UPDATE 9/8/2017
The University Information Security Office (UISO) would like to draw attention to an additional vulnerability found in Apache Struts 2. A remote code execution vulnerability exists when a developer passes an unintentional expression, rather than a string literal, to a FreeMarker tag. This vulnerability affects Apache Struts versions 2.0.1 through 2.3.33 and 2.5 through 2.5.10. Upgrading Apache Struts 2 to version 2.5.13 mitigates both vulnerabilities described in this bulletin. If you already upgraded to 2.5.13 in response to the vulnerability announced September 5, no further action is needed to protect against this new vulnerability.
Background
On Sept. 5, 2017, a critical remote code execution vulnerability was identified in the REST plugin of Apache Struts 2. At the time of writing there are no reports of this vulnerability being exploited in the wild. However, exploit code has been made publicly available, and because Apache Struts 2 with the REST plugin is widely deployed, reports of successful exploitation are anticipated.
Impact
Applications that have been developed with the Apache Struts 2 framework and which use the REST plugin are vulnerable to attack. An attacker can gain access to the server by sending a specially crafted web request to the vulnerable application; on successful exploitation, the attacker can execute arbitrary code in the context of the application server process. Web applications that are reachable from the Internet are more likely to be attacked; however, any web application that uses Apache Struts 2 together with the REST plugin is vulnerable, regardless of where it is hosted. The root cause is that the REST plugin deserializes untrusted data from the request.
Please see UISO Recommendations and Workarounds below for further steps that must be taken.
Platforms Affected
- Apache Struts versions 2.5 through 2.5.12
- Apache Struts versions 2.0.1 through 2.3.33
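The version ranges above are the check an application owner actually has to perform against each deployment. The following script is an added example for this bulletin, not UISO or Apache Struts code. It assumes the standard Maven jar naming (struts2-core-<version>.jar and struts2-rest-plugin-<version>.jar) under a directory such as an exploded WAR's WEB-INF/lib, and applies both sets of ranges from this bulletin: the REST plugin issue requires an affected struts2-core plus the plugin jar, while the FreeMarker issue (2.0.1 through 2.3.33 and 2.5 through 2.5.10) needs only an affected struts2-core. The jar names in demo() are constructed sample input.

```python
"""Inventory check for the Struts 2 versions this bulletin lists as affected.

Added example for this bulletin; it is not UISO or Apache code. It scans a
directory (for example an exploded WAR's WEB-INF/lib) for struts2-core and
struts2-rest-plugin jars and reports whether the struts2-core version falls
inside the affected ranges stated in the bulletin. The jar names created in
demo() are constructed for illustration only.
"""
import re
import sys
import tempfile
from pathlib import Path

# Inclusive ranges taken from the bulletin, as (major, minor, patch) tuples.
REST_PLUGIN_AFFECTED = [((2, 0, 1), (2, 3, 33)), ((2, 5, 0), (2, 5, 12))]
FREEMARKER_AFFECTED = [((2, 0, 1), (2, 3, 33)), ((2, 5, 0), (2, 5, 10))]

# Matches Maven-style names such as struts2-core-2.5.10.jar or
# struts2-rest-plugin-2.3.33.jar (assumed naming convention).
JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5' -> (2, 5, 0); '2.3.33' -> (2, 3, 33).

    Padded/truncated to three components so tuples compare directly; a
    four-part release such as 2.5.10.1 is treated as its 2.5.10 base.
    """
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def in_ranges(version, ranges):
    """True if version lies inside any of the inclusive (low, high) ranges."""
    return any(low <= version <= high for low, high in ranges)


def find_struts_jars(lib_dir):
    """Map artifact name -> version tuple for Struts 2 jars found under lib_dir."""
    found = {}
    for path in Path(lib_dir).rglob("*.jar"):
        match = JAR_RE.match(path.name)
        if match:
            found[match.group(1)] = parse_version(match.group(2))
    return found


def assess(jars):
    """Apply the bulletin's ranges to an inventory produced by find_struts_jars.

    The REST plugin RCE needs an affected struts2-core *and* the plugin jar;
    the FreeMarker RCE needs only an affected struts2-core.
    """
    core = jars.get("struts2-core")
    if core is None:
        return {"struts2_present": False}
    rest_present = "struts2-rest-plugin" in jars
    rest_rce = rest_present and in_ranges(core, REST_PLUGIN_AFFECTED)
    freemarker_rce = in_ranges(core, FREEMARKER_AFFECTED)
    return {
        "struts2_present": True,
        "core_version": ".".join(str(n) for n in core),
        "rest_plugin_present": rest_present,
        "rest_plugin_rce": rest_rce,
        "freemarker_rce": freemarker_rce,
        "action": "upgrade to 2.5.13" if (rest_rce or freemarker_rce) else "none",
    }


def demo():
    """Scan a constructed WEB-INF/lib holding a 2.5.10 deployment with the REST plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        # Constructed sample jars: empty files carrying realistic names.
        for name in ("struts2-core-2.5.10.jar",
                     "struts2-rest-plugin-2.5.10.jar",
                     "freemarker-2.3.26.jar"):
            (lib / name).touch()
        return assess(find_struts_jars(tmp))


if __name__ == "__main__":
    # Usage: python struts_check.py /path/to/app/WEB-INF/lib  (no argument runs demo())
    result = demo() if len(sys.argv) < 2 else assess(find_struts_jars(sys.argv[1]))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against every deployed application directory, not just the ones believed to use the REST plugin: the FreeMarker issue does not depend on the plugin, and the script only reports "none" when the struts2-core version is outside both sets of ranges.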
Local observations
Using network sensors, the University Information Security Office monitors the IU network for attempts to exploit networked devices, including vulnerable applications. A device that is successfully compromised will be blocked from the network.
Apache Struts 2 is part of Extra Packages for Enterprise Linux (EPEL). Indiana University's Red Hat (RHEL) Satellite distributes patches for the 1.3 branch of Apache Struts, not Struts 2, so a fixed Struts 2 will not arrive through Satellite; application owners must upgrade the Struts 2 libraries bundled with their applications themselves.
UISO recommendations
- Upgrade Apache Struts 2 to version 2.5.13.
- Subscribe to the relevant Apache Struts mailing lists and review security blogs for new Apache Struts 2 security bulletins.
- Have your web applications and sites scanned for vulnerabilities by the UISO.
Workarounds
No workaround short of upgrading mitigates this vulnerability. Developers can remove the Struts REST plugin from the application, which eliminates the exposed code path, but any application that depends on the plugin will stop working; treat this only as a stopgap until the upgrade to 2.5.13 is applied.