Unraveling the Struts2 security vulnerability: A deep dive

December 21, 2023 By Aaron Linskens


In a recent webinar hosted by Sonatype, Chief Technology Officer (CTO) and co-founder Brian Fox and Field CTO Ilkka Turunen discussed the critical security vulnerability affecting Apache Struts2.

The webinar extensively covered CVE-2023-50164, a directory traversal vulnerability in Struts2 that poses a risk of remote code execution (RCE).

As a somewhat unwelcome holiday tradition, reminiscent of the Log4j exploit almost exactly two years ago in 2021, the discussion centered around the urgency of addressing a critical RCE.

Initiating the discussion, Turunen emphasized the significance of addressing Struts2 vulnerabilities, given its prevalence in legacy applications.

Fox added historical context, recalling the impact of Struts vulnerabilities in the past.

"Struts might be familiar to the audience since, back in 2012, there were a lot of cyberattacks on banks, not as high-profile, but those of us in the industry saw this happen, and with many of the financial firms that we've worked with, it started them down the path of better software supply chain management," said Fox. "Then, notoriously, it was the Struts vulnerability that led to the Equifax data leak in 2017, which tons of people know of. So if Struts rang a bell, that’s why."

Understanding the vulnerability

In describing this directory traversal vulnerability in the Struts2 framework, Turunen explained how an attacker could manipulate the file upload process, potentially leading to RCE.

Turunen detailed the vulnerability's evolution, initially perceived as a file upload concern. However, the emergence of proof-of-concept (PoC) code swiftly elevated it to a critical RCE threat, shifting its CVSS scale rating from 8.6 to 9.8. This escalation prompted alerts from key authorities like the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK Government Communications Headquarters (GCHQ), underscoring the urgency of updates.

Given Java's prevalence in over 3 billion devices and Struts' widespread use, swift updates are crucial for systems with upload functionality, a common feature in various services.

"This is like a granddaddy framework that is fairly popular enough to be widely used in almost any circumstance where you use enterprise applications. This is almost a literal definition of why JavaServer Pages were a thing back in the day," said Turunen. "But Struts2 nowadays is present in so much legacy estate, in nearly every organization that deals with Java."

Unpacking this critical exploit

Fox emphasized that this vulnerability is actively exploited, referencing reports from Akamai and other sources. He underscored the speed at which attackers capitalize on disclosed vulnerabilities and the responsibility of organizations to promptly upgrade their systems.

"I want to underscore that this vulnerability is actively being exploited. This follows the same trend that we've seen with other critical vulnerabilities — Log4Shell was similar," said Fox. "The real problem, from my point of view, has always been that companies don’t understand what's inside their software, and therefore they can't upgrade fast enough."

The discussion also turned to the challenge organizations face in managing Struts' software dependencies.

"There's actually two issues when it comes to a vulnerability like this — it's the software that you write yourself using Struts2 as well as the software from your vendors and your suppliers that is built on top of it," said Turunen. "So, there's two waves of patching, which makes it even harder to know what to do and when."

Turunen, who previously covered data from this exploit, presented live statistics from Sonatype's dedicated resource center. The figures come from Maven Central, which is operated by Sonatype, and reveal a steady rate of downloads for the vulnerable Struts2 framework.

The data indicated that a significant percentage of downloads remained vulnerable, reflecting a common issue in upgrading legacy applications.

"We're seeing a steady rate of 2,000 to 3,000 downloads every single day that are hitting Central of the vulnerable framework," said Turunen. "Another number that shows why we feel the alert that we do is the ratio of known patched versions of the Struts framework versus the Struts framework that are vulnerable to this particular security vulnerability being downloaded — so far that number has been at a steady 80-85% of the downloads still vulnerable to this particular security vulnerability."

Demonstrating the exploit

As part of the webinar, Turunen provided a live demonstration of a PoC of the exploit using an application and a web shell.

He utilized this GitHub repository as a point of reference in demoing the PoC.

The exploit leveraged the vulnerability to execute commands and potentially compromise systems.

"In this example the file uploads to a specific folder. Basically, the exploit leverages a web application resource (WAR) file that implements a web shell. Essentially the web shell allows an attacker to send system commands through cmd, essentially like a GET," said Turunen. "So, what this exploit does is take this malicious file using this legitimate file prompt and appends Unix directory notifiers onto the file path. And what then happens is, after a file upload, which has a couple of extra upload parameters in the request."

The Struts2 vulnerability stemmed from a case sensitivity issue. The exploit capitalized on this by passing the same parameter twice with two different cases, with the second one effectively overriding the initial setting.
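A defender can look for both signals described above in an upload request: parameter names that differ only by case, and a client-supplied file name that resolves outside the upload folder. The following is an added example, not code from the webinar or from Struts; the parameter names, the `filename_fields` set and the upload directory are hypothetical.

```python
import posixpath
from collections import defaultdict

def case_colliding_names(params):
    """Groups of parameter names that differ only by letter case."""
    groups = defaultdict(set)
    for name, _ in params:
        groups[name.lower()].add(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def escapes_upload_dir(filename, upload_dir):
    """True if filename, joined to upload_dir and normalised, leaves it.
    Lexical check only: symlinks are not resolved."""
    base = posixpath.normpath(upload_dir)
    joined = posixpath.join(base, filename.replace("\\", "/"))
    return not posixpath.normpath(joined).startswith(base + "/")

def review_upload_request(params, filename_fields, upload_dir="/srv/app/uploads"):
    """Return findings for one request's (name, value) parameter pairs.
    filename_fields: lower-cased names that carry a client-supplied file name."""
    findings = [("case-colliding-parameter", g) for g in case_colliding_names(params)]
    for name, value in params:
        # Compare names case-insensitively so a re-cased duplicate is still checked.
        if name.lower() in filename_fields and escapes_upload_dir(value, upload_dir):
            findings.append(("path-escape", name))
    return findings

# Constructed sample requests (hypothetical names, not taken from any PoC).
BENIGN = [("attachment", "<file bytes>"), ("attachmentName", "report.pdf")]
SUSPECT = [("attachment", "<file bytes>"),
           ("attachmentName", "report.pdf"),
           ("attachmentname", "../../outside/app.war")]

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, review_upload_request(req, {"attachmentname"}))
```

The same two checks can run server-side before a file is written, or over logged request parameters during triage.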

Fox emphasized the risk of attackers probing for weaknesses even after the initial wave of attacks subsides.

"It struck me that everyone would be trying this type of vulnerability of all the other versions of Struts, different elements of Struts, probably other frameworks are going to get probed with the same thing," said Fox. "So, it will not surprise me at all that we could see follow-on vulnerabilities related to this in other elements of both Struts and also other frameworks."

Urgency of upgrades and Sonatype's role

Fox emphasized the importance of upgrading Struts2 to mitigate the vulnerability. He discussed the challenges associated with upgrading and highlighted Sonatype's tools and solutions to help organizations navigate this complexity.

"The challenge with these types of vulnerabilities is that traffic often very much looks like legitimate traffic, and it's hard to tell at a network layer that something is doing an unexpected thing. So when a proof of concept comes out, they can recognize that and directly move to block it, but that’s not always bulletproof either," said Fox. "The answer is to upgrade. In our annual State of the Software Supply Chain report, we did a lot of research on upgrade urgency to help tease out the difference between proactive and reactive upgrades."

Turunen emphasized the need for organizations to generate software bills of materials (SBOMs) and automate the process to keep pace with the rapid influx of vulnerabilities. He provided a demonstration of Sonatype Lifecycle, showcasing its ability to identify components affected by specific CVEs.

He reinforced the urgency of addressing the Struts2 vulnerability and reiterated two crucial aspects. First, determine if your applications and the software you develop are affected. Second, be prepared for potential vulnerabilities in the software or devices supplied by your vendors.

"Expect that there could be a wave of patches to apply. If you don't develop that muscle, this is going to be painful every single time," said Turunen. "You're going to need some automation. You're going to need some tools — and that’s why Sonatype embarked on its journey, because we figured there had to be a better way to do this."

The webinar concluded with a call to action for organizations to proactively manage their software supply chains, adopt automation, and leverage tools like Sonatype's to ensure timely upgrades.

"You need to be able to have SBOMs in place for your entire organization so you can immediately respond, and Sonatype helps you do that," said Fox. "We as the stewards of Maven Central have been front and center and watched these things in the ecosystem over the last decade and started scratching our heads saying how do we help people do a better job of this. And our products evolved from that."

Find out everything you need to know about Struts2 in the full webinar recording.
