Alert Logic® is actively researching a newly disclosed critical remote code execution (RCE) vulnerability in Apache Struts. The vulnerability (CVE-2018-11776) can provide attackers with total control of the victim system, including execution of arbitrary code and upload of malicious files such as web shells and malware. All applications that use Apache Struts – supported versions (2.3 to 2.3.34 and 2.5 to 2.5.16) and some unsupported versions – are potentially vulnerable to this flaw, even when no additional plugins have been enabled.
The CVE-2018-11776 vulnerability was published by Semmle on August 22, 2018. It resides in the core of the Struts framework and is caused by insufficient validation of untrusted, user-provided input under certain configurations.
For more information and technical details about this vulnerability, refer to our Emerging Threat: Active Exploit of Apache Struts Remote Code Execution Vulnerability blog.
Alert Logic Coverage
Alert Logic Threat Manager™ has signatures in place to detect exploits of CVE-2018-11776.
Both Alert Logic Web Security Manager and Alert Logic Web Security Manager Premier detect attacks targeted at exploiting the CVE-2018-11776 vulnerability. If Alert Logic Web Security Manager Premier is in Protect mode, it will also block these attacks.
Additionally, Alert Logic has developed vulnerability scanning coverage to identify vulnerable assets.
Recommendations for Mitigation
Per Apache Struts, the following remediation options are available:
- Upgrade to the latest versions of Apache Struts – 2.3.35 or 2.5.17
- Set the namespace (if applicable) for all defined results in underlying configurations
- Set a value or action for all URL tags in your JSPs
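As an added illustration (not taken from this advisory or from the Apache Struts project), the struts.xml fragments below show a result definition with the weak setting that the second recommendation targets, followed by the corrected form. The package name, action name, class name and namespace value are made up for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>

    <!-- WEAK: the package declares no namespace and the redirectAction
         result does not set one either, so the framework falls back to
         a namespace derived from the incoming request rather than from
         trusted configuration. -->
    <package name="example-weak" extends="struts-default">
        <action name="login" class="com.example.LoginAction">
            <result name="success" type="redirectAction">
                <param name="actionName">home</param>
                <!-- no <param name="namespace"> here -->
            </result>
        </action>
    </package>

    <!-- CORRECTED: the package has an explicit namespace and every
         redirecting result names its target namespace explicitly, so
         nothing about where the redirect goes is taken from the URL. -->
    <package name="example-fixed" namespace="/app" extends="struts-default">
        <action name="login" class="com.example.LoginAction">
            <result name="success" type="redirectAction">
                <param name="actionName">home</param>
                <param name="namespace">/app</param>
            </result>
        </action>
    </package>

    <!-- Keep the default for this constant: setting it to "true" widens
         the set of configurations in which request-derived namespaces
         are used. -->
    <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>

</struts>
```

The same principle applies to the third recommendation: every `<s:url>` tag in a JSP should carry an explicit `value` or `action` attribute so the link target comes from the page, not from the request.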
We will update this section with new information about this Apache Struts vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click the FOLLOW button at the top of this article.
Note: You must sign in with your Alert Logic product credentials to follow this article.
08/24/18: Vulnerability scan coverage is now available to identify vulnerable assets.