Apache Struts Namespace Remote Code Execution Vulnerability [CVE-2018-11776]

CVE Number – CVE-2018-11776

A vulnerability in Apache Struts could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of url tags with no value or action. In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing. If successful, the attacker could execute arbitrary code in the security context of the affected application on the targeted system.

The Apache Software Foundation has confirmed the vulnerability and released software updates.

• To exploit this vulnerability, an attacker must send a request that submits malicious input to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

  Unsupported versions of Struts may also be affected by this vulnerability.

• Administrators are advised to apply the appropriate updates.

  Administrators are advised to allow only trusted users to have network access.

  Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.

  Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

  Administrators can help protect affected systems from external attacks by using a solid firewall strategy.

  Administrators are advised to monitor affected systems.

• The Apache Software Foundation has released a security bulletin at the following link: S2-057

• • The Apache Software Foundation has released software updates at the following link: Struts 2.5.17 and 2.3.35

Duncan

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.