Apache has fixed a critical vulnerability in its vastly popular Struts project that was previously believed to have been resolved but, as it turns out, wasn’t fully remedied.
As such, the Cybersecurity and Infrastructure Security Agency (CISA) is urging users and administrators to upgrade to the latest, patched Struts 2 versions.
Struts is an open-source application development framework used by Java web developers for building model–view–controller (MVC) apps.
Remote Code Execution (RCE) flaw wasn’t fully resolved
This week, DHS CISA is urging organizations to upgrade to Struts 2 version 2.5.30 (or greater), which fixes a critical OGNL injection vulnerability.
Tracked as CVE-2021-31805, the critical vulnerability exists in Struts 2 versions from 2.0.0 up to and including 2.5.29.
The vulnerability results from an incomplete fix that was applied for CVE-2020-17530, also an OGNL Injection bug, with a severity rating of 9.8 (Critical).
Object-Graph Navigation Language (OGNL) is an open-source expression language (EL) for Java that offers a simpler syntax for the kinds of expressions written in Java code and makes working with arrays easier. Evaluating OGNL expressions built from untrusted or raw user input, however, is problematic from a security perspective.
Back in 2020, researchers Alvaro Munoz of GitHub and Masato Anzai of Aeye Security Lab reported a “double evaluation” flaw that, under certain circumstances, affected Struts 2 versions 2.0.0 – 2.5.25.
“Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{…} syntax,” states the advisory for CVE-2020-17530.
“Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.”
Although Apache had resolved the 2020 bug in Struts 2.5.26, researcher Chris McCown later discovered that the applied fix was incomplete.
As such, McCown responsibly reported to Apache that the “double evaluation” problem could still be reproduced in Struts versions 2.5.26 and above, resulting in the assignment of CVE-2021-31805.
Users are advised to upgrade to Struts 2.5.30 or greater and to avoid using forced OGNL evaluation in tag attributes that are based on untrusted user input.
Additionally, Apache recommends following its security guide for best practices.
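The advisory leaves defenders with two concrete checks: is the deployed struts2-core inside the affected range (2.0.0 through 2.5.29, fixed in 2.5.30), and do any templates apply forced OGNL evaluation (%{...}) to attributes that carry request-controlled data? The following Python audit script is an added example, not code from the article or from the Apache Struts project. It extracts the struts2-core version from a Maven pom.xml (resolving a ${property} reference if one is used), compares it against the affected range, and scans JSP tag templates for %{...} expressions, flagging those that reference the #parameters or #request roots. The pom and JSP inputs are constructed samples; the regexes are heuristics, and treating #parameters and #request as the "untrusted user input" roots is an assumption, since the advisory does not enumerate them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range stated in the advisory: 2.0.0 up to and including 2.5.29;
# 2.5.30 is the first fixed release.
AFFECTED_MIN = (2, 0, 0)
FIRST_FIXED = (2, 5, 30)

# Forced OGNL evaluation inside a tag attribute. Non-greedy, so an expression
# containing nested braces (e.g. an OGNL map literal) would be cut short; fine
# for a triage pass, not a full OGNL parser.
FORCED_EVAL = re.compile(r"%\{(.*?)\}")

# Assumption: value stack roots that are populated from the HTTP request.
USER_CONTROLLED = re.compile(r"#(parameters|request)\b")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.5.29' or '2.5.30-SNAPSHOT' into a comparable (major, minor, patch) tuple.
    Qualifiers after '-' are ignored; missing components are padded with 0."""
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(struts_version: str) -> bool:
    """True if the version falls inside the range CVE-2021-31805 covers."""
    return AFFECTED_MIN <= parse_version(struts_version) < FIRST_FIXED


def struts_core_version(pom_xml: str) -> Optional[str]:
    """Find the struts2-core <version> in a pom.xml, resolving ${property} if needed."""
    match = re.search(
        r"<artifactId>\s*struts2-core\s*</artifactId>\s*<version>\s*([^<]+?)\s*</version>",
        pom_xml,
    )
    if not match:
        return None
    version = match.group(1)
    prop = re.fullmatch(r"\$\{([\w.\-]+)\}", version)
    if prop:
        name = re.escape(prop.group(1))
        resolved = re.search(r"<%s>\s*([^<]+?)\s*</%s>" % (name, name), pom_xml)
        return resolved.group(1) if resolved else None
    return version


def find_forced_evaluation(template: str) -> List[Tuple[int, str]]:
    """Return (line number, expression) for every %{...} in a template."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for m in FORCED_EVAL.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


def audit(pom_xml: str, templates: Dict[str, str]) -> dict:
    """Combine the version check and the template scan into one report."""
    version = struts_core_version(pom_xml)
    report: dict = {
        "struts2_core_version": version,
        "version_affected": bool(version) and is_affected(version),
        "forced_evaluation": {},        # every %{...} found, per template
        "risky_forced_evaluation": {},  # the subset that reads request-controlled roots
    }
    for name, body in templates.items():
        forced = find_forced_evaluation(body)
        if forced:
            report["forced_evaluation"][name] = forced
        risky = [(n, e) for n, e in forced if USER_CONTROLLED.search(e)]
        if risky:
            report["risky_forced_evaluation"][name] = risky
    return report


# Constructed sample inputs (not from any real project).
SAMPLE_POM = """
<project>
  <properties>
    <struts2.version>2.5.29</struts2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:a id="%{#parameters.id}" href="/item">Details</s:a>
<s:textfield name="title" value="%{title}" />
<s:property value="#parameters.id" />
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_POM, {"item.jsp": SAMPLE_JSP}).items():
        print(f"{key}: {value}")
```

In the sample, line 2 of the template is the pattern the advisory warns about (forced evaluation of a request parameter inside a tag attribute) and is reported as risky; line 3 forces evaluation of an action property and is listed but not flagged; line 4 uses the attribute's ordinary single evaluation and is not reported at all. Findings from the script are a starting point for manual review, since the roots list and the brace matching are deliberately simple.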
Equifax hack of 2017 stemmed from OGNL injection
It’s been a year of Java components with high-profile vulnerabilities like Log4Shell and Spring4Shell dominating the cybersecurity space.
Now, with the revival of this two-year-old critical flaw in Struts, security professionals and organizations may need to closely scrutinize their web server environments.
The Struts framework has had a history of critical vulnerabilities, in particular remote code execution flaws resulting from insecure OGNL use.
Another Struts 2 OGNL Injection flaw (CVE-2017-5638) had previously been exploited in the wild by threat actors including ransomware groups.
Consumer credit reporting firm Equifax later confirmed that the 2017 hack at the company resulted from the exploitation of CVE-2017-5638, which was a zero-day at the time.
The Equifax data breach compromised the data of 143 million users as hackers stole names, Social Security Numbers (SSNs), dates of birth, addresses, and, in some cases, people’s driver’s license numbers.
Credit card numbers of about 209,000 American users were also accessed by threat actors. Without revealing the exact number of individuals affected, Equifax confirmed that the breach also impacted British and Canadian residents in some capacity.
Source: https://www.bleepingcomputer.com/news/security/critical-apache-struts-rce-vulnerability-wasnt-fully-fixed-patch-now/