Proof-of-Concept (PoC) code for an exploit that triggers two security vulnerabilities in the Apache Struts 2 web application framework is publicly available on the internet.
Last week, Apache published a security advisory urging admins to immediately patch their systems for two security bugs in Apache Struts 2: CVE-2019-0230, a remote code execution (RCE) flaw, and CVE-2019-0233, a denial-of-service (DoS) bug.
According to Apache, both vulnerabilities were addressed in November 2019, but there remain a large number of installations that have not been patched.
Linux security right now reminds me of Windows security in the 90s. Attackers are running around networks at scale and people don't even realise. — Kevin Beaumont (@GossiTheDog) August 15, 2020
On Friday, PoC code targeting these bugs emerged on GitHub.
According to Apache, CVE-2019-0233 and CVE-2019-0230 affect Apache Struts versions 2.0.0 through 2.5.20, and have been addressed in version 2.5.22.
CVE-2019-0230 is a forced double Object-Graph Navigation Language (OGNL) evaluation bug that could enable an attacker to remotely execute arbitrary code on a vulnerable system. It occurs when Struts tries to evaluate raw user input inside tag attributes. The bug could be exploited by injecting malicious OGNL expressions into an attribute within an OGNL expression.
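As an added defender-side example (not code from the advisory or the Struts project), the Python below does two triage tasks tied to the details above: it checks a deployed Struts version against the affected 2.0.0 through 2.5.20 range, and it scans access-log lines for URL parameters that carry the `%{` or `${` delimiters that make Struts treat an attribute value as an OGNL expression. The log lines, the `skillName` parameter and the paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Struts range the advisory names as affected by CVE-2019-0230 and CVE-2019-0233.
AFFECTED = ((2, 0, 0), (2, 5, 20))

def parse_version(version):
    """Turn '2.5.20' (or '2.3.37.1') into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    """True when a deployed Struts version falls inside 2.0.0 .. 2.5.20 inclusive."""
    return AFFECTED[0] <= parse_version(version) <= AFFECTED[1]

# Delimiters that make Struts evaluate a tag attribute value as an OGNL expression.
OGNL_MARKER = re.compile(r"%\{|\$\{")
# Combined-log-format prefix: client address, then the quoted request line.
LOG_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Bounded repeated URL-decode so nested percent-encoding cannot hide the markers."""
    while rounds and unquote(value) != value:
        value, rounds = unquote(value), rounds - 1
    return value

def find_ognl_markers(request_path):
    """Return [(param, decoded_value)] for query parameters that carry OGNL delimiters."""
    flagged = []
    for name, raw in parse_qsl(urlsplit(request_path).query, keep_blank_values=True):
        name, value = decode_fully(name), decode_fully(raw)
        if OGNL_MARKER.search(name) or OGNL_MARKER.search(value):
            flagged.append((name, value))
    return flagged

def suspicious_requests(log_lines):
    """Scan access-log lines; return the requests whose parameters carry OGNL delimiters."""
    hits = []
    for m in filter(None, map(LOG_RE.search, log_lines)):
        params = find_ognl_markers(m["path"])
        if params:
            hits.append({"client": m["client"], "path": m["path"], "params": params})
    return hits

# Constructed sample log lines (not from any real incident): a benign lookup, a request
# carrying a percent-encoded %{...} expression in a parameter, and an unrelated upload.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Aug/2020:10:01:02 +0000] "GET /app/listSkills.action?skillName=java HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Aug/2020:10:01:05 +0000] "GET /app/listSkills.action?skillName=%25%7B1%2B1%7D HTTP/1.1" 200 512',
    '10.0.0.7 - - [15/Aug/2020:10:01:09 +0000] "POST /app/upload.action HTTP/1.1" 500 128',
]
```

Calling `suspicious_requests(SAMPLE_LOG)` flags only the second line, with the decoded parameter `%{1+1}`; the heuristic sees query parameters only, so POST bodies need a separate source.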
CVE-2019-0233 is a DoS bug caused by access permissions being overridden during a file upload operation. The vulnerability could allow an attacker to modify a file upload request in a way that causes the uploaded file to be set to read-only access.
Once the file upload is completed, any subsequent action on the file fails. The bug could lead to upload failure of other files as well, thereby resulting in a DoS condition for an affected application.
The Apache Struts Security Team recommends that site owners and developers upgrade their installs to the latest version as soon as possible. In the case of CVE-2019-0230, upgrading to 2.5.22 closes the reported attack vector, according to Apache.
Unpatched installations could enable threat actors to carry out massive data breaches, similar to the 2017 Equifax attack, which was conducted by hackers after exploiting the CVE-2017-5638 Apache Struts vulnerability.
That breach exposed the social security numbers and other personal details of more than 140 million Americans, with people and organisations affected around the world.
In May, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a list of top 10 vulnerabilities that have been routinely exploited by hackers since 2016, and CVE-2017-5638 was ranked third in the list.