Apache is warning developers about a critical vulnerability in one of the components of Struts 2.3.x that can lead to remote code execution on apps built on top of the framework.
The vulnerability is in the commons-fileupload component, which is the built-in file upload mechanism for Struts. It affects any app built on Struts 2.3.x, because those versions ship the vulnerable commons-fileupload 1.3.2 library. The bug itself is not new: researchers disclosed it to the Apache Software Foundation in 2016, and Apache released a patched version of the library at the time, which was included in Struts 2.5.x.
“There exists a Java Object in the Apache Commons FileUpload library that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations. Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call. This may or may not work depending on an application's implementation of the FileUpload library,” the original advisory from Tenable Security says.
However, the vulnerable library was never replaced in the 2.3.x branch of Struts. So developers on that branch now need to move to version 1.3.3 of the library themselves, replacing the vulnerable jar in each deployed app that includes it.
“There is no simple ‘new Struts version’ to fix this. You will have to swap out the commons-fileupload library manually,” said Johannes Ullrich, dean of research at the SANS Institute.
Apache officials said in the advisory on the vulnerability that developers should update as soon as possible, due to the potential for remote code execution if the vulnerability is exploited.
“This is necessary to prevent your publicly accessible web site from being exposed to possible Remote Code Execution attacks,” the advisory says.
“Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.”
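The advisory's remediation is a jar swap in each deployed app, which means the first job is an inventory: which webapps on a host still carry a commons-fileupload older than 1.3.3, including copies that were renamed so the filename no longer reveals the version. The script below is an added example for this article, not code from Apache, Struts or the advisory. It walks a deployment root, looks inside every WEB-INF/lib, identifies commons-fileupload jars by filename or, failing that, by the Implementation-Title and Implementation-Version in the jar's manifest, flags anything below 1.3.3 (the fixed version named in the article), and performs the drop-in replacement. The directory layout, function names and the sample jars (constructed zip files holding only a manifest, not real Apache artifacts) are all assumptions made for the example.

```python
"""Audit WEB-INF/lib directories for vulnerable commons-fileupload jars and
swap in the fixed one. Added example; assumptions: fixed version is 1.3.3,
jars are identified by filename or manifest, sample jars are constructed."""
import os
import re
import shutil
import tempfile
import zipfile

FIXED_VERSION = (1, 3, 3)                     # first fixed release per the advisory
NAME_RE = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)\.jar$")
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text):
    """'1.3.10' -> (1, 3, 10); tuples compare correctly, strings would not."""
    return tuple(int(p) for p in text.split("."))


def manifest_version(jar_path):
    """Version from META-INF/MANIFEST.MF, only if the jar says it is FileUpload."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    fields = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith(" "):   # skip continuation lines
            key, _, val = line.partition(":")
            fields[key.strip().lower()] = val.strip()
    ident = fields.get("implementation-title", "") + fields.get("bundle-symbolicname", "")
    if "fileupload" not in ident.lower():
        return None
    ver = fields.get("implementation-version") or fields.get("bundle-version") or ""
    return parse_version(ver) if VERSION_RE.match(ver) else None


def jar_version(jar_path):
    """Prefer the version in the filename; fall back to the manifest for renamed jars."""
    m = NAME_RE.match(os.path.basename(jar_path))
    return parse_version(m.group(1)) if m else manifest_version(jar_path)


def audit(root):
    """Return sorted (jar_path, version, vulnerable) for every FileUpload jar
    found in a WEB-INF/lib directory below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not dirpath.replace(os.sep, "/").endswith("WEB-INF/lib"):
            continue
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                if ver is not None:
                    findings.append((path, ver, ver < FIXED_VERSION))
    return sorted(findings)


def swap_jar(vulnerable_jar, fixed_jar):
    """The advisory's drop-in replacement: copy the fixed jar into the same
    WEB-INF/lib and delete the old one. Redeploy or restart the container after."""
    dest = os.path.join(os.path.dirname(vulnerable_jar), os.path.basename(fixed_jar))
    shutil.copy2(fixed_jar, dest)
    if os.path.abspath(dest) != os.path.abspath(vulnerable_jar):
        os.remove(vulnerable_jar)
    return dest


def make_jar(path, title, version):
    """Constructed stand-in for a jar: a zip containing only a manifest."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n"
                    "Implementation-Title: %s\r\nImplementation-Version: %s\r\n"
                    % (title, version))
    return path


def demo():
    """Build a constructed deployment tree, audit it, fix it, audit again.
    Returns the two audits with paths made relative to the temp root."""
    root = tempfile.mkdtemp()
    try:
        make_jar(os.path.join(root, "portal", "WEB-INF", "lib", "commons-fileupload-1.3.2.jar"),
                 "Apache Commons FileUpload", "1.3.2")          # vulnerable, obvious name
        make_jar(os.path.join(root, "intranet", "WEB-INF", "lib", "upload-lib.jar"),
                 "Apache Commons FileUpload", "1.3.3")          # fixed, but renamed
        make_jar(os.path.join(root, "intranet", "WEB-INF", "lib", "commons-io-2.2.jar"),
                 "Commons IO", "2.2")                            # unrelated jar, ignored
        fixed = make_jar(os.path.join(root, "staging", "commons-fileupload-1.3.3.jar"),
                         "Apache Commons FileUpload", "1.3.3")   # replacement to deploy
        rel = lambda rows: [(os.path.relpath(p, root).replace(os.sep, "/"), v, f)
                            for p, v, f in rows]
        before = audit(root)
        for path, _ver, vulnerable in before:
            if vulnerable:
                swap_jar(path, fixed)
        return rel(before), rel(audit(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, rows in zip(("before", "after"), demo()):
        for path, ver, vulnerable in rows:
            print(label, path, ".".join(map(str, ver)), "VULNERABLE" if vulnerable else "ok")
```

Point `audit()` at a container's webapps directory (or at an exploded WAR) and act on every row flagged vulnerable; a jar whose name was changed but whose manifest still says Commons FileUpload is caught by the manifest fallback. For applications built from source, the equivalent fix is to pin commons-fileupload to 1.3.3 in the build so the next WAR does not reintroduce the old jar, which the audit will confirm on the next deployment.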
Apache Struts is a web framework for building Java web applications, and it has been a frequent target for attackers over the years. In 2017, the attackers who compromised Equifax in one of the largest data breaches in history exploited a Struts vulnerability in one of Equifax’s web apps to gain access to the company’s backend systems.
“The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application,” the company said in a statement on the attack in September 2017.