
Emerging Threat: Apache Struts Zero-Day (CVE-2014-0050, 0094) DoS and Remote Code Execution Vulnerability

Created: 28 Apr 2014 • Updated: 03 Jun 2014


EXECUTIVE SUMMARY:

On April 24, 2014, the Apache Software Foundation (ASF) (http://www.apache.org) released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts (versions up to 2.3.16.1) did not fully patch the vulnerability, which may result in Remote Code Execution via ClassLoader manipulation (CVE-2014-0094) or DoS attacks (CVE-2014-0050).

[Apache] Struts is an extensible framework used for creating enterprise Java Web applications.

According to Apache, in Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved [on March 2]. Unfortunately, the correction (Apache Struts Security Bulletin S2-020) was not sufficient.  A security fix release fully addressing this issue is in preparation and will be released as soon as possible [likely within 72 hours as per the Apache Struts team].

Once the release is available, all [Apache] Struts 2 users are strongly recommended to update their installations.


THREAT TECHNICAL DETAILS:

In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, the correction was not sufficient.  A security fix release fully addressing this issue is in preparation and will be released as soon as possible.

The default file upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3, which is vulnerable and allows DoS attacks. Additionally, the ParametersInterceptor allows access to the 'class' request parameter, which is mapped directly to the getClass() method and therefore allows ClassLoader manipulation.
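To make the ParametersInterceptor point concrete, the following added example (written for this advisory, not code from the Apache Struts project) models the excludeParams approach that Struts uses to drop request parameters before they are evaluated: a comma-separated list of regular expressions on the "params" interceptor in struts.xml, where a parameter name that fully matches any expression is discarded. The two pattern sets are constructed for illustration and are not the exact text of the Apache-published mitigation; the sample parameter names are likewise constructed. The first set is a narrow, lowercase-only pattern in the spirit of the original March fix; the second widens it to case variants and OGNL bracket/quote forms, which is the kind of coverage check a practitioner should run against whatever regex they actually deploy from the Struts announcement.

```python
import re

# Constructed illustration of the Struts 2 "excludeParams" mechanism.
# Struts tests each parameter name against every regex with matches(),
# i.e. a full-string match, so re.fullmatch is used here for the same effect.
# These expressions are written for this example (assumption), not copied
# from the Apache mitigation; use the vendor's regex in a real deployment.

# Narrow pattern: only a literal lowercase "class." at the start or after a dot.
NARROW_EXCLUDES = [
    r"(.*\.|^)class\..*",
]

# Broader pattern: "class"/"Class" reached directly, after a dot, or through
# OGNL bracket/quote notation, plus the long-standing Struts default exclusions.
BROAD_EXCLUDES = [
    r"(.*\.|^|.*\[['\"])[cC]lass(\.|['\"]\]|\[).*",
    r"^dojo\..*",
    r"^struts\..*",
    r"^session\..*",
    r"^request\..*",
    r"^application\..*",
    r"^servlet(Request|Response)\..*",
    r"^parameters\..*",
    r"^action:.*",
    r"^method:.*",
]


def is_excluded(param_name, patterns):
    """True if param_name fully matches any exclusion regex."""
    return any(re.fullmatch(p, param_name) for p in patterns)


def filter_params(params, patterns):
    """Split a dict of request parameters into (accepted, rejected) name lists."""
    accepted, rejected = [], []
    for name in params:
        (rejected if is_excluded(name, patterns) else accepted).append(name)
    return accepted, rejected


# Constructed sample parameters: ordinary form fields plus names that would
# navigate to getClass() through OGNL property access (assumed names).
SAMPLE_PARAMS = {
    "username": "alice",
    "user.email": "alice@example.test",
    "class.classLoader.example": "x",
    "Class.classLoader.example": "x",
    "['class'].classLoader.example": "x",
    "user.class.classLoader.example": "x",
}

if __name__ == "__main__":
    for label, pats in (("narrow", NARROW_EXCLUDES), ("broad", BROAD_EXCLUDES)):
        ok, bad = filter_params(SAMPLE_PARAMS, pats)
        print(f"{label}: accepted={ok}")
        print(f"{label}: rejected={bad}")
```

Running it shows the narrow set letting the capitalised and bracketed names through while the broad set rejects all four class-navigating names and keeps the two ordinary fields; the same harness can be pointed at the regex copied from the Struts announcement to confirm it behaves the same way before it is rolled out.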


2 March 2014 - Struts 2.3.16.1 General Availability Release - Security Fix Release

The Apache Struts group is pleased to announce that Struts 2.3.15.2 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.

The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Two security issues were solved with this release:

  • S2-020  ClassLoader manipulation via request parameters
  • S2-020  Commons FileUpload library was upgraded to version 1.3.1 to prevent DoS attacks

All developers are strongly advised to perform this upgrade.


Until the release is available, all Struts 2 users are strongly recommended to apply the mitigation workaround published by Apache at http://struts.apache.org/announce.html#a20140424.

Please follow the Apache Struts Announcements to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours. Please prepare for upgrading all Struts 2 based production systems to the new release version once available.


IMPACT:

  • Remote Code Execution via ClassLoader manipulation, and DoS attacks


AFFECTED SOFTWARE:

  • Apache Struts 2.0.0 - 2.3.16.1


SYMANTEC MSS SOC DETECTION CAPABILITIES:

For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation.  If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, we can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.

For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.

Vendor Detection

  • Fortinet
  • ISS
  • Nitro IDS
  • Palo Alto
  • Snort/Emerging Threats (ET)
  • Snort/SourceFire VRT

This list of detection capabilities represents a snapshot of current detection.  Symantec MSS stands ready to provide security monitoring once additional vendors or additional detection is identified and enabled on your monitored devices.  As threats evolve, detection capabilities for those threats can and will evolve and increase as well.
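Vendor IDS signatures are the primary detection path above, but a team that has web server access logs can run a retrospective check of its own. The following added example (written for this advisory, not a Symantec or Apache tool) scans constructed Common Log Format lines, URL-decodes the query string of each request, and flags any parameter whose name navigates through a "class" segment to "classLoader", which is the request-parameter path the technical details section describes. The log lines, IP addresses and parameter names are all constructed for the example; the decoding step matters because a percent-encoded dot would otherwise hide the same name from a naive substring search.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Common Log Format lines; not real traffic. The third line uses a
# percent-encoded dot (%2E) so the parameter name only becomes visible after decoding.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2014:10:01:02 +0000] "GET /app/login.action?username=alice&password=secret HTTP/1.1" 200 512
10.0.0.6 - - [25/Apr/2014:10:01:07 +0000] "GET /app/login.action?class.classLoader.example=1 HTTP/1.1" 200 512
10.0.0.7 - - [25/Apr/2014:10:01:09 +0000] "GET /app/index.action?Class%2EclassLoader.example=1 HTTP/1.1" 200 512
10.0.0.8 - - [25/Apr/2014:10:01:11 +0000] "GET /app/search.action?q=classroom+schedule HTTP/1.1" 200 512
"""

# Minimal CLF parser: client IP, timestamp, request method/target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# A parameter name is suspicious when a dot/bracket-delimited segment is
# "class" (any case) and a later part of the name is "classLoader".
# Only names are inspected, so a value such as "classroom" is not flagged.
SUSPICIOUS_RE = re.compile(r"(^|[.\[\"'])class([.\]\"']|$).*classloader", re.IGNORECASE)


def param_names(target):
    """Return the decoded parameter names from a request target's query string."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def scan_log(text):
    """Return (ip, timestamp, parameter_name) for each request with a suspicious parameter name."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        for name in param_names(m.group("target")):
            if SUSPICIOUS_RE.search(name):
                hits.append((m.group("ip"), m.group("ts"), name))
    return hits


if __name__ == "__main__":
    for ip, ts, name in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious parameter name: {name}")
```

On the sample input the second and third lines are reported and the first and fourth are not; in practice the same function can be fed a live access log, and any hit against a Struts application that has not yet been upgraded or had the excludeParams mitigation applied should be treated as an incident lead rather than noise.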


MITIGATION STRATEGIES:

  • Until the updated release is available, all Struts 2 users are strongly recommended to apply the following mitigation:  http://struts.apache.org/announce.html#a20140424
  • Please follow the Apache Struts Announcements to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours.
  • Please prepare for upgrading all Struts 2 based production systems to the new release version once available.
  • Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
  • Discuss DoS/DDoS mitigation strategies with your upstream provider and ensure they are aware of this threat.
  • Ensure your IT and IT Security staff are prepared and know what they need to do in the event of attack.
  • Ensure all operating systems, kernels, and installed software have the latest security patches and antivirus definitions.
  • Ensure all web servers are patched, configured to minimize the impact of DoS/DDoS attacks, and hardened against external threats.
  • Utilize Web Application Firewalls as a front-line defense against attacks.
  • Remove unnecessary software and disable unnecessary services to reduce the attack surface.
  • Utilize a host firewall such as iptables together with TCP Wrappers; block all unnecessary network connections and services, allowing only the connections and services you need.
  • Encrypt transmitted data whenever possible, using passwords or keys/certificates.
  • Disallow root login via SSH; instead, log in as a normal user and su to root if necessary.  Adjust sshd_config to allow only SSH protocol version 2.
  • To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  • Memory-protection schemes (such as non-executable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.
  • Symantec encourages users to apply all relevant patches when they are available.


REFERENCES:

  • Apache Software Foundation - Struts Announcements - 24 April 2014 - Struts 2.0.0 to 2.3.16.1: Zero-Day Exploit Mitigation
  • Apache Struts Security Bulletin S2-020 (For March 2 original patch)
  • Apache Commons - Apache Commons FileUpload
  • SANS InfoSec Handlers Diary Blog - Apache Struts Zero Day and Mitigation
  • ThreatPost - Apache Warns of Faulty Zero Day Patch for Struts


Update #1

A patch has been released to fix this vulnerability:

24 April 2014 - Struts 2.3.16.2 General Availability Release - Security Fix Release

The Apache Struts group is pleased to announce that Struts 2.3.16.2 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Two security issues were solved with this release:

  • S2-021  Improves excluded params to avoid ClassLoader manipulation via ParametersInterceptor
  • S2-021  Adds excluded params to CookieInterceptor to avoid ClassLoader manipulation when the interceptor is configured to accept all cookie names (wildcard matching via "*")