'Critical' RCE vulnerability found in open-source Struts framework

Some of the largest companies in the US are at risk for remote code execution (RCE) attacks according to Semmle security researchers.

Analysts at lgtm.com discovered a vulnerability in all versions of the Apache Struts framework dating back to 2008. The hole can allow a hacker to execute code remotely on any website using the REST plugin, a popular communications plugin used by at least 65 Fortune 100 companies including Lockheed Martin, Citigroup, Virgin Atlantic, Reader's Digest and even the IRS.

However, it is by no means limited to just these companies.

Oege de Moor, CEO of software analytics firm Semmle (lgtm's parent company), said, "This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises."

The flaw was immediately reported to the Apache development team on September 5. Apache Struts maintainers issued a patch the same day and posted an announcement on the Struts website. The TL;DR breakdown goes as follows:

"A RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise [sic] XML requests. No workaround is possible, the best option is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only. Upgrade to Apache Struts version 2.5.13. It is possible that some REST actions stop working because of applied default restrictions on available classes. In such case please investigate the new interfaces that were introduced to allow define class restrictions per action. All developers are strongly advised to perform this action [emphasis Apache]."

When it was initially discovered, lgtm had the only known working exploit for the flaw which it did not publish. Now that hackers know about the vulnerability, several third-party exploits have already been posted on various websites.

What's more, the patch is not the only thing needed to fix the security hole. The underlying code of the web apps may also need to be addressed. Engineers might have to rewrite the apps using the updated version of Struts, then test and redeploy. Despite the amount of time, effort and expense required, the importance of fixing this security weakness cannot be stressed enough.

"The Struts framework is used by an incredibly large number and variety of organizations," said lgtm analyst Man Yue Mo. "This vulnerability poses a huge risk ... Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organizations who use Struts should upgrade their components immediately."