If you haven't heard of it by now, you should sit up and pay attention to "Struts-Shock." That's what Veracode is calling a critical vulnerability just identified in the Apache Struts 2 library, which attackers are actively exploiting.
We're cautioning customers and anyone else using the vulnerable Struts 2 component, due to the severity of the bug, and because it is widespread in Java applications and is easy to exploit with available tools. Although the Apache Foundation issued a patch for the Struts-Shock vulnerability on Monday, March 6 (see security bulletin S2-045), many affected organizations may be exposed if they do not know which of their applications are using vulnerable versions of the library.
According to an analysis of Veracode scans over the past 18 months, 68 percent of Java applications using the Struts 2 library have a version that is vulnerable to Struts-Shock.
Struts-Shock is a Remote Code Execution (RCE) vulnerability, also referred to as command injection. A command injection vulnerability allows an attacker to send HTTP requests to an impacted web application, and execute commands of their choosing on the server.
"A typical Struts-Shock attack would be to install command and control software on the server in order to join the server to a botnet," Veracode CTO Chris Wysopal said. "Another typical attack would be to use the server as a stepping stone to further penetrate the network the vulnerable server is part of."
Any Java application using the vulnerable Struts 2 package, which includes Struts 2.3.5 - 2.3.31, and Struts 2.5 - Struts 2.5.10, is vulnerable. "Exploits are not dependent on any class or codepath. An attacker can trigger the vulnerable code with a crafted web request," Chris said.
All Apache Struts 2 developers and customers should update to version 2.3.32 or 126.96.36.199 as soon as possible.
Open source components such as Apache Struts 2 are a vital part of software development – it just doesn't make sense for fast-moving development shops to reinvent the wheel whenever they need to use existing functionality. However, the lack of visibility into the use of open source components represents a systemic risk to applications, organizations, and the digital economy as a whole.
"Developers use pre-existing components to get functionality 'for free,' and are often unaware of the complete bill of goods that make up the code they use," Chris said. "Despite the risk, most third-party and open source components do not undergo the same level of security scrutiny as custom-developed software. Compounding the risk, it can be difficult and costly for companies with multiple code repositories to pinpoint all the applications where a risky component is used."
The widespread use of components makes them an ideal target for cybercriminals. Cybercriminals can create one exploit targeting a known vulnerability, and because companies are ill-equipped to respond to vulnerability disclosures in third-party components, attackers have an enormous range of potential victims to attack. This is why vulnerabilities in open source code, such as Heartbleed, are so dangerous.
Java vulnerabilities like Struts-Shock are particularly concerning because Java is so widely used. Of all the enterprise and vendor-written applications Veracode tested for our recent State of Software Security report, about half were written in Java. And a shockingly high number of those applications – 97 percent – had at least one component with a known vulnerability.
Unfortunately, that means vulnerabilities like Struts-Shock are far from rare. Stamping them out requires an ongoing and systematic effort. We're offering a free whitepaper describing strategies for reducing open source and third-party component risk. Contact us to learn more about how Veracode can help you reduce application risk from vulnerable open source components.
If you are a Veracode customer
Veracode security consultants and account managers are actively reaching out to help customers identify and update vulnerable applications.