lolloj - Fotolia
The Apache Software Foundation issued alerts last week for two vulnerabilities that were originally patched -- but not fully disclosed -- last fall.
Apache released security advisories regarding the vulnerabilities found in Apache Struts versions 2.0.0 - 2.5.20. One is a potential remote code execution (RCE) vulnerability (CVE-2019-0230), and the other is a denial-of-service vulnerability (CVE-2019-0233). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert about the two Apache Struts vulnerabilities and encouraged system administrators to patch the flaws.
The vulnerabilities were patched in the latest version of Struts, 2.5.22, which was released in November 2019. However, the documentation for version 2.5.22 makes no mention of the two vulnerabilities or related security fixes. While the two CVEs are dated 2019, it's unclear when they were first discovered and disclosed to Apache.
Scott Caveza, research engineering manager at Tenable, told SearchSecurity the disclosure approach Apache took "is a bit unusual."
"The release notes for version 2.5.22 did not include a reference to security fixes being included in the update. As such, we suspect the update faced little scrutiny from researchers until the announcement of the security fixes last week," he said. "Apache did note in their security announcement that the researchers who discovered these vulnerabilities worked with the Apache team on a responsible, coordinated public disclosure."
The Apache Struts vulnerabilities
The RCE vulnerability, according to Tenable's analysis, "is a forced double Object-Graph Navigation Language (OGNL) evaluation vulnerability that occurs when Struts tries to perform an evaluation of raw user input inside of tag attributes. An attacker could exploit this vulnerability by injecting malicious OGNL expressions into an attribute used within an OGNL expression. According to Apache, exploitation of this vulnerability could result in remote code execution (RCE)."
Meanwhile, Tenable said the DoS vulnerability "results from an access permission override during a file upload. According to the S2-060 security bulletin, an attacker may be able to modify a request during a file upload operation in a way that results in the uploaded file set to read-only access. Once the file is uploaded, any further actions on the file will fail. Exploiting this flaw could also result in the failure of any subsequent file upload operations, either of which could result in a denial of service condition for an affected application."
Tenable's post further notes that multiple proof-of-concept exploits have been identified on GitHub for CVE-2019-0230. However, as the cybersecurity company notes, "because each Struts application is unique, the actual payload needed to exploit it will differ from application to application."
It's unclear how many organizations have upgraded to version 2.5.22 already and patched the two Apache Struts vulnerabilities. "Given Apache Struts is well known following a high-profile breach that exploited CVE-2017-5638, we anticipate developers will prioritize applying this update now that the security advisory has been published," Caveza said.
The breach being referenced is the infamous Equifax breach of 2017, which impacted the personal data of over 160 million people across the United States, Great Britain and Canada. According to CISA, CVE-2017-5638 is one of the 10 most exploited vulnerabilities from 2016 to 2019.