Attacker Value
High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2018-11776

Disclosure Date: August 22, 2018
Add any MITRE ATT&CK Tactics to the list below that apply to this CVE.

Description

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn’t have value and action set and in same time, its upper package have no or wildcard namespace.

Add Assessment

3
Ratings
Technical Analysis

This vulnerability exists within the Apache Struts OGNL method dispatch routine. An attacker can submit a specially crafted HTTP request to a vulnerable web server. Specifically an attacker can taint the name parameter passed to OgnlUtil::getValue().

Exploitation of this vulnerability would lead to code execution within the context of the Java process powering the server. An indicator of compromise will be present in the logs at the DEBUG level. This IOC will look like a malformed value in the Executing action method = message.

The default configuration is not vulnerable. The alwaysSelectFullNamespace option must be enabled. This can be done by adding <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" /> to the struts.xml configuration file.

General Information

Vendors

  • Apache Software Foundation

Products

  • Apache Struts
Technical Analysis