Information Security & Policy
UPDATE: Exploit code available: Remote code execution in Apache Struts 2

Wednesday, September 06, 2017

UPDATE 9/8/2017

The University Information Security Office (UISO) would like to draw attention to an additional vulnerability found in Apache Struts 2. A remote code execution vulnerability exists when a developer uses an unintentional expression in a FreeMarker tag. This vulnerability affects Apache Struts versions 2.0.1 through 2.3.33 and 2.5 through 2.5.10. Upgrading Apache Struts 2 to version 2.5.13 mitigates both vulnerabilities described in this bulletin. If you already patched for the vulnerability announced September 5, no further action is needed to protect against this new vulnerability.

Background

On Sept. 5, 2017, a critical remote code execution vulnerability was identified in the REST plugin of Apache Struts 2. At the time of writing there are no reports of this vulnerability being exploited in the wild; however, because Apache Struts 2 with the REST plugin is widely used and exploit code has been made publicly available, reports of successful exploitation are anticipated.

Impact

Applications developed with the Apache Struts 2 framework that use the REST plugin are vulnerable to attack. An attacker can gain access to the server by sending a specially crafted web request to the vulnerable application and, upon successful exploitation, can execute arbitrary code. Web applications reachable from the Internet are more likely to be attacked; however, any web application that uses Apache Struts 2 with the REST plugin is vulnerable. The weakness lies in the way the REST plugin deserializes untrusted data.

Please see UISO Recommendations and Workarounds below for further steps that must be taken.

Platforms Affected

  • Apache Struts versions 2.5 through 2.5.12
  • Apache Struts versions 2.0.1 through 2.3.33

Local observations

Using network sensors, the University Information Security Office monitors the IU network for exploitation attempts against networked devices, including vulnerable applications. A device that is successfully compromised will be blocked from the network.

Apache Struts 2 is part of Extra Packages for Enterprise Linux (EPEL). Indiana University's Red Hat Enterprise Linux (RHEL) Satellite distributes patches for the 1.3 branch of Apache Struts, not for Struts 2, so applications that bundle Struts 2 will not be fixed by Satellite updates and must be upgraded by their developers.

UISO recommendations

  • Upgrade Apache Struts 2 to version 2.5.13.
  • Subscribe to relevant email lists and review blogs for any mention of security bulletins for Apache Struts 2.
  • Have your web applications and sites scanned for vulnerabilities by the UISO.
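To turn the Platforms Affected list and the upgrade recommendation above into a repeatable check, the following inventory script is added here as an example; it is not UISO code or part of the original bulletin. It reads jar names from an exploded deployment directory or from a packaged WAR/EAR, compares the struts2-core version against the ranges stated in this bulletin, and reports whether the REST plugin is also on the classpath. The WEB-INF/lib layout, the sample versions and the empty placeholder jars in the built-in sample are constructed assumptions, and the script identifies versions by jar file name only, so a renamed or shaded jar will not be detected.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Affected version ranges as listed in the bulletin (inclusive bounds),
# compared as (major, minor, patch) tuples. The bulletin names 2.5.13 as the fix.
AFFECTED_RANGES = (
    ((2, 0, 1), (2, 3, 33)),
    ((2, 5, 0), (2, 5, 12)),
)
FIXED_VERSION = (2, 5, 13)

# Matches Maven-style artifact names such as struts2-core-2.5.10.jar or
# struts2-rest-plugin-2.3.33.jar; an optional qualifier (e.g. -SNAPSHOT) is tolerated.
ARTIFACT_RE = re.compile(
    r"^struts2-(?P<artifact>core|rest-plugin)-(?P<ver>\d+\.\d+(?:\.\d+)?)(?:[-.][\w.]+)?\.jar$"
)


def parse_version(text):
    """'2.5.10' -> (2, 5, 10); a missing patch component counts as 0, so '2.5' -> (2, 5, 0)."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the version falls inside one of the bulletin's affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify(jar_names):
    """Summarise one application's classpath from its jar file names."""
    core = None
    rest_plugin = False
    for name in jar_names:
        m = ARTIFACT_RE.match(Path(name).name)
        if m is None:
            continue
        if m.group("artifact") == "core":
            core = parse_version(m.group("ver"))
        else:
            rest_plugin = True
    if core is None:
        return {"core_version": None, "rest_plugin": rest_plugin,
                "affected": False, "rest_exposed": False,
                "action": "no struts2-core jar found"}
    affected = is_affected(core)
    result = {
        "core_version": ".".join(map(str, core)),
        "rest_plugin": rest_plugin,
        "affected": affected,
        # The REST deserialization flaw requires the plugin on the classpath.
        "rest_exposed": affected and rest_plugin,
    }
    if affected:
        result["action"] = "upgrade to " + ".".join(map(str, FIXED_VERSION))
    else:
        result["action"] = "no action required by this bulletin"
    return result


def jar_names_in(source):
    """Collect jar names from a directory tree, or from a .war/.ear archive given
    as a path or a file-like object (the WEB-INF/lib jars are zip members)."""
    if isinstance(source, (str, Path)) and Path(source).is_dir():
        return [p.name for p in Path(source).rglob("*.jar")]
    if zipfile.is_zipfile(source):
        with zipfile.ZipFile(source) as zf:
            return [n for n in zf.namelist() if n.endswith(".jar")]
    return []


def build_sample_war(core_version, with_rest_plugin=True):
    """Constructed sample: an in-memory WAR whose lib entries are empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(f"WEB-INF/lib/struts2-core-{core_version}.jar", b"")
        if with_rest_plugin:
            zf.writestr(f"WEB-INF/lib/struts2-rest-plugin-{core_version}.jar", b"")
    buf.seek(0)
    return buf


def check_sample(core_version, with_rest_plugin=True):
    """Classify a constructed WAR; used by the demo below."""
    return classify(jar_names_in(build_sample_war(core_version, with_rest_plugin)))


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        # No paths given: run against constructed samples so the output is self-explanatory.
        for ver, rest in (("2.5.10", True), ("2.3.33", False), ("2.5.13", True)):
            print(f"sample struts2 {ver} (rest plugin: {rest}):", check_sample(ver, rest))
    for target in targets:
        print(target, classify(jar_names_in(target)))
```

Run it with one or more paths to WAR files or exploded application directories; with no arguments it classifies the constructed samples. Any application whose core version is flagged as affected should be scheduled for the 2.5.13 upgrade regardless of whether the REST plugin is present, since the bulletin's update covers a second flaw that does not depend on that plugin.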

Workarounds

No workarounds exist to mitigate this vulnerability. Developers can disable the Struts REST plugin; however, this will likely break application functionality.

Further reading

  • Patch released for Critical Apache Struts Bug
  • Apache Struts Security Bulletins

Copyright © 2021 The Trustees of Indiana University