PoC exploit to target two Apache Struts 2 flaws emerges on GitHub

Upgrade to latest Struts version immediately, warns Apache Struts Security Team

Proof-of-concept (PoC) exploit code that triggers two security vulnerabilities in the Apache Struts 2 web application framework is publicly available on the internet.

Last week, Apache published a security advisory urging admins to immediately patch their systems for two security bugs in Apache Struts 2: CVE-2019-0230, a remote code execution (RCE) flaw, and CVE-2019-0233, a denial-of-service (DoS) bug.

According to Apache, both vulnerabilities were addressed in November 2019, but a large number of installations remain unpatched.

On Friday, PoC code targeting these bugs emerged on GitHub.

According to Apache, CVE-2019-0233 and CVE-2019-0230 affect Apache Struts versions 2.0.0 through 2.5.20, and have been addressed in version 2.5.22.

CVE-2019-0230 is a forced double Object-Graph Navigation Language (OGNL) evaluation bug that could enable an attacker to remotely execute arbitrary code on a vulnerable system. It occurs when Struts tries to evaluate raw user input inside tag attributes. The bug could be exploited by injecting malicious OGNL expressions into an attribute within an OGNL expression.

CVE-2019-0233 is a DoS bug that occurs because file access permissions are overridden during a file upload operation. The vulnerability could allow an attacker to modify a file upload request in a way that causes the uploaded file to be set to read-only access.

Once the file upload is completed, any subsequent action on the file fails. The bug could lead to upload failure of other files as well, thereby resulting in a DoS condition for an affected application.

The Apache Struts Security Team recommends that site owners and developers upgrade their installations to the latest version as soon as possible. In the case of CVE-2019-0230, upgrading to 2.5.22 closes the reported attack vector, according to Apache.
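A first step in acting on that advice is knowing which Struts build a deployment actually ships. The following script is an added example, not code from Apache or from the GitHub PoC: it walks a web application's library directory, reads the version out of `struts2-core-<version>.jar` filenames (the standard Maven artifact naming, assumed here), and compares it against the affected range and fixed release stated above (2.0.0 through 2.5.20 affected; 2.5.22 fixed). The jar names in `SAMPLE_JARS` are constructed for the demonstration.

```python
"""Inventory check for Apache Struts 2 core jars against the CVE-2019-0230 /
CVE-2019-0233 advisory range (added example; assumes Maven-style jar names)."""
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Range and fixed release as stated in the advisory summary above.
AFFECTED_MIN: Version = (2, 0, 0)
AFFECTED_MAX: Version = (2, 5, 20)
FIXED_VERSION: Version = (2, 5, 22)

# Matches e.g. struts2-core-2.5.20.jar or struts2-core-2.0.11.2.jar.
# The dotted numeric version is captured as a whole and split afterwards so
# three- and four-component versions compare correctly as tuples.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(filename: str) -> Optional[Version]:
    """Return the version tuple from a struts2-core jar name, or None for other jars."""
    match = JAR_RE.match(filename)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: Version) -> bool:
    """True when the version lies inside the advisory's stated affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(version: Version) -> str:
    """Map a version onto one of three statuses a patch report would use."""
    if is_affected(version):
        return "affected"
    if version < FIXED_VERSION:
        # Not inside the stated range, but still older than the fixed release.
        return "older-than-fix"
    return "fixed-or-newer"


def scan_names(filenames: Iterable[str]) -> List[Tuple[str, Version, str]]:
    """Classify every struts2-core jar among the given filenames."""
    findings = []
    for name in filenames:
        version = parse_version(name)
        if version is None:
            continue  # not a Struts core jar; ignore
        findings.append((name, version, classify(version)))
    return findings


def scan_directory(root: str) -> List[Tuple[str, Version, str]]:
    """Recursively scan a deployed webapp (e.g. WEB-INF/lib) for Struts core jars."""
    return scan_names(p.name for p in Path(root).rglob("struts2-core-*.jar"))


def affected_count(findings: List[Tuple[str, Version, str]]) -> int:
    return sum(1 for _, _, status in findings if status == "affected")


# Constructed sample inventory standing in for a real WEB-INF/lib listing.
SAMPLE_JARS = [
    "struts2-core-2.5.20.jar",
    "struts2-core-2.3.37.jar",
    "struts2-core-2.0.11.2.jar",
    "struts2-core-2.5.22.jar",
    "commons-lang3-3.9.jar",
]

if __name__ == "__main__":
    for name, version, status in scan_names(SAMPLE_JARS):
        print(f"{name:32} {'.'.join(map(str, version)):10} {status}")
```

Point `scan_directory()` at an unpacked WAR or the container's library path to get the same report for a live deployment; the `older-than-fix` status exists so that a version outside the stated range but below 2.5.22 is still surfaced for the upgrade the advisory recommends rather than silently passing.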

Unpatched installations could enable threat actors to carry out massive data breaches, similar to the 2017 Equifax attack, which hackers conducted by exploiting the CVE-2017-5638 Apache Struts vulnerability.

That breach exposed the social security numbers and other personal details of more than 140 million Americans, with people and organisations affected around the world.

In May, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a list of top 10 vulnerabilities that have been routinely exploited by hackers since 2016, and CVE-2017-5638 was ranked third in the list.