September 6, 2017
On Tuesday, September 5, 2017, a critical new Remote Code Execution (RCE) vulnerability was disclosed against the Apache Struts 2 REST Plugin [1], affecting every version of the plugin shipped with Struts 2 from 2.0.0 through 2.5.12 (inclusive). The plugin uses XStream to deserialize HTTP request bodies without any type enforcement, allowing an attacker to specify unexpected types and cause arbitrary, malicious behavior.
Exploitation can occur in a single, possibly unauthenticated HTTP request. However, unlike previous Struts 2 vulnerabilities, the likelihood of weaponized mass exploitation of this vulnerability is estimated to be low for the following reasons:
However, targeted exploitation is not technically challenging, and exploitation frameworks such as Metasploit are in the process of adding it as of this writing [3].
Given that this is an arbitrary remote code execution vulnerability, the impact is critical. Successful exploitation would allow a complete host takeover, including disclosure of any sensitive assets, data corruption, and a permanent foothold in the network for further attacks.
Contrast released a new version of Protect (SaaS deployment) on Wednesday, September 6, 2017 at approximately 6:20 PM EDT, which provides full protection against this vulnerability, as well as broad protection against future deserialization attacks. Customers who are using Protect (SaaS deployment) are now protected against this CVE and need not take further action.
(Contrast Labs has done landmark research in deserialization flaws. In fact, the exploit for this issue is technically very similar to an exploit we released for CVE-2016-0792, a deserialization vulnerability against Jenkins we disclosed in 2016.)
Contrast can protect against this vulnerability across the entire SDL, from early in development all the way through production. Simply adding the Contrast agent to your development, test, and production environments quickly provides broad protection against this and other vulnerabilities.
For applications that do not have Contrast Protect in place, there is really only one other option: upgrade to the latest patched release, Struts 2.5.13 or Struts 2.3.34, which will require recoding, retesting, and redeploying those applications.
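The root cause described above is an XStream instance that will instantiate whatever class the incoming XML names. The following is an added illustration, not code from the Struts project or from Contrast, of the allowlist approach that XStream's own security framework provides and that the Struts fix adopted: an unrestricted XStream beside one that denies every type except the ones the endpoint declares. It assumes XStream 1.4.7 through 1.4.17 (where a bare `new XStream()` accepts any class) and a hypothetical `OrderRequest` body type; the sample XML documents are constructed.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    /** Hypothetical request body type that a REST endpoint expects. */
    public static class OrderRequest {
        public String sku;
        public int quantity;
    }

    /** Unrestricted: XStream instantiates whatever class the XML element names. */
    public static XStream unrestricted() {
        XStream xs = new XStream();
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    /** Hardened: deny all types first, then allow only what this endpoint needs. */
    public static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny everything by default
        xs.addPermission(NullPermission.NULL);                // permit null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // permit int, boolean, ...
        xs.allowTypes(new Class[] { String.class, OrderRequest.class });
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample: the only shape of document the endpoint should accept.
        String expected = "<order><sku>ABC-123</sku><quantity>2</quantity></order>";
        // Constructed sample: a document naming a type the endpoint never declared.
        // java.util.HashMap is harmless; the point is that the caller chose the type.
        String unexpected = "<java.util.HashMap/>";

        OrderRequest ok = (OrderRequest) hardened().fromXML(expected);
        System.out.println("hardened parsed " + ok.sku + " x" + ok.quantity);

        Object o = unrestricted().fromXML(unexpected);
        System.out.println("unrestricted instantiated " + o.getClass().getName());

        try {
            hardened().fromXML(unexpected);
        } catch (ForbiddenClassException e) {
            System.out.println("hardened rejected: " + e.getMessage());
        }
    }
}
```

The hardened instance keeps working for the declared body type and throws `ForbiddenClassException` for any other class name, which is the behavior to look for when reviewing XStream usage in your own applications.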
Sept 5, 10:30 AM EDT - lgtm announces vulnerability discovery [4].
Sept 5, 10:00 PM EDT - exploit from China published to GitHub [5].
Sept 5, 11:30 PM EDT - Contrast Labs verifies exploitability and identifies limited product gaps.
Sept 6, 10:00 AM EDT - Contrast Engineering and Contrast Labs perform final testing on Java Agent product changes and begin production deployment.
Sept 6, 6:20 PM EDT - Last region has Java Agent deployed.
[1] https://struts.apache.org/docs/s2-052.html
[2] http://www.zdnet.com/article/critical-security-bug-threatens-fortune-100-companies/
[3] https://github.com/rapid7/metasploit-framework/pull/8924
[4] https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement
[5] https://github.com/jas502n/St2-052/commit/471d519276230e4bdc878326a5714338669e6055#diff-04c6e90faac2675aa89e2176d2eec7d8
[6] https://mvnrepository.com/artifact/org.apache.struts/struts2-core/usages
[7] https://mvnrepository.com/artifact/org.apache.struts/struts2-rest-plugin/usages