CVE-2019-0230 Apache Struts 2.0.0 to 2.5.20: Possible RCE
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.
Apache Struts 2.0.0 to 2.5.20 is affected by forced double OGNL evaluation: when evaluation is forced on raw user input in tag attributes, the result may be remote code execution. When forced, the Apache Struts framework performs a double evaluation of the values assigned to certain tag attributes, such as "id", so it is possible to pass in a value that will be evaluated again when the tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). The problem only applies when OGNL evaluation is forced inside a Struts tag attribute and the expression being evaluated references raw, unvalidated input that an attacker can directly modify by crafting a corresponding request.
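The pattern described above, turned into a small audit check over JSP source. This is a Python example added here, not Virsec's or Apache's code: it flags every `%{...}` inside an `<s:...>` tag attribute and rates any expression that is not a plain literal as needing review, since that is where raw request input could reach the second evaluation. The JSP fragment is constructed for the example.

```python
import re

# Constructed sample JSP fragment (an assumption for this example, not taken
# from the advisory): the <s:a id=...> tag forces a second OGNL evaluation of
# skillName, which is the pattern CVE-2019-0230 describes.
SAMPLE_JSP = """\
<s:url var="url" namespace="/employee" action="list"/>
<s:a id="%{skillName}" href="%{url}">List available Employees</s:a>
<s:textfield id="nameField" name="name"/>
<s:a id="%{'fixed-id'}" href="/list">Literal only</s:a>
"""

# Any <s:...> tag with its attribute string; attributes are name="value" pairs.
TAG_RE = re.compile(r"<s:(\w+)\b([^>]*)>", re.S)
ATTR_RE = re.compile(r'(\w[\w:.-]*)\s*=\s*"([^"]*)"')
# %{...} forces OGNL evaluation of the attribute value at render time.
FORCED_RE = re.compile(r"%\{(.*?)\}")
# A body that is just a quoted string or a number carries nothing that can be
# re-evaluated against request input, so it is reported as low risk.
LITERAL_RE = re.compile(r"""^\s*('[^']*'|"[^"]*"|\d+)\s*$""")


def find_forced_ognl(jsp_text):
    """Return (line, tag, attr, expression, risk) for every Struts tag attribute
    whose value forces OGNL evaluation. risk is 'high' when the expression
    names something other than a constant; a reviewer must then confirm that
    the named value cannot be raw, unvalidated request input."""
    findings = []
    for m in TAG_RE.finditer(jsp_text):
        tag, attrs = m.group(1), m.group(2)
        line = jsp_text.count("\n", 0, m.start()) + 1
        for a in ATTR_RE.finditer(attrs):
            name, value = a.group(1), a.group(2)
            for f in FORCED_RE.finditer(value):
                expr = f.group(1)
                risk = "low" if LITERAL_RE.match(expr) else "high"
                findings.append((line, tag, name, expr, risk))
    return findings


def high_risk(jsp_text):
    """Only the findings a reviewer should look at first."""
    return [f for f in find_forced_ognl(jsp_text) if f[4] == "high"]


if __name__ == "__main__":
    for line, tag, attr, expr, risk in find_forced_ognl(SAMPLE_JSP):
        print(f'line {line}: <s:{tag} {attr}="%{{{expr}}}"> risk={risk}')
```

The `href="%{url}"` hit is reported too: the scan cannot know that `url` was set by `<s:url>` rather than by the request, so it leaves that decision to the reviewer.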
As per Red Hat, if an attacker crafts a malicious request, they can cause RCE. The largest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
The CVSS Base Score is 9.8 (Critical).
Affected versions: Apache Struts 2.0.0 to 2.5.20.
As per Apache, this vulnerability was discovered by Matthias Kaiser of Apple Information Security.
Apache Struts is a free, open-source MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible through a plugin architecture, and ships with plugins supporting REST, AJAX and JSON. Apache Struts is a tool in the Frameworks (Full Stack) category, and as per StackShare, many companies use it in their tech stack.
After the Equifax breach, a survey by a well-known security magazine found that 65 of the Fortune Global 100 had downloaded vulnerable versions of Struts, which shows how widely the framework is used. Publicly available exploits exist for this vulnerability.
Virsec Security Platform (VSP) Support
VSP-Host monitors spawned processes that are not part of a set of whitelisted processes. Any attempt to execute a new command or an unknown binary is denied by VSP-Host's Process Monitoring capability.