A new vulnerability, tracked as CVE-2017-9791, has been discovered in Apache Struts.
The Apache Struts framework is used for building modern Java-based web applications and has two major versions, Apache Struts 1 and Apache Struts 2. According to the research published here, a Struts 1 plugin is available that allows developers to reuse existing Struts 1 Actions and ActionForms in Struts 2 web applications. A vulnerability has been found in this plugin that could allow remote code execution on the affected server when it is used with Struts 2.3.x. (Versions 2.5.x are not affected.)
The previous vulnerability, CVE-2016-5638, showed that remote code execution (RCE) vulnerabilities in Apache Struts rely on Object Graph Navigation Language (OGNL) expressions. OGNL makes it easy to execute arbitrary code remotely because Apache Struts uses it for most of its processing. The recently disclosed Struts vulnerability CVE-2017-9791 (covered in S2-048) also uses OGNL expressions for remote code execution.
For remote code execution to succeed, the attacker needs to send a specially crafted request with a malicious value in the vulnerable parameter to a server that is using the Struts 2 - Struts 1 plugin together with a Struts 1 action that places that value into a message presented to the user.
The attacker can then send malicious code in the HTTP request (including its body) as a parameter value, and it will be executed on the targeted server hosting the vulnerable application. A proof of concept that demonstrates the attack scenario is publicly available.
The proof-of-concept code in Python is also available here.
Apache Struts versions 2.3.x with the Struts 1 plugin and a Struts 1 action are reported to be vulnerable. If you are using such a configuration, the vendor has suggested always using resource keys instead of passing a raw message to the ActionMessage, or moving to the Apache Struts 2.5.x series.
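The following Struts 1 Action is an added example (not code from the advisory or from the Struts project) showing the message pattern the vendor warns about beside the resource-key form it recommends; the `orderId` parameter, the `order.notfound` bundle key and the `orderExists` helper are assumptions made for this illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

/**
 * Struts 1 Action intended to run under the Struts 2 Struts 1 plugin (2.3.x).
 * Names used here ("orderId", "order.notfound", orderExists) are assumptions
 * for this example, not part of the original advisory.
 */
public class LookupOrderAction extends Action {

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        String orderId = request.getParameter("orderId");
        ActionMessages messages = new ActionMessages();

        if (!orderExists(orderId)) {
            // RISKY (S2-048 pattern): the raw request value becomes the message
            // text itself. Under the Struts 1 plugin that text is handed to the
            // Struts 2 side, where it is treated as an OGNL expression.
            // messages.add(ActionMessages.GLOBAL_MESSAGE,
            //         new ActionMessage("Order " + orderId + " could not be found"));

            // RECOMMENDED: the first argument is a fixed resource-bundle key and
            // the user-supplied value is only a {0} substitution argument.
            // Assumed entry in ApplicationResources.properties:
            //   order.notfound=Order {0} could not be found.
            messages.add(ActionMessages.GLOBAL_MESSAGE,
                    new ActionMessage("order.notfound", orderId));
            saveMessages(request, messages);
            return mapping.findForward("failure");
        }
        return mapping.findForward("success");
    }

    /** Stand-in for the real lookup; assumed for this example. */
    private boolean orderExists(String orderId) {
        return orderId != null && orderId.matches("\\d{1,10}");
    }
}
```

Reviewing existing Struts 1 actions for `ActionMessage` constructors whose first argument is built from request data, rather than a literal bundle key, is a quick way to find code that needs this change.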