Struts is a well-known framework used in Apache web servers. Struts and Struts2 have a list of bugs that includes severe P1 issues such as remote code execution.
Last year, in 2017, two critical remote code execution bugs were discovered in the Apache Struts2 framework. They scored a severity of 10/10, since they resulted in compromise of the whole server.
In fact, at the time this flaw was disclosed, more than 25% of Fortune 500 companies were using this framework alongside the Apache server.
Apache is the most used web server today, though its share of users is decreasing, while nginx is the second most used web server, with an increasing share.
CVE-2018-11776 Remote Code Execution:
This year, in April 2018, Man Yue Mo of the Semmle Security Research Team discovered this vulnerability and immediately reported it to Apache. In his blog post he disclosed that the attack can be triggered by a crafted URL.
The vulnerability was assigned CVE-2018-11776. It affects Struts 2.3 to Struts 2.3.34 and Struts 2.5 to Struts 2.5.16. All users running one of the listed versions are strongly advised to update to version 2.3.35 or 2.5.17.
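As an added example (not part of the original article or of the Struts project), the following Python helper turns the affected and fixed versions stated above into a check a defender can run over the struts2-core jar names found on a server. The jar paths in the sample list are constructed, and the `struts2-core-<version>.jar` naming is assumed from the conventional Maven artifact name.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version boundaries as stated in the advisory text: 2.3 up to 2.3.34 and
# 2.5 up to 2.5.16 are affected; 2.3.35 and 2.5.17 are the fixed releases.
FIXED_2_3 = (2, 3, 35)
FIXED_2_5 = (2, 5, 17)

# Matches jar file names such as struts2-core-2.5.16.jar (assumed naming,
# based on the conventional Maven artifact name for the Struts 2 core library).
JAR_RE = re.compile(r"struts2-core-(\d+\.\d+(?:\.\d+)?)[^/\\]*\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; a missing patch is 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if at or past the fix,
    None if the version is outside the 2.3 and 2.5 branches the advisory names."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return v < FIXED_2_3
    if v[:2] == (2, 5):
        return v < FIXED_2_5
    return None


def scan_jar_names(paths: List[str]) -> Dict[str, str]:
    """Classify each struts2-core jar path as 'vulnerable', 'fixed' or 'unknown'."""
    verdicts: Dict[str, str] = {}
    for p in paths:
        m = JAR_RE.search(p)
        if not m:
            continue  # not a struts2-core jar, nothing to say about it
        state = is_vulnerable(m.group(1))
        if state is None:
            verdicts[p] = "unknown"
        elif state:
            verdicts[p] = "vulnerable"
        else:
            verdicts[p] = "fixed"
    return verdicts


# Constructed sample: what a `find / -name 'struts2-core-*.jar'` listing might
# look like on a host with several deployed applications.
SAMPLE_JARS = [
    "/opt/app/WEB-INF/lib/struts2-core-2.3.34.jar",
    "/opt/app/WEB-INF/lib/struts2-core-2.5.16.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.5.17.jar",
    "/opt/app2/WEB-INF/lib/ognl-3.1.15.jar",
    "/opt/legacy/WEB-INF/lib/struts2-core-2.1.8.jar",
]

if __name__ == "__main__":
    for path, verdict in scan_jar_names(SAMPLE_JARS).items():
        print(f"{verdict:10s} {path}")
```

Versions outside the 2.3 and 2.5 branches are reported as "unknown" rather than "fixed", because the advisory text above says nothing about them; treat those as needing a manual check rather than as safe.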
Nearly every application using Struts is vulnerable to this attack. The discoverer of the vulnerability described how he made use of the QL language, developed by Semmle, to find the flaw.
QL is an object-oriented query language, similar to SQL, that is used to extract data from databases. The researcher disclosed that he used the previously reported vulnerabilities in Struts to gain more knowledge about the internal workings of Struts.
He used QL queries to encapsulate Struts-specific concepts, which helped him uncover the problematic code and, from there, successfully exploit it.
The queries the researcher made use of can be found here.
Most of the previously reported Struts vulnerabilities were caused by remote input being passed as OGNL. Learning from those earlier reports, Man Yue Mo decided to use OgnlUtil::compileAndExecute() and OgnlUtil::compileAndExecuteMethod() in QL.
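Because the attack is delivered in a crafted URL carrying an OGNL expression, web server access logs are one place a defender can look for attempts. The following Python script is an added example, not part of the original article or of the researcher's tooling: it parses constructed Apache combined-format log lines, URL-decodes each request path (repeatedly, so double-encoded requests are not missed) and flags paths containing OGNL expression syntax (`${` or `%{`). The log lines, addresses and the `constructed` token inside the expressions are all made up for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# OGNL expressions are written ${...} or %{...}; either marker in a request
# path is worth a look, because Struts should never receive them from a client.
OGNL_MARKERS = ("${", "%{")


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so that
    %2524%257B -> %24%7B -> ${ is caught as well as the single-encoded form."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_ognl_marker(path: str) -> bool:
    decoded = fully_decode(path)
    return any(marker in decoded for marker in OGNL_MARKERS)


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request whose path contains OGNL syntax."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        path = m.group("path")
        if has_ognl_marker(path):
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "path": path,
                "decoded": fully_decode(path),
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log: one normal request, three requests carrying an OGNL
# marker (plain, URL-encoded, double-encoded), one benign request with a lone
# percent-encoded "%" that must not be flagged, and one malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Aug/2018:10:15:01 +0000] "GET /index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Aug/2018:10:15:07 +0000] "GET /${constructed}/index.action HTTP/1.1" 302 0 "-" "curl/7.58.0"',
    '203.0.113.9 - - [22/Aug/2018:10:15:09 +0000] "GET /%24%7Bconstructed%7D/index.action HTTP/1.1" 302 0 "-" "curl/7.58.0"',
    '203.0.113.9 - - [22/Aug/2018:10:15:11 +0000] "GET /%2524%257Bconstructed%257D/index.action HTTP/1.1" 302 0 "-" "curl/7.58.0"',
    '198.51.100.4 - - [22/Aug/2018:10:16:00 +0000] "GET /help.action?q=%25 HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['status']} {hit['decoded']}")
```

A match only says that OGNL syntax reached the server, not whether the request succeeded; pair the hit with the application's own logs and with the version check for the deployed struts2-core jar. Bounding the decode loop keeps a pathological input from spinning, and stopping when decoding no longer changes the string avoids false positives from a single literal `%`.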
To know more about the technical details of the vulnerability, visit here.