CVE-2018-11776 - Struts2 Remote Code Execution vulnerability
According to the National Vulnerability Database, this vulnerability is still awaiting analysis.
About this vulnerability
"Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time, its upper action(s) have no or wildcard namespace."
Note that this vulnerability does not exist in a default Struts configuration, but it does in configurations commonly seen with some Struts plugins. Struts improperly validates namespaces, which allows OGNL injection and can lead to full remote code execution on the target system.
Recommendations
A PoC has already been published and is publicly available, so you can very likely expect active attacks against this vulnerability. It is therefore recommended to immediately update Struts to version 2.3.35 or 2.5.17.
SIEM Detection
1. Carry out a vulnerability scan of your infrastructure and send the output to your SIEM solution.
2. Create a rule to look for cve_id=CVE-2018-11776.
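The rule from step 2, sketched as an added example (not code from the original post or from any SIEM product): it matches `cve_id=CVE-2018-11776` in key=value scanner events and uses the affected version ranges quoted above to separate hosts that still need the update from stale findings. The event layout and the `host` and `struts_version` fields are assumptions, and the sample events are constructed.

```python
import re

CVE_ID = "CVE-2018-11776"
# Affected ranges as quoted above: 2.3 to 2.3.34 and 2.5 to 2.5.16.
AFFECTED = [((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16))]
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
RANK = {"stale-finding": 0, "unknown-version": 1, "vulnerable": 2}

# Constructed sample events; field names are assumptions, not a real scanner schema.
SAMPLE = [
    'ts=2018-08-25T10:02:11Z host=app01 plugin="struts check" cve_id=CVE-2018-11776 struts_version=2.3.34',
    'ts=2018-08-25T10:02:12Z host=app02 cve_id=CVE-0000-0000 struts_version=2.3.31',  # placeholder id
    'ts=2018-08-25T10:02:13Z host=app03 cve_id=cve-2018-11776 struts_version=2.5.17',
    'ts=2018-08-25T10:02:14Z host=app04 cve_id=CVE-2018-11776',
    'ts=2018-08-25T10:02:15Z host=app05 cve_id=CVE-2018-11776 struts_version=2.5.16',
]

def parse_event(line):
    """Parse one key=value event into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def is_affected(version_text):
    """True/False for a parseable version, None when it is missing or odd."""
    parts = version_text.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    v = tuple([int(p) for p in parts] + [0] * (3 - len(parts)))
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def triage(lines):
    """Map each host with a CVE-2018-11776 finding to its worst status."""
    hosts = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("cve_id", "").upper() != CVE_ID:  # the SIEM rule from step 2
            continue
        status = {True: "vulnerable", False: "stale-finding",
                  None: "unknown-version"}[is_affected(ev.get("struts_version", ""))]
        host = ev.get("host", "unknown")
        if RANK[status] > RANK.get(hosts.get(host), -1):
            hosts[host] = status
    return hosts

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(host, status)
```

A finding with no parseable version is kept as `unknown-version` rather than dropped, so it still reaches an analyst.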