Avoid package configuration having no or wildcard namespace with Struts2 | CAST Appmarq

Avoid package configuration having no or wildcard namespace with Struts2

CRITICAL

Rule Definition
Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit. A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.

Remediation
This new remote code execution vulnerability affects all supported versions of Apache Struts 2.
- Users of Struts 2.3 are strongly advised to upgrade to 2.3.35
- Users of Struts 2.5 need to upgrade to 2.5.17.

Violation Code Sample
For example, the following struts.xml configuration is potentially vulnerable because no namespace is specified:

<struts>
  <package> <!-- no namespace is specified -->
    <action name="a1">
      <result type="redirectAction">
        <param name="actionName">a2.action</param>
      </result>
    </action>
  </package>
</struts>

<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" /> <!-- alwaysSelectFullNamespace set to true -->
  ...

--------------------

For example, the following struts.xml configuration is potentially vulnerable because a wildcard namespace is used:

<struts>
  <package name="mypackage1" namespace="/*"> <!-- wildcard namespace -->
    <action name="a1">
      <result type="redirectAction">
        <param name="actionName">a2.action</param>
      </result>
    </action>
  </package>
</struts>

<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" /> <!-- alwaysSelectFullNamespace set to true -->
  ...

Fixed Code Sample
This new remote code execution vulnerability affects all supported versions of Apache Struts 2. 
- Users of Struts 2.3 are strongly advised to upgrade to 2.3.35
- Users of Struts 2.5 need to upgrade to 2.5.17.
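The two violation samples above share one condition: a package with no, empty or wildcard namespace while struts.mapper.alwaysSelectFullNamespace is true. The following checker is an added example, not CAST's rule implementation or Apache Struts code; it parses a struts.xml, flags packages meeting that condition, and is run against a constructed vulnerable configuration and its fixed counterpart (explicit namespaces on every package).

```python
import xml.etree.ElementTree as ET

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"

def always_select_full_namespace(root):
    """True if any <constant> sets alwaysSelectFullNamespace to true."""
    return any(
        c.get("name") == FULL_NS_CONSTANT
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )

def find_namespace_violations(struts_xml):
    """Return [(package_name, namespace)] for every <package> that has no
    namespace, an empty namespace, or a wildcard namespace, but only when
    alwaysSelectFullNamespace is enabled (the condition this rule checks)."""
    root = ET.fromstring(struts_xml)
    if not always_select_full_namespace(root):
        return []
    violations = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or ns.strip() == "" or "*" in ns:
            violations.append((pkg.get("name", "<unnamed>"), ns))
    return violations

# Constructed sample: two violating packages and one explicitly namespaced one.
VULNERABLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="mypackage1" namespace="/*" extends="struts-default">
    <action name="a1">
      <result type="redirectAction"><param name="actionName">a2.action</param></result>
    </action>
  </package>
  <package name="mypackage2" extends="struts-default">
    <action name="b1"><result>/b1.jsp</result></action>
  </package>
  <package name="safe" namespace="/app" extends="struts-default">
    <action name="c1"><result>/c1.jsp</result></action>
  </package>
</struts>"""

# Constructed fixed sample: every package carries an explicit, non-wildcard namespace.
FIXED_STRUTS_XML = VULNERABLE_STRUTS_XML.replace('namespace="/*"', 'namespace="/one"') \
    .replace('name="mypackage2"', 'name="mypackage2" namespace="/two"')

if __name__ == "__main__":
    for name, ns in find_namespace_violations(VULNERABLE_STRUTS_XML):
        print(f"VIOLATION: package {name!r} namespace={ns!r}")
    print("fixed config violations:", find_namespace_violations(FIXED_STRUTS_XML))
```

Fixing the configuration alone does not replace the upgrade listed above; the check only locates the configurations that make an unpatched Struts 2 deployment exploitable.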

Reference
https://cwiki.apache.org/confluence/display/WW/S2-057
https://nvd.nist.gov/vuln/detail/CVE-2018-11776

Related Technologies

Health Factor

  Security


Technical Criterion
CWE-676 - Use of Potentially Dangerous Function

About CAST Appmarq

CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.
