A new remote code execution vulnerability in Apache Struts 2, CVE-2018-11776, was disclosed yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.
Update August 24, 2018: A dashboard for this vulnerability is now available to download.
Struts improperly validates namespaces, allowing OGNL injection that can lead to full remote code execution on the target system. For a more detailed technical look at the vulnerability, please see our Threat Protection blog on this topic. All Struts versions up to and including 2.3.34 and 2.5.16 are impacted.
Due to the ease of exploitation and relatively common configuration that is required, this vulnerability should be patched immediately for all applications that use Struts 2. Patched versions are Struts 2.3.35 and 2.5.17. A publicly available PoC has already been published, and active attacks against this vulnerability are most likely imminent.
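Two defender-side checks derived from the statements above, written as an added example and not part of the Qualys post or tooling: a version check against the affected and patched releases named here, and a scan of web access log lines for requests whose URL path (the part Struts maps to a namespace) carries OGNL expression syntax. The log lines are constructed samples, and the combined-log-format regex and decoding depth are assumptions.

```python
# Added example, not Qualys code. Covers the affected/patched versions stated in the post
# and a simple access-log check for OGNL expression syntax in the request path.
import re
from urllib.parse import unquote

# First fixed release per branch, as given in the post (2.3.35 and 2.5.17).
PATCHED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(version: str) -> bool:
    """Return True if a Struts 2.3.x or 2.5.x version is below its fixed release."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch not in PATCHED:
        raise ValueError(f"branch {branch} is not covered by this check")
    return ver < PATCHED[branch]


# OGNL expression syntax (${...} or %{...}) appearing in the path component.
# Checked after URL decoding, since it is normally percent-encoded on the wire.
OGNL_IN_PATH = re.compile(r"[$%]\{")
# Assumed combined-log-format request field: "METHOD /target HTTP/x.y"
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_ognl_requests(log_lines):
    """Return (line_no, decoded_path) for requests whose path carries OGNL syntax."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]  # ignore the query string
        decoded = unquote(unquote(path))  # two passes to catch double encoding
        if OGNL_IN_PATH.search(decoded):
            hits.append((n, decoded))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Aug/2018:10:00:01 +0000] "GET /struts/index.action HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Aug/2018:10:00:02 +0000] "GET /%24%7Bexample%7D/index.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [23/Aug/2018:10:00:03 +0000] "GET /%2524%257Bexample%257D/index.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for v in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(v, "affected" if is_affected(v) else "patched")
    for n, p in flag_ognl_requests(SAMPLE_LOG):
        print(f"line {n}: OGNL syntax in path {p}")
```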
Vulnerabilities in application frameworks are challenging to programmatically detect with traditional VM scanning, and multiple methods of detection are needed to ensure that Struts is found.
Because of this, Qualys has implemented two QIDs for detecting CVE-2018-11776 in Qualys Vulnerability Management:
Qualys has also implemented a QID for detecting CVE-2018-11776 in Qualys Web Application Scanning:
In addition to scanning, Qualys recommends that application frameworks such as Struts be documented in an Application Portfolio or CMDB to ensure all components of an application are recorded and can be audited for these kinds of vulnerabilities.
Even prior to the disclosure of this RCE vulnerability, Qualys Web Application Firewall users were already protected from exploits by every out-of-the-box template and generic policy. These templates, developed by security experts for the Qualys WAF programmable inspection engine, are constantly tested against the latest threats for the best detection rate and the fewest false positives.
Customers using manual policies instead of templates were potentially not protected, however, depending on their ELI (Expression Language Injection), CI (Code Injection) and RCE (Remote Command Execution) slider settings, along with the blocking threshold.
Mitigating CVE-2018-11776 is possible by using the following methods:
Today's example, like "drupalgeddon2" a few months ago (CVE-2018-7600), demonstrates how blocking zero-days is possible with Qualys WAF without needing to define manual rules, giving CISOs and IT security organizations time to implement sustainable fixes while providing them with a tool to monitor and report any attempt to exploit the vulnerability.