Attacker Value
High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2018-11776

Disclosure Date: August 22, 2018
CVE-2018-11776
Exploited in the Wild
Reported by gwillcox-r7
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn’t have value and action set and in same time, its upper package have no or wildcard namespace.

Add Assessment

3
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Common in enterpriseDifficult to patchEasy to weaponizeUnauthenticated
Technical Analysis

This vulnerability exists within the Apache Struts OGNL method dispatch routine. An attacker can submit a specially crafted HTTP request to a vulnerable web server. Specifically an attacker can taint the name parameter passed to OgnlUtil::getValue().

Exploitation of this vulnerability would lead to code execution within the context of the Java process powering the server. An indicator of compromise will be present in the logs at the DEBUG level. This IOC will look like a malformed value in the Executing action method = message.

The default configuration is not vulnerable. The alwaysSelectFullNamespace option must be enabled. This can be done by adding <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" /> to the struts.xml configuration file.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Apache Struts 2.3 to 2.3.34
Apache Struts 2.5 to 2.5.16
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
exploit/multi/http/struts2_namespace_ognl
Reporter
Unknown

Vendors

  • apache

Products

  • struts

Exploited in the Wild

Reported by:

References

Canonical
CVE-2018-11776 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776)
BID-105125 (http://www.securityfocus.com/bid/105125)
Advisory
SECTRACK-1041888 (http://www.securitytracker.com/id/1041888)
EXPLOIT-DB-45367 (https://www.exploit-db.com/exploits/45367)
EXPLOIT-DB-45262 (https://www.exploit-db.com/exploits/45262)
SECTRACK-1041547 (http://www.securitytracker.com/id/1041547)
EXPLOIT-DB-45260 (https://www.exploit-db.com/exploits/45260)
[announce] 20200131 Apache Software Foundation Security Report: 2019 (https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E)
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://security.netapp.com/advisory/ntap-20181018-0002
https://cwiki.apache.org/confluence/display/WW/S2-057
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012
http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html
https://security.netapp.com/advisory/ntap-20180822-0001
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt
EXPLOIT-DB-45367 (https://www.exploit-db.com/exploits/45367/)
EXPLOIT-DB-45262 (https://www.exploit-db.com/exploits/45262/)
EXPLOIT-DB-45260 (https://www.exploit-db.com/exploits/45260/)
https://security.netapp.com/advisory/ntap-20181018-0002/
https://security.netapp.com/advisory/ntap-20180822-0001/
Miscellaneous
https://www.oracle.com/security-alerts/cpujul2020.html
https://lgtm.com/blog/apache_struts_CVE-2018-11776
https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis