- The proof-of-concept exploit was found on GitHub, along with a Python script that allows for easy exploitation.
- The remote code execution vulnerability affects Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16.
The Apache Software Foundation revealed a critical flaw (CVE-2018-11776) last week. The bug is similar to the one exploited in the Equifax breach. The foundation urged organizations and developers to upgrade their installations to version 2.3.35 or 2.5.17.
Even as some firms are racing to apply the patch to fix the issue, a Proof-of-Concept (PoC) for the exploit has surfaced on GitHub.
Researchers from Recorded Future found the PoC exploit on GitHub, along with a Python script that allows for easy exploitation. The researchers also discovered a number of chats related to the bug’s exploitation on Chinese and Russian underground forums.
The vulnerability, CVE-2018-11776, was first discovered and reported by security researcher Man Yue Mo of the software analytics firm Semmle. The remote code execution (RCE) vulnerability affects Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16. The flaw could allow attackers to take control of vulnerable applications “by injecting their own namespace as a parameter in an HTTP request”. Per the Apache advisory for this issue, the injected namespace is only evaluated when the application has alwaysSelectFullNamespace set to true and/or defines actions without a namespace or with a wildcard namespace, so those two settings are what an administrator should check while the upgrade is being scheduled.
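Two checks a defender would want while the upgrade is pending, written as an added example for this article rather than code from Recorded Future, Semmle or the Struts project: a version test against the affected ranges the advisory lists, and a scan of web-server access logs for OGNL expression delimiters (`${` or `%{`) inside the URL path, which is where an injected namespace would land. The log lines and the `233*233` arithmetic probe are constructed for the example; the common-log-format layout and the assumption that the namespace appears as a path segment rather than in the query string are also assumptions of this example.

```python
import re
from urllib.parse import unquote

# Affected ranges from the advisory text above: 2.3 .. 2.3.34 and 2.5 .. 2.5.16,
# fixed in 2.3.35 and 2.5.17 respectively.
FIXED_RELEASES = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}


def parse_version(version: str) -> tuple:
    """Turn '2.5.16' (or '2.5') into a 3-tuple of ints for ordered comparison."""
    nums = tuple(int(p) for p in version.strip().split(".")[:3])
    while len(nums) < 3:
        nums += (0,)
    return nums


def is_affected(version: str):
    """True if the version is inside a listed affected range, False if it is at or
    past the fix, None for release lines the advisory statement does not cover."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


# OGNL expression openers; an injected namespace would carry one of these.
OGNL_OPENER = re.compile(r"[$%]\{")

# Common Log Format (assumed layout for this example): client, ident, user,
# timestamp, "METHOD PATH PROTO", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_requests(log_lines):
    """Return (client_ip, decoded_path) for requests whose URL *path* contains an
    OGNL opener. The query string is deliberately ignored: it is not part of the
    Struts namespace, so '${' there is noise for this particular check."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        # Split off the query string before decoding so an encoded '?' cannot
        # move content from the path into the query part.
        path = unquote(m.group("target").split("?", 1)[0])
        if OGNL_OPENER.search(path):
            hits.append((m.group("ip"), path))
    return hits


# Constructed sample log lines (not real traffic): one normal action request,
# one with an arithmetic OGNL probe in the namespace position, and one with
# '${' only in the query string, which must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Aug/2018:10:01:02 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Aug/2018:10:01:03 +0000] "GET /struts2-showcase/%24%7B233*233%7D/actionChain1.action HTTP/1.1" 302 0',
    '198.51.100.4 - - [27/Aug/2018:10:01:04 +0000] "GET /search?q=%24%7Bfoo%7D HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for v in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(v, "affected" if is_affected(v) else "not affected")
    for ip, path in suspicious_requests(SAMPLE_LOG):
        print("OGNL opener in path from", ip, "->", path)
```

The path check is a triage filter, not proof of exploitation: a hit tells you which clients were probing the namespace position, and the application's alwaysSelectFullNamespace and action namespace configuration then decide whether those requests could have been evaluated at all.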
“Apache Struts is a very popular Java framework and there are potentially hundreds of millions of vulnerable systems that could be exploited by this flaw. Most often, scanners will trick servers into returning a Java stack trace as a way of identifying potential Struts servers — other tricks include looking for certain files or directories,” Recorded Future researcher Allan Liska said in a statement.
Liska added that, unlike the 2017 Struts flaw exploited in the Equifax breach, the current RCE vulnerability appears easier to exploit.
“Unlike last year’s Apache Struts exploit (CVE-2017-5638), which was at the center of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running in order to successfully exploit it,” said Liska.
Meanwhile, Semmle CEO Oege de Moor has declined to confirm whether the published PoC is functional. However, de Moor believes that “attackers now have a quicker way into the enterprise”, SC Media reported.