Contrast Labs: Apache Struts CVE-2019-0230 and How to Block Attacks

On August 13, 2020, Apache published a security bulletin that addressed a couple of application vulnerabilities in Struts 2, among them CVE-2019-0230. At the same time, proof-of-concept (POC) exploit code was released on GitHub. CVE-2019-0230 is a forced double Object-Graph Navigation Language (OGNL) evaluation vulnerability that potentially allows an attacker to run arbitrary commands on a remote server. Exploiting it requires the ability to upload files to the application. Struts versions 2.0.0 through 2.5.20 are affected. Contrast Labs was able to reproduce the POC and confirm that our latest Java agent (3.7.7.16256) will block the attack.

The good news is that Contrast Protect customers are protected from this vulnerability being exploited.

What Does the Exploit of CVE-2019-0230 Look Like?

To confirm the vulnerability, Contrast Labs used the POC code from GitHub together with the Struts 2.3.12 Showcase application running on Tomcat 7.0.99, because the Showcase includes a file upload example.

[Image: file upload example]

The exploit relies on placing a crafted OGNL payload in the filename parameter of the multipart upload request. An example HTTP request body carrying such a payload is shown below:

[Image: OGNL exploit request body]

After running the payload against the file upload action, Contrast Labs was able to launch the calculator application from a system command. Launching the calculator application showed that we could run code on the local system, thus confirming remote code execution.

[Image: remote code execution]

How to Confirm That the CVE Has Been Fixed

As of the publication of this blog post, the vulnerable versions of Apache Struts 2 have been fixed. Anyone running a vulnerable version (2.0.0 through 2.5.20) should upgrade to version 2.5.22.
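Two checks a defender can script from the facts above, as an added example that is not Contrast's code and was not part of the original post: whether a deployed Struts jar falls in the affected range 2.0.0 through 2.5.20, and whether a multipart upload request carries OGNL expression delimiters in its filename parameter. The request body and boundary are constructed for the demonstration, and the multipart parsing is deliberately minimal (it does not decode encoded variants), so it illustrates the signal rather than replacing an agent.

```python
import re

# Affected range and fixed release for CVE-2019-0230, as stated in the post.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 20)
FIXED_VERSION = (2, 5, 22)


def parse_version(text):
    """Extract a comparable (major, minor, patch) tuple from '2.5.20'
    or from a jar name such as 'struts2-core-2.3.12.jar'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the Struts version in `text` is within the affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


# OGNL expression delimiters; neither belongs in an uploaded file's name.
OGNL_MARKER = re.compile(r"[%$]\{")
FILENAME_PARAM = re.compile(r'filename="([^"]*)"', re.IGNORECASE)


def suspicious_filenames(body, boundary):
    """Return every filename value in a multipart body whose part headers
    contain an OGNL delimiter. Only the header block of each part is
    inspected, so OGNL-looking bytes inside file contents are ignored."""
    hits = []
    for part in body.split(b"--" + boundary):
        headers, _, _content = part.partition(b"\r\n\r\n")
        m = FILENAME_PARAM.search(headers.decode("latin-1"))
        if m and OGNL_MARKER.search(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample: one part with an OGNL delimiter in its filename,
# one ordinary upload. The expression itself is harmless arithmetic.
BOUNDARY = b"----demo"
SAMPLE_BODY = (
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="%{1+1}.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.4\r\n"
    b"------demo--\r\n"
)
```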

How Does Contrast Protect Block CVE-2020-9484 Attacks?

Contrast Protect detects and blocks the Apache Struts 2 OGNL injection vulnerability out of the box, with no configuration. To show how this works, Contrast Labs' internal security researchers ran the above-referenced POC against the Showcase application after adding the Contrast Protect Java agent by modifying the CATALINA_OPTS environment variable (export CATALINA_OPTS="$CATALINA_OPTS -javaagent:contrast.jar"). Once the Contrast Protect agent was running in block mode, we ran the exploit and saw the following:

[Image: Protect block mode]

The result is clearly different from the successful exploit: the calculator application was never launched. We then browsed to the Contrast Protect UI and saw the detected and blocked attack:

[Image: Protect block event]

We were also able to see what the stack trace looks like at the point of vulnerability:

[Image: Protect vulnerability detection stack trace]

Contrast customers are actively protected from this exploit if Contrast Protect is enabled, and blocking mode is enabled for Expression Language and OGNL Injection. If monitoring mode is enabled, the attack will be detected but not blocked. Applications should be upgraded to 2.5.22 to address the vulnerable code. 

To enable the block mode on OGNL Injection, users need to navigate in the Contrast Protect user interface to “Policy Management” -> “Protect Rules” -> “OGNL Injection.” At that point, users need to verify the environment running their vulnerable instance is in “block” mode.

[Image: OGNL Injection rule settings]

Useful References on Apache Struts OGNL

For readers seeking more information on the Apache Struts OGNL vulnerability, the following links are useful:

  • Apache Wiki: Click here
  • GitHub: Click here
  • Maven Repo: Click here

Readers without Contrast Protect can get more information by downloading a copy of our solution brief, "Contrast Protect with Runtime Application Self-Protection (RASP)."

This is a Security Bloggers Network syndicated blog from Security Influencers Blog authored by Dan Amodio, Security Researcher. Read the original post at: https://www.contrastsecurity.com/security-influencers/apache-struts-cve-2019-0230