Vulnerability Report

CVE-2019-0230 Apache Struts 2.0.0 to 2.5.20: Possible RCE

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

Vulnerability Summary

In Apache Struts 2.0.0 to 2.5.20, forced double OGNL evaluation of raw user input in tag attributes may lead to remote code execution. When OGNL evaluation is forced (the %{...} syntax), the framework evaluates the value assigned to certain tag attributes, such as "id", twice: once when the expression is evaluated and again when the tag's attributes are rendered. An attacker can therefore pass in a value that is itself an OGNL expression and have it evaluated during rendering. With a carefully crafted request this can lead to Remote Code Execution (RCE). The problem only applies when OGNL evaluation is forced inside a Struts tag attribute and the expression being evaluated references raw, unvalidated input that an attacker can directly control through the corresponding request.

As per Red Hat, an attacker who crafts a malicious request can achieve RCE. The largest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
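The following is an added example, not code from the Virsec report or from the Struts project, showing the vulnerable tag pattern the summary describes beside the mitigation Apache recommends: do not force OGNL evaluation on raw input, and validate any user value before it reaches a tag attribute. The class name SkillAction, the property skillName and the allow-list pattern are assumptions chosen for illustration.

```java
package example;

import com.opensymphony.xwork2.ActionSupport;
import java.util.regex.Pattern;

/*
 * Constructed example (not from the Virsec report or the Struts project).
 * Assumes a JSP using the Struts tag library and that the request parameter
 * "skillName" is bound to this action by the params interceptor.
 *
 * Vulnerable rendering on Struts 2.0.0 to 2.5.20:
 *     <s:a id="%{skillName}">link</s:a>
 * %{...} forces OGNL evaluation of skillName. That evaluation returns the raw
 * parameter string; when the tag renders its id attribute the string is
 * evaluated as OGNL a second time, so a parameter value that is itself an
 * OGNL expression is executed by the framework.
 *
 * Mitigations that do not depend on upgrading to 2.5.22:
 *   1. Do not force evaluation on user-controlled data. A literal attribute,
 *         <s:a id="skillLink">link</s:a>
 *      is rendered once as a plain string and never re-evaluated.
 *   2. If the attribute genuinely must carry the user's value, reject anything
 *      outside a strict allow-list before the page is rendered, as validate()
 *      does below. The INPUT page shown on a validation error must not use
 *      %{skillName} either, or the rejected value is still double-evaluated.
 */
public class SkillAction extends ActionSupport {

    // Allow-list: letters, digits, underscore and hyphen only; none of the
    // characters OGNL needs to express a method call or assignment.
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    private String skillName;

    public String getSkillName() {
        return skillName;
    }

    public void setSkillName(String skillName) {
        this.skillName = skillName;
    }

    // Invoked by the workflow interceptor before execute(). A field error makes
    // the framework return the INPUT result, so the SUCCESS page is never
    // rendered with a value that could be interpreted as an expression.
    @Override
    public void validate() {
        if (skillName == null || !SAFE_ID.matcher(skillName).matches()) {
            addFieldError("skillName",
                "skillName may contain only letters, digits, '_' and '-'");
        }
    }

    @Override
    public String execute() {
        return SUCCESS;
    }
}
```

The allow-list, rather than a deny-list of OGNL tokens, is deliberate: OGNL accepts many syntaxes for the same call, and any deny-list is a guess about which ones matter. Upgrading to Struts 2.5.22 or later, where the double evaluation was removed, remains the real fix; the validation above only limits exposure on versions that cannot be patched immediately.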


CVSS Score

The CVSS Base Score is 9.8 (Critical)

Affected Version

Apache Struts 2.0.0 to 2.5.20.

Vulnerability Attribution

As per Apache, this vulnerability was discovered by Matthias Kaiser of Apple Information Security.

Risk Impact

Apache Struts is a free, open-source MVC framework for creating modern Java web applications. It favors convention over configuration, is extensible through a plugin architecture, and ships with plugins supporting REST, AJAX and JSON. StackShare lists Apache Struts in its Frameworks (Full Stack) category, and many companies report using it in their tech stack.

After the Equifax breach, a survey reported by a security magazine found that 65 of the Fortune Global 100 had downloaded vulnerable versions of Struts, which illustrates how widely the framework is deployed. Public exploits for this vulnerability are available.

Virsec Security Platform (VSP) Support

VSP-Host monitors spawned processes that are not part of a set of whitelisted processes. Any attempt to execute a new command or an unknown binary, such as one launched through an injected OGNL expression, is denied by VSP-Host's Process Monitoring capability.
