Apache Struts 2 Namespace Evaluation Remote Code Execution (CVE-2018-11776 / S2-057)

Today, a new Apache Struts 2 Remote Code Execution vulnerability was announced (S2-057) and CVE-2018-11776 was allocated. At the moment, there is no public Proof of Concept exploit available.

for a Struts 2 application to be vulnerable, its configuration should meet 2 conditions:

The value of the “struts.mapper.alwaysSelectFullNamespace” should be set to true. This means that Struts will consider the “namespace” to be everything before the last slash of the URI.
Action declaration via <action> tag without “namespace” attribute.

When the conditions are met, Struts will try to extract the “namespace” from the request URL by following the next logic:

Example URL: http://struts2app.test/[Servlet Context]/[Namespace]/[Action].action

It was found that if the namespace was extracted from the requested URL, and it contained an Object-Graph Navigation Library (OGNL) expression which is the expression language supported by the Struts framework, in some cases the extracted expression may be evaluated by Struts, which may lead to arbitrary code execution.

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Java code injection attack signatures which can be found in signature sets that include the “Server Side Code Injection” attack type or “Java Servlets/JSP” System.

Edit: We have released additional, more generic signatures to cover OGNL / JSP expressions injection attempts in the URL:

200004474 - JSP Expression Language Expression Injection (3) (URI)

200004475 - Object Graph Navigation Library Expression Injection (2) (URI

Edit: Proof of Concept exploit for this vulnerability is now publicly available. The exploit can be mitigated by the following signatures: