Apache Struts 2 Remote Code Execution Vulnerability (CVE-2019-0230, CVE-2019-0233)

The Apache Struts Security Team has addressed two possible RCE bugs, CVE-2019-0230 and CVE-2019-0233, in its latest advisories published on August 13, 2020.

Description

Struts 2 is an open source framework used by companies to build Java-based web applications. Researchers suggest that outdated installations of Apache Struts 2 may be exploitable via CVE-2019-0230.

According to the Apache Struts 2 Wiki description of the bug, “An attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container’s temp directory to read only, such that subsequent upload actions will fail”.

CVE-2019-0230 was originally reported by Matthias Kaiser of Apple Information Security. The issue lies in Object-Graph Navigation Language (OGNL) evaluation inside a Struts tag attribute: when raw user input referenced by an OGNL expression is not properly validated before evaluation, an attacker is able to modify the corresponding request.

Example (Source: Apache Struts 2 advisory):

<s:url var="url" namespace="/employee" action="list"/><s:a id="%{skillName}" href="%{url}">List available Employees</s:a>

As shown in the example above, this bug can lead to an RCE if an attacker changes skillName and the value is evaluated without any further validation. Because CVE-2019-0230 is an RCE, an attacker can take advantage of this bug with the full rights of the user the application runs as, so the impact depends on the level of privilege assigned to that account. CVE-2019-0233 is a file upload vulnerability observed in the same range of Apache Struts 2 versions. According to the advisory bulletin, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only; as a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read-only, such that subsequent upload actions will fail, resulting in a DoS.

The following tweet demonstrates the possible Struts 2 RCE bug:

https://twitter.com/i/status/1293965938388119553

Affected Products

Struts 2.0.0 – Struts 2.5.20
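As an added example (not code from the Qualys post or from Apache), a small Python check that extracts the struts2-core version from a jar file name or a pom.xml fragment and flags it when it falls inside the affected range above. The file paths, sample inputs and regular expressions are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Affected range from the advisory summary (inclusive) and the fixed release.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 20)
FIXED_VERSION = (2, 5, 22)

# Assumed naming: jars look like struts2-core-2.5.20.jar (optionally with a
# qualifier such as -SNAPSHOT); Maven coordinates carry the version in <version>.
JAR_RE = re.compile(r"struts2-core-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$")
POM_RE = re.compile(
    r"<artifactId>\s*struts2-core\s*</artifactId>\s*<version>\s*(\d+)\.(\d+)\.(\d+)",
    re.S,
)


def parse_struts_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) of struts2-core found in a jar path or pom fragment."""
    m = JAR_RE.search(text) or POM_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(text: str) -> str:
    """Human-readable verdict for one jar path or pom fragment."""
    v = parse_struts_version(text)
    if v is None:
        return "no struts2-core version found"
    label = ".".join(map(str, v))
    if is_affected(v):
        fixed = ".".join(map(str, FIXED_VERSION))
        return f"struts2-core {label}: affected (S2-059/S2-060), upgrade to {fixed}"
    return f"struts2-core {label}: not in affected range"


# Constructed sample inputs, not real findings.
SAMPLES = [
    "WEB-INF/lib/struts2-core-2.5.20.jar",
    "WEB-INF/lib/struts2-core-2.3.37.jar",
    "WEB-INF/lib/struts2-core-2.5.22.jar",
    "<artifactId>struts2-core</artifactId>\n  <version>2.5.16</version>",
    "WEB-INF/lib/commons-io-2.6.jar",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```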

Advisory

https://cwiki.apache.org/confluence/display/WW/S2-060

https://cwiki.apache.org/confluence/display/WW/S2-059

Solution

Users are advised to update their Apache Struts 2 installations to the latest version, 2.5.22. Apache states that upgrading to 2.5.22 limits the malicious effects of double evaluation and closes the reported attack vector.

Detection

Qualys customers can scan their network with QIDs 373363 and 373364 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://cwiki.apache.org/confluence/display/ww/s2-059

https://cwiki.apache.org/confluence/display/WW/S2-060

https://threatpost.com/poc-exploit-github-apache-struts/158393/
