Struts2 Remote Code Execution Vulnerability (S2-057)

  • Source: SANGFOR Security Center
  • Date Published: 2018-08-24

Summary

Definition From Encyclopedia

Apache Struts 2 is one of the most popular MVC-based Java web server frameworks.

Struts2's core is WebWork, which handles user requests through interceptors and functions as a controller that establishes data interaction between the model and the views. This design lets the business-logic controller be completely independent of the Servlet API. Struts2 is an upgrade of WebWork.

Summary

If the namespace value is not specified when struts-actionchaining.xml is configured, and the upper action(s) have no namespace or a wildcard namespace, remote code execution may occur.

Likewise, if the value and action values are not specified when struts-actionchaining.xml is configured, and the upper action(s) have no namespace or a wildcard namespace, remote code execution may occur.

Globally, over 6,343 Struts2-based assets are exposed to the Internet, 1,218 of them in China, as shown in the following figure.

Vulnerability Reproduction

The introduction above may be a little technical. To give an intuitive view of the vulnerability and the attack process, we reproduce it.

Prerequisites:

1. The Struts 2 version is between 2.3 and 2.3.34 or between 2.5 and 2.5.16.

2. struts-actionchaining.xml is configured with a redirection but without a namespace value.

We did the following test in a Struts2 environment with this vulnerability.

The vulnerability can be exploited by constructing an OGNL expression in the URL, using the name attribute of the action tag and ending with action, as shown below:

The OGNL expression is executed when the address is visited.

The path is also redirected to the one that has been set in , showing that the S2-057 vulnerability has been exploited.

Affected Versions

Struts 2.3 - Struts 2.3.34

Struts 2.5 - Struts 2.5.16

Other unsupported Struts versions.


Solution

Remediation Solution

Download or upgrade to the latest version (2.3.35 or 2.5.17), since Apache has released a new version with this vulnerability fixed (http://archive.apache.org/dist/struts/).

A temporary, weaker workaround is to verify that a namespace is set in all XML configurations where the upper action(s) have no namespace or a wildcard namespace, and to verify in JSPs that value and action are set in all url tags.

Link: Apache Wiki https://cwiki.apache.org/confluence/display/WW/S2-057
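As an added example (not code from the advisory or from the Struts project), the following Python script implements the configuration check the workaround describes: it parses a struts-actionchaining.xml / struts.xml document and flags redirectAction and chain results that do not name their own namespace inside a package whose namespace is absent or a wildcard. The embedded configuration is constructed for the example, and its package, action and class names are hypothetical.

```python
# Added audit script for the S2-057 workaround: flag redirectAction/chain results
# without their own namespace inside a package whose namespace is absent or wildcard.
import xml.etree.ElementTree as ET
from typing import List

RISKY_RESULT_TYPES = {"redirectAction", "chain"}

# Constructed sample configuration; package/action/class names are hypothetical.
SAMPLE_STRUTS_XML = """<struts>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="show" class="com.example.ShowAction">
      <result type="redirectAction">list</result>
    </action>
  </package>
  <package name="nons" extends="struts-default">
    <action name="chainme" class="com.example.ChainAction">
      <result type="chain">
        <param name="actionName">target</param>
        <param name="namespace">/safe</param>
      </result>
    </action>
  </package>
  <package name="fixed" extends="struts-default" namespace="/app">
    <action name="ok" class="com.example.OkAction">
      <result type="redirectAction">list</result>
    </action>
  </package>
</struts>"""


def namespace_is_unsafe(ns) -> bool:
    # Missing, empty, or wildcard package namespace: the configuration does not
    # pin the namespace, so a result must name one itself to be safe.
    return ns is None or ns.strip() == "" or "*" in ns


def find_risky_results(struts_xml: str) -> List[str]:
    """Return 'package/action' for every redirectAction/chain result that
    relies on an unpinned inherited namespace instead of an explicit one."""
    findings = []
    for pkg in ET.fromstring(struts_xml).iter("package"):
        if not namespace_is_unsafe(pkg.get("namespace")):
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if result.get("type") not in RISKY_RESULT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip()
                          for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append(f"{pkg.get('name')}/{action.get('name')}")
    return findings
```

Only the result in the wildcard package is reported; the chain result in the package without a namespace passes because it carries an explicit namespace param.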

Sangfor’s Solution

Sangfor Security Cloud was updated immediately and can now probe websites for this vulnerability to keep users secure.

If you are not sure whether your business systems have this vulnerability, sign in to Sangfor Visioner to apply for a 30-day free trial and check their security health (http://saas.sangfor.com.cn).

For Sangfor NGAF customers, simply turn on the corresponding security protection feature.