Attackers actively exploiting Apache Struts Vulnerability
What is Apache Struts?
What is MVC Framework?
- Model represents data.
- View displays model data & sends user actions to controller.
- Controller interprets user input and converts it to commands for the Model/View.
How to configure Struts?
Actions are accessed using Request-URIs as below:
Is it Vulnerable?
- The flag alwaysSelectFullNamespace is set to true in the Struts configuration. Note that this is set to true if your application uses the popular Struts Convention plugin.
- The application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”). This applies to actions and namespaces specified in the Struts configuration file, but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.
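One way to check a `struts.xml` for the two conditions above, as an added example (not code from the original article or from SonicWall). The sample configuration is constructed, the `convention_plugin` parameter is an assumption supplied by the caller, and namespaces declared in Java code through the Convention plugin are not inspected.

```python
import xml.etree.ElementTree as ET

FLAG = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample struts.xml (not from the original article).
SAMPLE = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="shop" extends="struts-default">
    <action name="cart" class="example.CartAction"/>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="help" class="example.HelpAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="users" class="example.UsersAction"/>
  </package>
</struts>"""


def audit_struts_config(xml_text, convention_plugin=False):
    """Return (flag_enabled, risky_actions) for one struts.xml document."""
    root = ET.fromstring(xml_text)
    # Condition 1: the Convention plugin turns the flag on; an explicit
    # constant in struts.xml takes precedence over that default.
    flag_enabled = convention_plugin
    for const in root.iter("constant"):
        if const.get("name") == FLAG:
            flag_enabled = const.get("value", "").strip().lower() == "true"
    # Condition 2: actions in a package with no namespace or a wildcard one.
    risky = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or not ns.strip() or "*" in ns:
            for action in pkg.iter("action"):
                risky.append((pkg.get("name"), ns, action.get("name")))
    return flag_enabled, risky


def is_exposed(xml_text, convention_plugin=False):
    """True when both conditions hold for this configuration."""
    flag_enabled, risky = audit_struts_config(xml_text, convention_plugin)
    return flag_enabled and bool(risky)


if __name__ == "__main__":
    flag, risky = audit_struts_config(SAMPLE)
    print("alwaysSelectFullNamespace enabled:", flag)
    for pkg, ns, action in risky:
        print(f"package={pkg} namespace={ns!r} action={action}")
```

Packages flagged here are candidates for an explicit, non-wildcard `namespace` attribute; the `/admin` package in the sample is not reported because its namespace is fixed.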
How to exploit?
OGNL is the exploit payload here. OGNL (Object-Graph Navigation Language) is an open-source Expression Language (EL) for Java, which, while using simpler expressions than the full range of those supported by the Java language, allows getting and setting properties, and execution of methods of Java classes.
SonicWall has observed a huge spike in detections in the last few days. Some of our Apache OGNL signatures have provided protection to our customers even before public disclosure was made.
SonicWall Threat Research Lab provides protection against this exploit with the following signatures:
- IPS 9955: Apache Struts OGNL Wildcard Remote Code Execution 1
- IPS 8479: Apache Struts OGNL Wildcard Remote Code Execution 2
- IPS 13574: Apache Struts OGNL Wildcard Remote Code Execution 3
- IPS 13575: Apache Struts OGNL Wildcard Remote Code Execution 4
- IPS 13576: Apache Struts OGNL Wildcard Remote Code Execution 5
- WAF 1681: EXEC Statement (Possible SQL Injection)
- WAF 9011: System Command Injection Variant 1
- WAF 9010: System Command Access