Critical vulnerability in Apache Struts

Reference: CERT.be Advisory #2018-024
Version: 1.0
Affected software: Struts 2.3 - 2.3.34, Struts 2.5 - 2.5.16, Previous versions may also be vulnerable.
Type: Remote code execution
CVE: CVE-2018-11776
CVSS: Critical

Sources

https://lgtm.com/blog/apache_struts_CVE-2018-11776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776

Risks

The vulnerability, tracked as CVE-2018-1176, has been categorized as “Remote Code Execution” and is considered as a critical issue.
An attacker could exploit this vulnerability by visiting a specially crafted URL on the vulnerable webserver to execute malicious code and the possibility to fully compromise the webserver.

Summary

A vulnerability was discovered in the Apache Struts software, the following versions are considered vulnerable and should be patched: Struts 2.3 - 2.3.34, Struts 2.5 - 2.5.16
The vulnerability (CVE-2018-11776) resides in the core of Apache Struts and originates because of insufficient validation of user-provided input in the core of the Struts framework under certain configurations.
Your systems are vulnerable to the reported RCE flaw if your Apache Struts configuration meets the following conditions:
• The alwaysSelectFullNamespace flag is set to true in the Struts configuration.
• Struts’ configuration file contains an "action" or "url" tag that does not specify the optional namespace attribute or specifies a wildcard namespace.
Remark: even if the application is currently not vulnerable, patching is strongly recommended to avoid that a configuration change results in a vulnerable system.
Note: A proof of concept for the vulnerability has been published!

Recommend actions

CERT.be recommends system administrators to upgrade their systems to Apache Struts version 2..35 or 2.5.17. Even if the application is currently not vulnerable, it's possible that an inadvertent change to a Struts configuration file renders the application vulnerable in the future.