Watch Out! Another Nasty Apache Struts Vulnerability Has Been Disclosed!

Here we go again! Today, a brand new Apache Struts vulnerability (CVE 2018-11776) has been disclosed that can result in remote code execution. Sure, the patch is out there, but this one is a CVSSv2 10.0 or “Critical” issue which for many organization this should mean it is a full stop, all hands on deck to get things patched. While full technical details are minimal so far, we have managed to aggregate some useful info for our VulnDB customers.

Even though this issue has just been disclosed, VulnDB already has rated the ‘Social Risk Score’ is as High. This means that based on the already strong social media presence discussing the vulnerability, the odds of active exploitation will be higher than average. You may also notice that we currently classify this as “Exploit Unknown”. In reality, we’re fairly sure that a proof-of-concept exists for this, that was shared with the Apache team as part of the initial disclosure to them. When we see evidence of a public proof-of-concept, a full working exploit, or active exploitation, this will be updated. [8/23 Update: A working exploit was published within 24 hours of disclosure!] An important aspect of vulnerability intelligence is not just getting the information out there quickly, but to keep it updated with the latest details.

It is a shame that we feel the need to blog about yet another critical vulnerability, since every organization should have a reliable vulnerability intelligence feed. Unfortunately, this disclosure reminds us of last year, when Equifax was compromised due to a vulnerability in the same software (dubbed ‘Struts-shock’). We blogged extensively on that incident since it hit the world of vulnerability disclosure and data breaches, our two specialties. Like last year’s vulnerability, the disclosure today is almost identical as far as the severity, software affected, and potential for organizations to get hit hard.

When we say “another critical vulnerability”, we refer to the fact there have been 1,426 vulnerabilities disclosed in 2018 alone, with a CVSSv2 score of 10.0. While many of those scores are simply due to a lack of details and CVSS guidelines that say “score for the worst impact”, many of them are truly critical. Even worse, 500 of those vulnerabilities don’t even have a CVE ID. Organizations relying on CVE or NVD will find themselves hard-pressed to properly manage risk. Fortunately for those organizations, this new Apache Struts vulnerability does have a CVE ID, and MITRE has already opened it up in their database! Unfortunately, NVD has it marked as ‘RECEIVED’ which means it is “has been received by the NVD and has not been analyzed”. Due to their backlog, vulnerabilities in this status can take up to 12 weeks before being “analyzed”, which means NVD assigns CPE and CVSS information to it.

The headlines last year roasted Equifax over the breach because the vulnerability used to compromise them was publicly known for weeks before they patched. It is easy to jump on the bandwagon and hate on Equifax, but it is important to remember that they were just one of 3,813 organizations that suffered a data breach last year as a result of external hacks! This year, our CRA team is already tracking 1,419 breaches due to external hacking.

For organizations who may say “well we don’t use Apache Struts, we’re safe!”, we want to remind you that Apache Struts is a third-party library of sorts and can be found in numerous high-profile products. Last year’s ‘Struts-shock’ vulnerability ended up impacting a wide variety of software including:

  • Atlassian Bamboo, Crowd, and Hipchat
  • Cisco Identity Services Engine, Prime License Manager, MediaSense, SocialMiner, Unified Communications Manager products, and many more.
  • Hitachi HiRDB products
  • IBM Connections, SAN Volume Controller, Storwize products, and more
  • MicroFocus Universal CMDB Foundation
  • Oracle Financial Services products and many more
  • VMware vCenter Server and more

This type of vulnerability is a great reminder that using asset-based inventory for vulnerability tracking, especially in large organizations, is incredibly more efficient than classic vulnerability scans. That approach, leveraging a timely and robust vulnerability intelligence feed, will allow your organization to more quickly respond to threats and manage risk.

Would you like to know more? =)