Originally published on 5 September 15:30 BST. Updated on 6 September: added a warning regarding multiple working exploits having been published by third parties; included details of Struts version 2.3.34.
Security researchers at LGTM.com have discovered a critical remote code execution vulnerability in Apache Struts — a popular open-source framework for developing web applications in the Java programming language. All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable. Shortly after the patched versions of Struts were released on 5 September, multiple working exploits were observed on various internet sites. Users are strongly advised to upgrade their Apache Struts components as a matter of urgency. This vulnerability has been addressed in Struts versions 2.3.34 and 2.5.13.
LGTM provides free software engineering analytics for open-source projects; at the time this post is published, over 50,000 projects are continuously monitored. Anyone can write their own analyses, ranging from checks that enforce good coding practices to advanced analyses that find security vulnerabilities. The LGTM security team actively helps the open-source community to uncover critical security vulnerabilities in OSS projects.
This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data. The LGTM security team have a simple working exploit for this vulnerability which will not be published at this stage. At the time of the announcement there is no suggestion that an exploit is publicly available, but it is likely that there will be one soon.
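The practical first step for a defender is to find out which deployments still ship an unpatched REST plugin. The following POSIX shell check is an added example, not code from the LGTM post or from the Struts project: it walks a deployment directory, locates REST plugin jars by the standard Maven file name `struts2-rest-plugin-<version>.jar` (an assumption about how the jar appears in a deployed webapp), and flags any version below the fixed releases named above (2.3.34 for the 2.3 line, 2.5.13 for the 2.5 line). The directory tree it builds for its demo is constructed sample data, not a real deployment.

```shell
#!/bin/sh
# Added example (not from the LGTM post or the Struts project): inventory a
# deployment directory for Struts REST plugin jars and report those still
# below the releases that fix CVE-2017-9805.
# Assumptions: jars follow the Maven naming struts2-rest-plugin-<version>.jar,
# and GNU 'sort -V' is available for version comparison.

# Exit status 0 if the given plugin version carries the fix, 1 otherwise.
struts_rest_is_fixed() {
    v="$1"
    case "$v" in
        2.3.*) fixed=2.3.34 ;;
        2.5.*) fixed=2.5.13 ;;
        *)     return 1 ;;   # no other release line received a fix; treat as unpatched
    esac
    # 'sort -V' orders version strings naturally; if the fixed version sorts
    # first (or both are equal), the deployed version is at least the fixed one.
    lowest=$(printf '%s\n%s\n' "$v" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# Scan a directory tree, print one line per plugin jar found, and return
# 1 if any jar is still vulnerable (0 if none is, or none was found).
scan_for_struts_rest() {
    report=$(find "$1" -type f -name 'struts2-rest-plugin-*.jar' 2>/dev/null |
        while read -r jar; do
            ver=${jar##*/struts2-rest-plugin-}   # strip path and artifact prefix
            ver=${ver%.jar}                      # strip extension, leaving the version
            if struts_rest_is_fixed "$ver"; then
                printf 'OK          %s\n' "$jar"
            else
                printf 'VULNERABLE  %s (CVE-2017-9805: upgrade to 2.3.34 or 2.5.13)\n' "$jar"
            fi
        done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^VULNERABLE'
}

# Demo on a constructed tree: one app with an old plugin, one already upgraded.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app1/WEB-INF/lib" "$tmp/app2/WEB-INF/lib"
    : > "$tmp/app1/WEB-INF/lib/struts2-rest-plugin-2.5.10.1.jar"
    : > "$tmp/app2/WEB-INF/lib/struts2-rest-plugin-2.5.13.jar"
    scan_for_struts_rest "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc   # 1 here, because app1 still ships 2.5.10.1
}

demo_scan || echo "At least one deployment still needs the Struts upgrade."
```

Run the script against the root that holds your deployed webapps (for example a Tomcat `webapps` directory) instead of the demo tree; because the check keys off the jar file name, a plugin that has been repackaged or shaded under another name will not be found and needs a manual review.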
The Apache Struts development team have confirmed the severity of this issue and released a patch today:
This is critical, as all you have to do is use the REST plugin.
The Struts maintainers have posted an announcement on their website and the vulnerability has been assigned CVE-2017-9805. More information about how this vulnerability was found using LGTM.com is available in a separate blog post.
Analyst Fintan Ryan at RedMonk estimates that at least 65% of the Fortune 100 companies are actively using web applications built with the Struts framework. According to the Struts website, organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework. This illustrates how widespread the risk is.
When asked for a comment, the Chief Information Security Officer of a Tier 1 bank confirmed that Struts is still used in large numbers of applications and that this finding poses a real threat:
Any security vulnerability can be potentially disastrous, but any that allows Remote Code Execution are especially worrying. This vulnerability is potentially very damaging due to the large number of sites that rely upon this framework. Coupled with the complexities to remediate, as code will have to be changed as opposed to just applying a vendor patch, this has the potential to be worse than the ‘POODLE’ attack was.
Finding this highlights the power that static code analysis can bring, and if something this severe can be in such a well known public library, just imagine what it could find in your code base.
Man Yue Mo, one of the LGTM security researchers who discovered this vulnerability, confirms the criticality:
The Struts framework is used by an incredibly large number and variety of organizations. This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications. Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organizations who use Struts should upgrade their components immediately.
He has written a blog post that describes in more detail how he found this particular vulnerability using the flexible and powerful query language at the heart of LGTM. The LGTM queries flag up software problems and security vulnerabilities on a daily basis. The analysis results for a large number of projects are readily available on LGTM.com, including for popular projects like Hadoop, Jetty, Maven, and Storm — all of which have millions of users, and are the building blocks of famous platforms like Twitter, Spotify, Google, and Amazon.
Oege de Moor, CEO and founder of Semmle (the company behind LGTM):
This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises. In the spirit of open source, we want to make sure that the community and industry are aware of these findings as we help uncover critical issues in large numbers of open-source projects. Working with Apache Struts, they were extremely responsive and immediately came up with a clear remediation path.
The technology that powers LGTM is used by many organizations to analyze their software development process and find security vulnerabilities like the one in Struts. These organizations include:
Note: Post originally published on LGTM.com on 09/05/2017