wide Java EE web applications. The bug, which affects all versions of the framework since 2008, was discovered in July by Man Yue Mo, a security researcher at lgtm, a company that provides free software engineering analytics to open-source projects.
Officially designated CVE-2017-9805, the flaw is an unsafe deserialization bug: the Struts REST plugin passes data that arrives over the network, in practice the body of an HTTP request, to the XStream library, which turns the XML back into Java objects of whatever classes the data names, without first checking that those classes are safe to instantiate. An attacker who controls the request therefore controls which code runs. Mo explains the mechanism in a threat analysis published on Tuesday. lgtm has a working exploit for the vulnerability that requires merely a web browser to execute, but the company is not publishing it at this time.
Semmle and lgtm are warning that similar past exploits have resulted in customer record theft and operational disruption. "At the time of the announcement, there is no suggestion that an exploit is publicly available, but it is likely that there will be one soon," the analysis states.
The general release of Struts version 2.5.13 addresses this vulnerability, along with two denial-of-service bugs, and introduces a variety of additional improvements, the Apache Software Foundation announced on Tuesday.
Struts users are urged to update their product right away. "This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability, it can critically damage thousands of enterprises," said Oege de Moor, CEO and founder of Semmle, lgtm's parent company, in a blog post written by Semmle product manager Bas van Schaik.
In his company's blog post, Mo notes that Struts is used to develop a wide variety of customer-facing web applications, including those used for internet banking and airline booking.
The post also quotes a CISO at an unnamed tier-one bank, who said before the fix was available that the vulnerability could prove worse than the infamous POODLE SSL attack, because remediation would be complicated and would require code changes before a patch could be applied. The Struts security team nonetheless produced a fix quickly, Mo notes in his analysis, "even though it is a fairly non-trivial task that requires API changes."
Still, Tod Beardsley, research director at Rapid7, said that the flaw has significant implications for the teams that have to patch it.
"The problem with deserialization vulnerabilities is that oftentimes, application code relies precisely on the unsafe deserialization routines being exploited. Therefore, anyone who is affected by this vulnerability needs to go beyond merely applying a patch and restarting the service, since the patch will make changes to how the underlying application will treat incoming data," said Beardsley. "Updates [like Apache's] that mention 'it is possible that some REST actions stop working' are enough to cause cold sweats for IT operations folks who need to both secure their infrastructure and ensure that applications continue to function normally."
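As an added illustration of the mechanism Mo describes and of the compatibility caveat Beardsley raises, the following Java example drives the XStream library directly. It was written for this page and is not code from the article, from Semmle/lgtm or from the Struts project. It assumes XStream 1.4.7 or later on the classpath; the `Order` and `Refund` classes, the element aliases and the three request bodies are constructed for the demonstration and stand in for what a REST action would receive in an `application/xml` POST.

```java
// Added example, not code from the article, from Semmle/lgtm or from the Struts
// project. It reproduces the bug class behind CVE-2017-9805 with XStream directly:
// the XML request body names the class to instantiate, and the parser obeys unless
// an allow-list says otherwise. Assumes XStream 1.4.7 or later on the classpath.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowListDemo {

    /** Hypothetical DTO one REST action expects in its request body. */
    public static class Order {
        public String sku;
        public int quantity;
    }

    /** Hypothetical DTO a second REST action expects; deliberately omitted from the allow-list. */
    public static class Refund {
        public String orderId;
    }

    // Constructed request bodies, standing in for a Content-Type: application/xml POST.
    static final String ORDER_XML  = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
    static final String REFUND_XML = "<refund><orderId>42</orderId></refund>";
    // The client, not the application, chose this element name. java.util.HashMap is a
    // harmless stand-in: a real exploit names a class whose deserialization runs code.
    static final String ATTACKER_XML = "<java.util.HashMap/>";

    /** Pre-fix behaviour: every class on the classpath is fair game. */
    static XStream unrestricted() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        xs.alias("refund", Refund.class);
        // Older XStream releases did this implicitly; spelled out here so the demo
        // behaves the same on current releases, which ship with a default allow-list.
        xs.addPermission(AnyTypePermission.ANY);
        return xs;
    }

    /** Post-fix behaviour: deny everything, then re-admit only what the action needs. */
    static XStream allowListed() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        xs.alias("refund", Refund.class);
        xs.addPermission(NoTypePermission.NONE);           // wipe any existing permissions
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Order.class });
        return xs;
    }

    /** Parses one body and reports which class was actually instantiated, or why not. */
    static String attempt(XStream xs, String body) {
        try {
            Object o = xs.fromXML(body);
            return "instantiated " + o.getClass().getName();
        } catch (ForbiddenClassException e) {
            return "refused: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        XStream open = unrestricted();
        XStream safe = allowListed();
        System.out.println("unrestricted, order    -> " + attempt(open, ORDER_XML));
        System.out.println("unrestricted, attacker -> " + attempt(open, ATTACKER_XML)); // a HashMap is built
        System.out.println("allow-list,   order    -> " + attempt(safe, ORDER_XML));
        System.out.println("allow-list,   attacker -> " + attempt(safe, ATTACKER_XML)); // refused
        // The regression Beardsley warns about: a legitimate action whose type was not
        // re-admitted now fails until Refund.class is added to allowTypes().
        System.out.println("allow-list,   refund   -> " + attempt(safe, REFUND_XML));    // refused too
    }
}
```

In the unrestricted configuration the element name in the body decides which class gets instantiated, which is the whole bug. The allow-listed configuration refuses the attacker-chosen class, but it also refuses the `Refund` body until that type is added to `allowTypes()`: that is exactly the "some REST actions stop working" regression an operations team has to test for after upgrading, rather than assuming the patch is drop-in.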