Protecting Apache Struts through DAST, SAST, and SCA

On August 22, 2018, the Apache Struts project published security bulletin S2-057 and a patch for a critical remote code execution vulnerability, tracked as CVE-2018-11776. Apache Struts is a Java-based web application framework used by an estimated 65 percent of Fortune 100 companies. With this vulnerability an attacker can exploit a web application running a vulnerable Struts version using nothing more than a browser: a single crafted request is enough, and the application will execute code of the attacker's choosing with the privileges of the web server process. With that foothold the intruder could take any number of actions, including adding or deleting files or copying internal back-end databases.

The Facts:
Product & Versions: Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16
Fixed In: Apache Struts 2.3.35 and 2.5.17
Identifiers: S2-057, CVE-2018-11776
Category: Remote Code Execution

The finder in this case was Man Yue Mo of the Semmle Security Research team. He noticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 share a possible Remote Code Execution (RCE) flaw: user-supplied input is evaluated as an Object-Graph Navigation Language (OGNL) expression without sufficient validation. OGNL is the expression language Struts uses for getting and setting properties and for array manipulation, so anything it evaluates runs as code inside the application, and the same root cause could give rise to further RCEs in the future. In this instance the unvalidated input is the namespace portion of the request URL. It is picked up when the framework is configured to always select the full namespace (the struts.mapper.alwaysSelectFullNamespace constant set to true) and one of two configurations is present: a result is defined with no namespace while the action(s) above it have no or a wildcard namespace, or a URL tag is used with neither a value nor an action set while the action(s) above it have no or a wildcard namespace.
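As an added illustration (not WhiteHat's scanner logic and not Apache's own code), the following Python script checks a struts.xml for the configuration pattern just described: the always-select-full-namespace constant turned on, together with packages that have no namespace or a wildcard namespace and whose chain or redirectAction results forward to another action without a namespace parameter. The two struts.xml documents are constructed samples, the action class names are placeholders, and treating chain and redirectAction as the result types that forward to another action is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Assumption for this example: chain and redirectAction are the result types
# that forward to another action and therefore need a namespace of their own.
ACTION_FORWARDING_RESULT_TYPES = {"chain", "redirectAction"}
FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample: the risky shape described in S2-057. A real struts.xml
# also starts with a DOCTYPE line; it is omitted so the sample parses without
# a DTD. Class names are placeholders.
RISKY_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default" namespace="/*">
    <action name="actionChain1" class="com.example.Chain1Action">
      <result type="chain">actionChain2</result>
    </action>
    <action name="actionChain2" class="com.example.Chain2Action">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
    <action name="home" class="com.example.HomeAction">
      <result>/WEB-INF/home.jsp</result>
    </action>
  </package>
</struts>
"""

# Constructed sample: the same actions with the workaround applied, i.e. the
# constant off, a concrete package namespace, and every forwarding result
# given an explicit namespace parameter.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" extends="struts-default" namespace="/app">
    <action name="actionChain1" class="com.example.Chain1Action">
      <result type="chain">
        <param name="actionName">actionChain2</param>
        <param name="namespace">/app</param>
      </result>
    </action>
    <action name="actionChain2" class="com.example.Chain2Action">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
    <action name="home" class="com.example.HomeAction">
      <result>/WEB-INF/home.jsp</result>
    </action>
  </package>
</struts>
"""


def namespace_is_open(ns):
    """No namespace, an empty one, or a wildcard one all count as 'open'."""
    return ns is None or ns.strip() == "" or "*" in ns


def audit_struts_xml(xml_text):
    """Report the two advisory conditions and whether both hold at once."""
    root = ET.fromstring(xml_text)

    full_ns = any(
        c.get("name") == FULL_NS_CONSTANT
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )

    unscoped = []  # (package, action, result type) triples lacking a namespace param
    for pkg in root.iter("package"):
        if not namespace_is_open(pkg.get("namespace")):
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")  # dispatcher is the default type
                if rtype not in ACTION_FORWARDING_RESULT_TYPES:
                    continue
                has_ns = any(p.get("name") == "namespace" for p in result.findall("param"))
                if not has_ns:
                    unscoped.append((pkg.get("name"), action.get("name"), rtype))

    return {
        "always_select_full_namespace": full_ns,
        "unscoped_results": unscoped,
        "matches_s2_057_pattern": full_ns and bool(unscoped),
    }


if __name__ == "__main__":
    for label, doc in (("risky", RISKY_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        print(label, audit_struts_xml(doc))
```

One caveat: the constant can also be switched on by a plugin rather than in struts.xml, so a configuration audit like this can miss an exposed deployment; checking the installed Struts version is the reliable test.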

Organizations running a web application firewall such as F5's ASM can block the known exploit patterns at the edge. A WAF signature is a mitigation, not a fix: the vulnerability persists in the application and remains a risk until Struts is upgraded to a patched release (2.3.35 or 2.5.17, or the current version).

WhiteHat Dynamic scanning was updated by the end of the day the advisory was released. Our engineers added the Vulnerability Tags 'S2-057' and 'CVE-2018-11776' to the finding. Existing customers with concerns about Apache Struts in their environment should open a case, and our TRC will help identify assets at risk.

Both WhiteHat source code scanning and Software Composition Analysis (SCA) flag this risk as a Vulnerable 3rd Party Library finding. In addition to library dependency checking and well-established rules for uncovering known vulnerabilities, WhiteHat's SCA solution polls the National Vulnerability Database directly for new CVEs, allowing us to flag them as soon as they are published.
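The dependency check an SCA tool performs for this advisory, written out as an added example (it is not WhiteHat's SCA engine): read a Maven pom.xml, resolve the struts2-core version (including one supplied as a ${property}, as real builds often do), and compare it numerically against the affected ranges listed above. Numeric comparison matters because a string comparison would place 2.3.4 after 2.3.34. The pom.xml is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Affected ranges from the S2-057 advisory as inclusive (low, high) tuples:
# 2.3 through 2.3.34 and 2.5 through 2.5.16.
AFFECTED_RANGES = (((2, 3), (2, 3, 34)), ((2, 5), (2, 5, 16)))


def parse_version(version):
    """'2.5.16' -> (2, 5, 16); a qualifier such as '-SNAPSHOT' is dropped."""
    core = re.split(r"[-+]", version.strip(), maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """Tuple comparison keeps 2.3.4 below 2.3.34, unlike string order."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def struts_core_versions(pom_text):
    """Every struts2-core version declared in a pom.xml, properties resolved."""
    root = ET.fromstring(pom_text)
    props = {
        p.tag.split("}")[-1]: (p.text or "").strip()
        for p in root.findall("m:properties/*", POM_NS)
    }
    versions = []
    for dep in root.iter("{%s}dependency" % POM_NS["m"]):
        group = (dep.findtext("m:groupId", default="", namespaces=POM_NS) or "").strip()
        artifact = (dep.findtext("m:artifactId", default="", namespaces=POM_NS) or "").strip()
        version = (dep.findtext("m:version", default="", namespaces=POM_NS) or "").strip()
        if group != "org.apache.struts" or artifact != "struts2-core":
            continue
        prop_ref = re.fullmatch(r"\$\{([^}]+)\}", version)
        if prop_ref:  # e.g. ${struts.version}, looked up in <properties>
            version = props.get(prop_ref.group(1), version)
        versions.append(version)
    return versions


def audit_pom(pom_text):
    """Map each declared struts2-core version to whether S2-057 applies."""
    return {v: is_affected(v) for v in struts_core_versions(pom_text)}


# Constructed sample pom.xml with the Struts version supplied through a property.
VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.5.16</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed sample: the same build after upgrading to the patched release.
PATCHED_POM = VULNERABLE_POM.replace("2.5.16", "2.5.17")

if __name__ == "__main__":
    print(audit_pom(VULNERABLE_POM))  # {'2.5.16': True}
    print(audit_pom(PATCHED_POM))     # {'2.5.17': False}
```

A check like this only sees what the build file declares; a Struts jar shipped inside a WAR or pulled in transitively needs the same version test run against the resolved dependency tree or the deployed artifact.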