The purpose of this bulletin is to bring attention to a recently disclosed critical-severity vulnerability in the open-source web application framework Apache Struts.
As the vulnerability allows Threat Actors to perform unauthenticated Remote Code Execution (RCE), the Triskele Labs team advises that all organisations using this framework follow the remediation steps outlined in the subsequent sections.
This vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) base score of 9.8 out of 10 (Critical).
Multiple entities, including the Australian Cyber Security Centre (ACSC), have observed exploitation of this vulnerability in the wild. A Proof-of-Concept (PoC) exploit has been released publicly, which significantly lowers the skill and effort required to exploit it and correspondingly increases the risk to any exposed Apache Struts deployment at this time.
On December 7th, 2023, the Apache Software Foundation published a vulnerability disclosure impacting the versions of the Apache Struts 2 web framework listed below.
Struts 2.0.0 –> Struts 2.3.37 (End of Life)
Struts 2.5.0 –> Struts 2.5.32
Struts 6.0.0 –> Struts 6.3.0.1
The vulnerability is a path traversal: a Threat Actor can cause an uploaded file to be written outside its intended directory, and by placing a malicious file (for example a JSP web shell) where the server will execute it, achieve Remote Code Execution (RCE). From that foothold the same access can be used for data exfiltration, ransomware deployment (data encryption) or lateral movement across the network. Cisco has also published an advisory indicating that the vulnerability may be present in some of its products and that it is actively investigating the impact. A public Proof-of-Concept exploit is available.
Due to the criticality of this vulnerability and its active exploitation, servers running the Apache Struts framework should be treated as a high-value target for a Threat Actor and patched as a business priority, to prevent exfiltration of Personally Identifiable Information (PII) and other sensitive data.
Furthermore, given the active exploitation status of this vulnerability, Triskele Labs recommends conducting a Threat Hunt on these servers to identify any Indicators of Compromise (IOCs), in case the vulnerability was exploited before patching. If a server has already been exploited, patching will not remove persistence mechanisms put in place by a Threat Actor, such as web shells.
If you are running a version of Apache Struts listed as impacted by this vulnerability, Triskele Labs recommends immediately upgrading to the patched release.
In addition, Triskele Labs recommends reviewing the server's file system and logs for unusual activity, such as newly created files outside their usual locations (in particular JSP or WAR files appearing after the application was deployed), as this can indicate web shell creation, which gives a Threat Actor persistent RCE.
If unsure how to recognise web shell creation, reach out to Triskele Labs for assistance.
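The two checks described above, as an added example that is not part of the Triskele Labs bulletin: a file-system hunt for server-executable files written after a deployment-era reference file, and an access-log grep for path traversal sequences. The webapp layout, the reference file and the log lines are constructed fixtures and assumptions, not real data.

```shell
#!/bin/sh
# Added example (not from the bulletin): quick post-exploitation hunts on a
# host running Apache Struts. Directory layout and log format are assumed.

# Files under the webapp root that are newer than a reference file, for
# example the application's own WEB-INF/web.xml, which should not change after
# deployment. New .jsp/.jspx/.war files appearing this way are a classic
# web-shell indicator. Prints matching paths, one per line.
# Usage: hunt_files_newer_than WEBAPPS_DIR REFERENCE_FILE
hunt_files_newer_than() {
    find "$1" -type f -newer "$2" \
        \( -name '*.jsp' -o -name '*.jspx' -o -name '*.war' \) 2>/dev/null | sort
}

# Access-log lines whose request carries a path traversal sequence, plain or
# URL-encoded (../  ..%2f  ..%5c), matched case-insensitively.
# Usage: hunt_traversal_requests ACCESS_LOG
hunt_traversal_requests() {
    grep -iE '\.\.(/|%2f|%5c)' "$1"
}

# Self-contained demonstration on constructed fixtures (not real data).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/webapps/ROOT/WEB-INF"
    touch -t 202312010000 "$tmp/webapps/ROOT/WEB-INF/web.xml"   # deployment-era reference
    touch -t 202312010000 "$tmp/webapps/ROOT/index.jsp"         # legitimate page, same age
    touch "$tmp/webapps/ROOT/cmd.jsp"                            # written later: suspicious
    cat > "$tmp/access.log" <<'EOF'
203.0.113.10 - - [11/Dec/2023:10:01:02 +0000] "POST /upload.action HTTP/1.1" 200 512
203.0.113.10 - - [11/Dec/2023:10:01:05 +0000] "POST /upload.action?fileName=..%2F..%2Fcmd.jsp HTTP/1.1" 200 512
198.51.100.7 - - [11/Dec/2023:10:02:11 +0000] "GET /index.jsp HTTP/1.1" 200 2048
EOF
    echo "== files newer than web.xml =="
    hunt_files_newer_than "$tmp/webapps" "$tmp/webapps/ROOT/WEB-INF/web.xml"
    echo "== requests with traversal sequences =="
    hunt_traversal_requests "$tmp/access.log"
    rm -rf "$tmp"
}

demo
```

A hit from either function is a lead, not proof: confirm by inspecting the file contents (web shells are usually small JSPs that call Runtime.exec or a process builder) and by correlating the file's timestamp with the request that created it. Attackers can also backdate file timestamps, so combine this with the log review rather than relying on it alone.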
Triskele Labs is able to run targeted scans on servers running Apache Struts to identify impacted environments. If you are unsure whether your products are vulnerable, please reach out. Several vulnerability scanning solutions have also implemented detection signatures for this vulnerability.
Organisations can check their Apache Struts instances for version information using the following directions provided by the ACSC:
The presence of the following files inside Tomcat subdirectories may help identify whether Struts is deployed, where X denotes the version currently in use.
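An added example (not from the bulletin or the ACSC) of turning that version check into a script: it inventories struts2-core-X.jar files under each application's WEB-INF/lib and flags versions inside the affected ranges from the Apache disclosure. The Tomcat path and the jar names in the demonstration are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the bulletin): inventory Struts 2 core jars under a
# Tomcat webapps directory and flag versions in the affected ranges.

# Compare two dotted numeric versions; prints -1, 0 or 1.
# Versions are padded so that "2.5.30" and "6.3.0.1" compare field by field.
vercmp() {
    a=$1.0.0.0; b=$2.0.0.0
    i=0
    while [ $i -lt 4 ]; do
        x=${a%%.*}; y=${b%%.*}
        a=${a#*.};  b=${b#*.}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1;  return; fi
        i=$((i + 1))
    done
    echo 0
}

# in_range VERSION LOW HIGH: succeeds when LOW <= VERSION <= HIGH.
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# Affected ranges as published in the Apache disclosure.
is_affected() {
    in_range "$1" 2.0.0 2.3.37 || in_range "$1" 2.5.0 2.5.32 || in_range "$1" 6.0.0 6.3.0.1
}

# Path of an exploded webapp's struts2-core jar -> its version string.
jar_version() {
    v=${1##*/struts2-core-}
    echo "${v%.jar}"
}

# List struts2-core jars found in any WEB-INF/lib below WEBAPPS_DIR.
struts_jars() {
    find "$1" -type f -path '*/WEB-INF/lib/struts2-core-*.jar' 2>/dev/null | sort
}

# One line per jar: "<path> <version> AFFECTED|ok".
report() {
    struts_jars "$1" | while read -r jar; do
        ver=$(jar_version "$jar")
        if is_affected "$ver"; then echo "$jar $ver AFFECTED"; else echo "$jar $ver ok"; fi
    done
}

# Demonstration on a constructed directory tree (assumed Tomcat layout).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/webapps/legacy/WEB-INF/lib" "$tmp/webapps/portal/WEB-INF/lib"
    touch "$tmp/webapps/legacy/WEB-INF/lib/struts2-core-2.5.30.jar"   # inside 2.5.0-2.5.32
    touch "$tmp/webapps/portal/WEB-INF/lib/struts2-core-6.3.0.2.jar"  # first fixed 6.x release
    report "$tmp/webapps"
    rm -rf "$tmp"
}

demo
```

This only sees exploded applications; for packed .war files still sitting in webapps, list their contents (for example with unzip -l) and apply the same version test. Applications that bundle Struts under a different name, or vendor products that embed it (as in the Cisco advisory), need the vendor's own guidance rather than this file check.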
Triskele Labs DefenceShield customers with the Assess service (Vulnerability Scanning) are currently being assessed for this vulnerability. All customers with the Monitor service (24x7x365 SIEM) are, as always, being monitored for IOCs and any other suspicious activity.