On Wednesday, August 22nd, the Apache team patched another vulnerability in the Apache Struts2 framework. Apache Struts is an open-source web application framework for developing Java web applications. The vulnerability exists when these conditions are met:
- The alwaysSelectFullNamespace flag setting is set to true in the Struts configuration.
- The Struts configuration file contains an <action ...> tag that does not specify either the optional namespace attribute or a wildcard namespace.
The impacted versions are Struts 2.3 - Struts 2.3.34 and Struts 2.5 - Struts 2.5.16 of the Apache Struts framework. If you are currently running an affected version, malicious users could execute code on the system remotely by injecting a custom namespace parameter via HTTP request. The user supplied value of that parameter is not sufficiently validated by the Struts framework. Successful exploitation does not require the user to be authenticated. Apache has classified the vulnerability as a "possible remote code execution"; however, the vulnerability is easy to exploit and allows code to be executed using the user context of the account running the Tomcat server. Multiple working exploits have been publicly disclosed.
For more detailed information on the vulnerability, please refer to Apache's advisory:
Exploits are publicly available and successful exploitation of this vulnerability has been observed in the wild.
What you can do now
Apache indicates that upgrading Apache Struts to version 2.3.35 or Struts 2.5.17 will fix the current vulnerability. Apache recommends that users, "Verify that you have set (and always not forgot to set) namespace (if is applicable) for your all defined results in underlying configurations. Also verify that you have set (and always not forgot to set) value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace."
How Akamai protects you
Kona Site Defender (KSD) customers can enable Kona Rule Set (KRS) Rule 3000014 which has been updated to provide protection from exploitation of this vulnerability. A KRS upgrade is not required.
Web Application Protector (WAP) Command Injection (CMDi) protection group has been updated to provide protection from exploitation of this vulnerability
For both KSD and WAP, it is recommended to put the rule and protection group respectively in DENY mode.
If you have any questions about these rules, do not hesitate to reach out to your account manager or professional services contact for clarification.
You may be at risk if your site utilizes Apache's Struts2 framework. This includes sites that rely on third-party inclusions from sites that use Struts applications. If you're using Struts2 for any aspect of your web presence and want to know more, Apache has disclosed the details of vulnerability here: https://cwiki.apache.org/confluence/display/WW/S2-045
System administrators and owners should protect and patch any vulnerable Struts instances as soon as possible, as described above. This vulnerability is easy to exploit and attempts at doing so have risen dramatically in the past few hours.