Apache has fixed a critical vulnerability in the hugely popular Struts project that was previously believed to be fixed, but it turned out not to be fully fixed.
Therefore, Cybersecurity and Infrastructure Security Agency (CISA) is calling on users and administrators to upgrade to the latest, patched Struts 2 versions.
Struts is an open-source application development framework used by Java web developers to build MVC (model-view-controller) apps.
Remote Code Execution (RCE) Error Not Completely Resolved
This week, DHS CISA is urging organizations to upgrade to Struts2 version 2.5.30 (or later), which fixes a critical vulnerability to OGNL injection.
Tracked as CVE-2021-31805, the critical vulnerability exists in Struts 2 versions 2.0.0 through 2.5.29.
The vulnerability is due to an incomplete fix applied for CVE-2020-17530, also an OGNL Injection bug, with a severity rating of 9.8 (critical).
Object-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java that simplifies the range of expressions used in the Java language. OGNL also allows developers to work with arrays more easily. But parsing OGNL expressions based on untrusted or raw user input can be problematic from a security perspective.
In 2020, researchers Alvaro Munoz of GitHub and Masato Anzai of Aeye Security Lab had reported a “double evaluation” error in Struts2 versions 2.0.0 – 2.5.25, under certain circumstances.
“Some attributes of the tag may perform a double evaluation if a developer applies forced OGNL evaluation using the %{…} syntax,” advises CVE-2020-17530.
“Using forced OGNL evaluation on untrusted user input may lead to remote code execution and security degradation.”
Although Apache fixed the 2020 bug in Struts 2.5.26, researcher Chris McCown later found that the applied fix was incomplete.
As such, McCown responsibly reported to Apache that the “double evaluation” issue could still be reproduced in Struts versions 2.5.26 and later, resulting in the assignment of CVE-2021-31805.
Users are advised to upgrade to Struts 2.5.30 or higher and to avoid using forced OGNL evaluation in the tag’s attributes based on untrusted user input.
In addition, Apache recommends following the security guide for best practices.
2017 Equifax Hack Came From OGNL Injection
It has been a year where Java components with high profile vulnerabilities such as Log4Shell and Spring4Shell dominate the cybersecurity space.
With the resurgence of this two-year-old critical flaw in Struts, security professionals and organizations may need to take a closer look at their web server environments.
The Struts framework has a history of critical vulnerabilities, most notably remote code execution errors due to insecure OGNL use.
Another flaw in Struts 2 OGNL Injection (CVE-2017-5638) was previously exploited in the wild by threat actors, including ransomware groups.
Equifax, the consumer credit reporting giant, later confirmed that the 2017 hack at the company resulted from the exploitation of CVE-2017-5638, which was a zero-day at the time.
The Equifax data breach compromised the data of 143 million users as hackers stole people’s names, social security numbers (SSNs), dates of birth, addresses and, in some cases, driver’s license numbers.
Also, credit card numbers of approximately 209,000 US users had been accessed by threat actors. Without disclosing the exact number of people affected, Equifax confirmed that the breach also affected British and Canadian residents to some extent.
This post Critical Apache Struts RCE vulnerability was not fully fixed, patch now
was original published at “https://www.bleepingcomputer.com/news/security/critical-apache-struts-rce-vulnerability-wasnt-fully-fixed-patch-now/”