The developers of the popular Apache Struts development framework for Java-based web applications have fixed a critical vulnerability that could be exploited to compromise servers.
The vulnerability, tracked as CVE-2017-9805, was discovered by researchers from software engineering analytics firm Semmle and is located in the popular REST plugin for Struts version 2. It is caused by deserialization of untrusted data and can lead to remote code execution on web servers running vulnerable applications.
The flaw was fixed in Struts 2.5.13, released Tuesday, by implementing class restrictions per REST action. This means that in addition to updating Struts, developers will also have to check whether the new restrictions break functionality in their applications and, if so, adapt the class whitelist accordingly.
“Because the Struts developers have chosen very wisely to protect their users by default against this vulnerability, those users who want to use certain types of data in Struts will have to whitelist those data types themselves,” said Bas van Schaik, product manager at Semmle. “If they don’t do that, their application will stop working.”
The Semmle researchers will hold back from releasing a working proof-of-concept until Struts users have had sufficient time to upgrade. However, this doesn’t mean attackers won’t figure out how to exploit the vulnerability on their own by analyzing the patch.
Back in March, a remote code execution flaw was fixed in Struts’ Jakarta Multipart parser. Hours later, an exploit for the vulnerability appeared on Chinese-language websites and widespread attacks followed soon after. Some hackers exploited the flaw to install DDoS malware on servers while others took advantage of it to install the Cerber ransomware program.
What those attacks showed is that Struts-based web applications are an attractive target for hackers, which is worrying given that many of them handle sensitive customer data and business processes for large companies.
Semmle worked with Fintan Ryan, an analyst with RedMonk, to determine the potential impact of this flaw and according to him, at least 65 percent of the Fortune 100 companies are actively using web applications built with the Struts framework. This includes organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime.
Over the past few years, deserialization has become a significant source of serious vulnerabilities for Java web applications. Deserialization is the reconstruction of data after it has been converted to a binary format — serialized — in order to be sent over the network or to be stored in memory.
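The fix described above (a deny-by-default class whitelist per REST action) and the definition of deserialization just given both come down to one principle: never let an attacker-supplied byte stream decide which classes get instantiated. The example below is added here to illustrate that principle with plain Java serialization and the JDK’s own `java.io.ObjectInputFilter` (available since Java 9); it is not code from Struts or Semmle, and Struts’ actual fix lives in its REST plugin rather than in this JDK mechanism. The `Order` and `InternalConfig` classes are hypothetical stand-ins for an application’s legitimate request type and for a serializable class that must never arrive over the network.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not Struts code): deny-by-default deserialization with the
// JDK's ObjectInputFilter (JEP 290, java.io.ObjectInputFilter needs Java 9+).
public class AllowlistDeserialization {

    // Hypothetical request type that the endpoint legitimately accepts.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        Order(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }

    // Hypothetical class that is Serializable but must never come from the network.
    public static final class InternalConfig implements Serializable {
        private static final long serialVersionUID = 1L;
        final String adminPassword = "placeholder-not-a-real-secret";
    }

    // Allowlist: Order plus the JDK types it contains; the trailing "!*" rejects
    // every other class. Pattern syntax is the JDK's: ';'-separated entries,
    // '!' negates, '*' is a wildcard, and maxdepth/maxarray bound stream size.
    static final ObjectInputFilter ORDER_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;"
          + AllowlistDeserialization.class.getName() + "$Order;"
          + "java.lang.String;"
          + "!*");

    // Helper that produces a serialized byte stream for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed. A class outside the allowlist is
    // rejected before it is instantiated; the JDK raises InvalidClassException.
    static Object deserializeWithAllowlist(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ORDER_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Legitimate input: an Order built and serialized locally (constructed sample).
        byte[] ok = serialize(new Order("SKU-1", 3));
        Order o = (Order) deserializeWithAllowlist(ok);
        System.out.println("accepted: " + o.sku + " x" + o.quantity);

        // Unexpected input: a class the endpoint never asked for (constructed sample).
        byte[] unexpected = serialize(new InternalConfig());
        try {
            deserializeWithAllowlist(unexpected);
            System.out.println("BUG: InternalConfig was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The point to take from the example is the shape of the policy, not the specific classes: the filter enumerates what the endpoint is allowed to receive and ends with `!*`, so any class not named is refused before its constructor or `readObject` runs. That is the same trade-off van Schaik describes for Struts 2.5.13: a class that is legitimately needed but not on the list will now be rejected, so the allowlist has to be maintained alongside the application’s data types.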
Java deserialization bugs came under the spotlight after a critical one was found in the Collections component of the Apache Commons library in 2015. That bug had a particularly widespread impact because the affected library was used by default in Java application servers and other products including Oracle WebLogic, IBM WebSphere, JBoss, Jenkins and OpenNMS.
Semmle found this latest Struts vulnerability by using its lgtm.com code review service that scans for bugs in over 50,000 open-source projects. The service is a public implementation of Semmle’s commercial technology and allows researchers to treat code as data stored in a database and to write analyses for different types of vulnerabilities. Those analyses are written as queries that look for code errors inside the database.
“We worked with the Struts team to decide on the right strategy for safe disclosure of this vulnerability and we had to conclude that the only way to notify all Struts users was to make this information public and to hope they fix their applications,” van Schaik said. “This security issue has been present in Struts version 2 since 2008 and while we are not aware of anyone abusing it at this stage, I expect that someone will reverse engineer the exploit soon and will start abusing it.”