Apache Struts 2 is a critical component: an extensible framework for creating enterprise Java web applications that helps developers build websites using Java technology and already powers billions of web servers worldwide, including government, banking and corporate websites. A serious flaw has been found, named S2-020. This flaw allows attackers to steal data stored on web servers, such as passwords, other sensitive information, and credit/debit card details.

Last week Apache released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts up to version 2.3.16.1 did not fully fix the vulnerability, which may result in Remote Code Execution via ClassLoader manipulation (CVE-2014-0094) or DoS attacks (CVE-2014-0050).

According to Apache, in Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved [on March 2]. Unfortunately, the correction was not sufficient. Once the release is available, all Struts 2 users are strongly recommended to update their installations.

Impact: Remote Code Execution via ClassLoader manipulation, and DoS attacks

Affected Software: Apache Struts 2.0.0 – 2.3.16.1

Security Fix Release: Two security issues were solved with this release; all developers are strongly advised to apply it.

  1. S2-020 ClassLoader manipulation via request parameters
  2. S2-020 Commons FileUpload library was upgraded to version 1.3.1 to prevent DoS attacks

Until the release is available, all Struts 2 users are strongly recommended to apply the mitigation workaround, as found here.
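The workaround Apache describes keeps request parameters that traverse the `class` property from ever being bound to an action. The following is an added illustration, not Apache's own code or its published pattern: a parameter-name filter in the spirit of the ParametersInterceptor exclusion mechanism, run over a constructed sample request. The exclusion regex and all parameter names are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Illustrative exclusion pattern (an assumption, not Apache's published regex).
# It rejects any parameter whose name reaches the bean property "class" at the
# start of the name, after a dot, or in OGNL-style bracket form ['class'] / ["class"],
# regardless of case: anything below "class" leads to getClass().getClassLoader().
EXCLUDE_PATTERN = re.compile(r"""(^|\.|\[['"])class(\.|\[|['"]\])""", re.IGNORECASE)


def is_excluded(param_name: str) -> bool:
    """Return True if the parameter name must not be bound to the action."""
    return EXCLUDE_PATTERN.search(param_name) is not None


def filter_params(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split a request's parameters into those safe to bind and those rejected."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in params.items():
        if is_excluded(name):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected


# Constructed sample request: ordinary form fields plus names that traverse "class".
SAMPLE_REQUEST = {
    "username": "alice",
    "order.items[0].qty": "2",
    "classification": "public",        # legitimate field; "class" is only a prefix
    "class.classLoader.foo": "x",      # dotted traversal into the ClassLoader
    "Class.classLoader.foo": "x",      # same traversal, different case
    "['class'].classLoader.foo": "x",  # bracket notation for the same property
    "order.items[0].class.foo": "x",   # traversal nested under a normal property
}

if __name__ == "__main__":
    bound, dropped = filter_params(SAMPLE_REQUEST)
    print("bound:", sorted(bound))
    print("rejected:", dropped)
```

A filter that only matched the literal lowercase prefix `class.` would let the last three sample names through, which is why the pattern checks case and both dot and bracket notation.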

MITIGATION STRATEGIES:

  • Please prepare for upgrading all Struts 2 based production systems to the new release version once available.
  • Discuss DoS/DDoS mitigation strategies with your upstream provider and ensure they are aware of this threat.
  • Ensure your IT and IT Security staff are prepared and know what they need to do in the event of attack.
  • Ensure all operating systems, kernels, and installed software have the latest security patches and antivirus definitions.
  • Ensure all web servers are patched, configured to minimize the impact of DoS/DDoS attacks, and hardened against external threats.
  • Utilize Web Application Firewalls as a front-line defense against attacks.
  • Remove unnecessary software and disable unnecessary services to reduce the attack surface.
  • Utilize a firewall such as iptables together with TCP Wrappers; block all unnecessary network connections and services, allowing only the connections and services you need.
  • Encrypt transmitted data whenever possible, using passwords or keys/certificates.
  • Disallow root login via SSH; instead, log in as a normal user and su to root if necessary. Adjust sshd_config to allow only SSH version 2.
  • To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  • Memory-protection schemes (such as non-executable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.
Reference: Apache Software Foundation, Symantec.