Critical Apache Struts RCE Vulnerability Discovered, Act Now!
A critical remote code execution vulnerability, CVE-2018-11776, has been discovered in Apache Struts 2. The flaw is insufficient validation of user-supplied namespace values in certain action and result configurations: an attacker who controls the namespace portion of the URL can inject an OGNL expression, and OGNL evaluation on the server gives full remote code execution. Qualys Web Application Firewall users were already protected, but other organizations should act swiftly to mitigate the risk.
The vulnerable conditions arise in commonly seen configurations, including ones introduced by some Struts plugins, and can be present in an otherwise default Struts deployment. It affects Struts 2.3 up to and including 2.3.34 and Struts 2.5 up to and including 2.5.16. A proof of concept (PoC) has been published, so active exploitation attempts should be expected.
The fix is to upgrade to the patched releases, Struts 2.3.35 or 2.5.17, immediately. Where the upgrade cannot be rolled out at once, Qualys WAF can block exploitation attempts in the meantime, whether through the generic policy, a custom rule, or a virtual patch for this CVE, buying time to implement the sustainable fix.
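As an added example, and not code from the Qualys post or from its WAF product: a small Python log hunt that flags requests whose URL path carries an OGNL expression delimiter (`${` or `%{`) in the position Struts resolves as the namespace, which is where this flaw is triggered. The access-log lines are constructed for the example, and the combined-log regex and the function names are this example's own choices, not Qualys rule syntax.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Lines 2 and 3 carry OGNL expression delimiters in the first path segment,
# which is the position Struts treats as the namespace; line 2 is URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Aug/2018:10:01:12 +0000] "GET /app/showcase/index.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Aug/2018:10:02:45 +0000] "GET /%24%7B1%2B1%7D/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.58.0"
10.0.0.9 - - [22/Aug/2018:10:03:01 +0000] "GET /%{1+1}/help.action HTTP/1.1" 302 0 "-" "python-requests/2.19"
10.0.0.7 - - [22/Aug/2018:10:04:30 +0000] "POST /app/login.action?next=%7Bhome%7D HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expressions are delimited by ${...} or %{...}; neither delimiter belongs
# in a legitimate Struts namespace or action name.
OGNL_MARKER = re.compile(r'[$%]\{')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads do not slip past."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_path(target):
    """Return (suspicious, decoded_path).

    Only the path is inspected: Struts takes the namespace from the path, so
    the query string is out of scope for this particular flaw.
    """
    path = target.split('?', 1)[0]
    decoded = decode_fully(path)
    return bool(OGNL_MARKER.search(decoded)), decoded


def scan_log(text):
    """Return one finding per request whose path carries an OGNL delimiter."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than fail
        suspicious, decoded = check_path(match['target'])
        if suspicious:
            findings.append({
                'ip': match['ip'],
                'timestamp': match['ts'],
                'method': match['method'],
                'raw_target': match['target'],
                'decoded_path': decoded,
            })
    return findings


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['method']} {hit['decoded_path']}")
```

Run against the constructed sample, the two requests from 10.0.0.9 are flagged and the two ordinary requests are not, including the one whose query string contains braces. Decode before matching, as the example does, or the percent-encoded variant on line 2 is missed. A hit shows that someone probed the namespace, not that the attempt succeeded, and an empty result does not prove the application was not exploited; the upgrade remains the fix.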
Qualys has released detections for CVE-2018-11776 in Qualys Vulnerability Management and Qualys Web Application Scanning under QIDs 13251, 371151, and 150250. Affected organizations are urged to patch their systems promptly to prevent exploitation of this severe vulnerability; WAF rules reduce exposure in the meantime but are not a substitute for the upgrade.