
How to remediate – Apache Struts 2.3.x Struts 1 plugin RCE (remote)

1. Introduction

The Apache Struts 2.3.x Struts 1 plugin contains a remote code execution vulnerability, allowing an attacker to execute arbitrary code on affected servers. This impacts businesses by potentially compromising server confidentiality, integrity, and availability. Web applications using the vulnerable Java framework are typically affected. A successful exploit could lead to complete system takeover.

2. Technical Explanation

The vulnerability in the Struts 1 plugin allows remote code execution via a malicious field value passed within an ActionMessage object. An attacker can inject code into this message, which is then executed by the server when processing the request. The vulnerability exists because of insufficient validation of user-supplied data. CVE-2017-9791 describes this issue.

  • Root cause: Lack of proper input validation on ActionMessage objects within the Struts 1 plugin.
  • Exploit mechanism: An attacker sends a crafted HTTP request containing a malicious payload in an ActionMessage field, triggering remote code execution. For example, sending a specially formatted form submission with a harmful OGNL expression.
  • Scope: Apache Struts 2.3.x using the Struts 1 plugin is affected.

3. Detection and Assessment

To confirm whether you are affected, check your Struts version and determine whether the Struts 1 plugin is in use. A more thorough method is to review the application's dependencies for the vulnerable libraries.

  • Quick checks: Check the struts.xml file for references to the Struts 1 plugin or related classes.
  • Scanning: Nessus, OpenVAS, and other vulnerability scanners may identify this issue (tracked as SecurityFocus BID 99484). Scanner results should be verified manually.
  • Logs and evidence: Look for suspicious activity in application logs related to ActionMessage processing or OGNL expression evaluation.
# Search the deployed webapp for references to the Struts 1 plugin classes
grep -r "Struts1Validator" /path/to/webapp
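As an added example (not part of the original article), the following POSIX shell script inventories deployed webapps for the Struts 2 core jar and the Struts 1 plugin jar under WEB-INF/lib and flags the combination this article scopes as affected, Struts 2.3.x with the plugin present; the same check can be re-run after remediation. It assumes the standard Maven artifact names struts2-core-<version>.jar and struts2-struts1-plugin-<version>.jar, and the directory layout it builds is constructed for demonstration only.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the standard Maven jar names
# struts2-core-<version>.jar and struts2-struts1-plugin-<version>.jar under WEB-INF/lib.

# Print one line per webapp that ships struts2-core: "<webapp dir> <core version> <plugin: yes|no>".
struts_inventory() {
    find "$1" -type f -name 'struts2-core-*.jar' 2>/dev/null | while read -r core; do
        lib=$(dirname "$core")
        ver=$(basename "$core" .jar | sed 's/^struts2-core-//')
        if ls "$lib"/struts2-struts1-plugin-*.jar >/dev/null 2>&1; then plugin=yes; else plugin=no; fi
        printf '%s %s %s\n' "$(dirname "$(dirname "$lib")")" "$ver" "$plugin"
    done
}

# Exit 0 when the tree under $1 contains a webapp in scope for S2-048 (Struts 2.3.x plus the plugin),
# exit 1 otherwise, so the function can gate a CI job or a post-fix re-test.
is_affected() {
    struts_inventory "$1" | awk '$2 ~ /^2\.3\./ && $3 == "yes" { found = 1 } END { exit found ? 0 : 1 }'
}

# Number of webapps reported by struts_inventory for the given root.
inventory_count() {
    struts_inventory "$1" | awk 'END { print NR }'
}

# Constructed demonstration layout: two webapps under one container root.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/app-a/WEB-INF/lib" "$demo_root/app-b/WEB-INF/lib"
: > "$demo_root/app-a/WEB-INF/lib/struts2-core-2.3.31.jar"            # 2.3.x core ...
: > "$demo_root/app-a/WEB-INF/lib/struts2-struts1-plugin-2.3.31.jar"  # ... with the plugin: in scope
: > "$demo_root/app-b/WEB-INF/lib/struts2-core-2.5.10.jar"            # no plugin and not 2.3.x

struts_inventory "$demo_root"
if is_affected "$demo_root"; then echo "AFFECTED: Struts 2.3.x with the Struts 1 plugin found"; fi
```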

4. Solution / Remediation Steps

Apply the mitigation options recommended by Apache in advisory S2-048. Depending on your environment this may involve upgrading Struts, removing the plugin, or applying specific patches.

4.1 Preparation

4.2 Implementation

  1. Step 1: Refer to http://struts.apache.org/docs/s2-048.html and determine the appropriate mitigation strategy for your environment.
  2. Step 2: If possible, upgrade to a newer version of Struts that does not have this vulnerability.
  3. Step 3: Alternatively, remove the Struts 1 plugin if it is not required by your application.

4.3 Config or Code Example

Before

<plugin name="struts1" className="org.apache.struts1.Struts1Plugin"/>

After (the plugin element is removed; no replacement line is needed)

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this type of vulnerability. Least privilege reduces impact if exploited, and input validation blocks unsafe data.

  • Practice 1: Implement least privilege principles for application accounts. Limit the permissions granted to the web application user to reduce the potential damage from a successful exploit.
  • Practice 2: Enforce strict input validation on all user-supplied data, including form submissions and API requests. Sanitize or reject any input that does not conform to expected formats.

4.5 Automation (Optional)

# Example Bash script to remove the Struts 1 plugin configuration from struts.xml
# (keeps a .bak copy of each edited file so the change can be rolled back; note that
# the pattern deletes every line containing "struts1", so review the files first)
find /path/to/webapps -name "struts.xml" -exec sed -i.bak '/struts1/d' {} \;

5. Verification / Validation

Confirm the fix by verifying that the Struts 1 plugin is no longer loaded and re-running the earlier detection methods. Perform a smoke test to ensure core application functionality remains intact.

  • Post-fix check: Verify that the `struts1` plugin configuration line has been removed from all struts.xml files.
  • Re-test: Re-run the grep command from the Detection and Assessment section; it should return no results.
  • Smoke test: Test key application features, such as user login, data submission, and report generation, to ensure they are functioning correctly.
  • Monitoring: Monitor application logs for any errors related to Struts or ActionMessage processing.
grep -r "Struts1Validator" /path/to/webapp

6. Preventive Measures and Monitoring

Update security baselines to include this vulnerability, and add checks in CI pipelines to prevent similar issues. A sensible patch or config review cycle fits the risk.

  • Baselines: Update your security baseline or policy to require regular patching of Java frameworks like Struts. Consider using a CIS control for Java web application security.
  • Asset and patch process: Implement a regular patch review cycle for all critical software components, including Java frameworks.

7. Risks, Side Effects, and Roll Back

Removing the Struts 1 plugin may break application functionality if it is still in use. Restore from backup or revert configuration changes to roll back.

  • Roll back: 1) Restore the original struts.xml file from backup. 2) Restart the web application server.

8. References and Resources

Updated on October 26, 2025
