Today's article is going to be a little more advanced. We are going to discuss Apache Struts 2 and the vulnerability found in it. This vulnerability was found in 2017, but most of us don't know about this Apache service, so I am going to give you a brief overview of it.
Apache and Struts 2
The Apache HTTP Server, colloquially called Apache, is free and open-source cross-platform web server software, released under the terms of Apache License 2.0. Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation. Now, the Apache community started a service, i.e. Apache Struts 2 (square).
Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller architecture. Struts 2 also has a history of critical security bugs, many tied to its use of OGNL technology; some of these vulnerabilities can lead to arbitrary code execution on the remote end.
The vulnerability, CVE-2017-5638, located in the Jakarta Multipart parser (the file upload system in Apache Struts 2), allows unauthenticated attackers to run arbitrary remote code on a vulnerable server by uploading a malicious code script. An attacker can exploit the flaw by sending an invalid value that causes the software to throw an exception. Instead of merely displaying the cause of the exception, the framework executes the code that the attacker added to the request.
This means an attacker can send a faulty code sample to the vulnerable application. When the framework then tries to display the error, the code added by the attacker is executed as the system user running the framework. As such, systems that run the framework as a super user will suffer more from a successful exploit.
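The following detection check is an added example, not code from the original article or from the Struts project. It flags requests whose upload-related headers carry an OGNL expression marker or a malformed media type. The header list is an assumption taken from the public Struts advisories for this CVE (the article only says "an invalid value"), and the sample requests are constructed.

```python
import re

# Headers the public advisories for CVE-2017-5638 associate with the Jakarta
# Multipart parser (assumption: the article itself does not name a header).
WATCHED = ("content-type", "content-disposition", "content-length")

# OGNL expressions are delimited by %{...} or ${...}; neither sequence
# belongs in these headers on legitimate traffic.
OGNL_MARKER = re.compile(r"[%$]\{")
# Shape of a normal media type: type/subtype plus optional ;name=value parameters.
MEDIA_TYPE = re.compile(r"^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=(\"[^\"]*\"|[^;\s]+))*$")


def inspect_request(headers):
    """Return a list of (header, reason) findings for one request."""
    findings = []
    for name, value in headers.items():
        key = name.lower()
        if key not in WATCHED:
            continue
        if OGNL_MARKER.search(value):
            findings.append((key, "ognl-expression-marker"))
        elif key == "content-type" and not MEDIA_TYPE.match(value.strip()):
            findings.append((key, "malformed-media-type"))
    return findings


def scan(requests):
    """Map request id -> findings, keeping only requests that were flagged."""
    flagged = {}
    for rid, headers in requests.items():
        found = inspect_request(headers)
        if found:
            flagged[rid] = found
    return flagged


# Constructed sample requests (not captured traffic).
SAMPLE = {
    "req-1": {"Content-Type": "multipart/form-data; boundary=----abc123"},
    "req-2": {"Content-Type": "%{CONSTRUCTED_PLACEHOLDER}.multipart/form-data"},
    "req-3": {"Content-Type": "application/json", "User-Agent": "curl/8.0"},
    "req-4": {"Content-Type": "multipart form-data"},
}

if __name__ == "__main__":
    for rid, found in scan(SAMPLE).items():
        print(rid, found)
```

A check like this belongs at a reverse proxy or WAF in front of the application and complements, rather than replaces, upgrading to a patched Struts release.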
History and Reasons
Now, not only Struts 2 but also previous versions of Struts were the same. Why is it so vulnerable? I mean, Apache is web server software used worldwide. Then why did this become so vulnerable, i.e. could they not focus a little on security for others? Well, first of all, it is open source, i.e. you can use it for free, so the developers don't have much capital to spend on technical maintenance. Secondly, to give its functionality such a wide range of customizations and to make it run on a normal PC, many levels of security have been disabled. Thus you don't expect much security.
Then are the companies that run Apache on their main servers safe?
Well, technically, nothing is secure; everything has a vulnerability in it. You just need to be sharp enough to get into that system. Also, what companies do is hire and keep a team of developers and security analysts who patch/edit almost all the open services and make a custom installation on their production server before deploying their web server online. So they are secure as of their launch, but eventually, if any bugs are found, those get reported by bug hunters and patched before anyone else can get to them. In the worst case, if that vulnerability/bug gets into the hands of bad guys, then comes the real hack, the one that flashes on all the news channels as the biggest data breach of the century (if you know which breach I am talking about).
Nothing much, I just want to tell you that Struts is a fairly bad service by Apache (no offense), even if it provides you some handy tools to make your work easier. Don't forget there is always an alternative to everything, because if there isn't… Congratulations!! You just found a new startup idea ;)