Apache Struts 2 Namespace Evaluation Remote Code Execution (CVE-2018-11776 / S2-057)
Today, a new Apache Struts 2 Remote Code Execution vulnerability was announced (S2-057) and CVE-2018-11776 was allocated. At the moment, there is no public Proof of Concept exploit available.

For a Struts 2 application to be vulnerable, its configuration must meet two conditions:

1. The value of “struts.mapper.alwaysSelectFullNamespace” is set to true. This means that Struts will consider the “namespace” to be everything before the last slash of the URI.
2. An action is declared via an <action> tag without a “namespace” attribute.

When both conditions are met, Struts will try to extract the “namespace” from the request URL using the following logic:

Example URL: http://struts2app.test/[Servlet Context]/[Namespace]/[Action].action

It was found that if the namespace was extracted from the requested URL and it contained an Object-Graph Navigation Library (OGNL) expression, which is the expression language supported by the Struts framework, in some cases the extracted expression may be evaluated by Struts, which may lead to arbitrary code execution.

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Java code injection attack signatures, which can be found in signature sets that include the “Server Side Code Injection” attack type or the “Java Servlets/JSP” system.

Edit: We have released additional, more generic signatures to cover OGNL / JSP expression injection attempts in the URL:

200004474 - JSP Expression Language Expression Injection (3) (URI)
200004475 - Object Graph Navigation Library Expression Injection (2) (URI)

Edit: A Proof of Concept exploit for this vulnerability is now publicly available.
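To make the namespace logic above concrete from a detection point of view, here is an added example (not code from the original post, from F5, or from the Struts project). It derives the namespace from a request path the way the post describes for “struts.mapper.alwaysSelectFullNamespace” (everything before the last slash) and flags namespaces that carry an OGNL / JSP expression marker, which is what the URI signatures listed above are aimed at. The servlet-context stripping, the log format and the sample log lines are assumptions constructed for the example; the actual BIG-IP ASM signature logic is F5's and is not reproduced here.

```python
"""Added example: derive the Struts namespace from a request URI and flag
namespaces that carry an expression marker. Sample data is constructed."""
import re
from urllib.parse import unquote, urlsplit

# OGNL and JSP EL expressions open with "%{" or "${"; a namespace segment
# should never contain either. (Assumption: one marker check stands in for
# the vendor's signatures, which are not shown on the page.)
EXPRESSION_MARKER = re.compile(r"[%$]\{")

# Request-line extractor for a constructed access-log format (assumption).
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/')


def extract_namespace(uri: str, servlet_context: str = "") -> str:
    """Return the namespace as the post describes it: the path before the
    last slash, with the servlet context removed. The context handling is an
    assumption of this example; the decoding is a single URL-decode."""
    path = urlsplit(uri).path
    if servlet_context and path.startswith(servlet_context):
        path = path[len(servlet_context):]
    head, _, _action = path.rpartition("/")
    return unquote(head) or "/"


def namespace_carries_expression(uri: str, servlet_context: str = "") -> bool:
    """True when the derived namespace contains an expression marker."""
    return bool(EXPRESSION_MARKER.search(extract_namespace(uri, servlet_context)))


def scan_log(lines, servlet_context: str = "") -> list:
    """Run the check over access-log lines; return the flagged requests."""
    flagged = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        uri = match.group("uri")
        if namespace_carries_expression(uri, servlet_context):
            flagged.append({
                "uri": uri,
                "namespace": extract_namespace(uri, servlet_context),
            })
    return flagged


# Constructed sample log lines (not real traffic). The second request carries
# a harmless "%{example}" marker, URL-encoded, in the namespace position.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Aug/2018:10:00:00 +0000] "GET /app/showcase/hello.action HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Aug/2018:10:00:01 +0000] "GET /app/%25%7Bexample%7D/hello.action HTTP/1.1" 404 0',
    '198.51.100.7 - - [22/Aug/2018:10:00:02 +0000] "GET /app/static/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, servlet_context="/app"):
        print(f"flagged {hit['uri']} (namespace {hit['namespace']!r})")
```

The check keys on the derived namespace rather than the whole URI, so a legitimate query string or action name is not what triggers it; any request whose namespace position carries an expression marker is worth reviewing, which is the same behaviour the post's URI signatures provide at the BIG-IP ASM layer.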
The exploit can be mitigated by the following signatures:

Figure 1: Exploit blocked with attack signature 200004281
Figure 2: Exploit blocked with attack signature 200003439
Figure 3: Exploit blocked with attack signature 200004156
Figure 4: Exploit blocked with attack signature 200004368

Additional Reading

https://lgtm.com/blog/apache_struts_CVE-2018-11776
https://semmle.com/news/apache-struts-CVE-2018-11776