
Contrast Labs: Apache Struts CVE-2019-0230 and How to Block Attacks

Note: Special thanks to Alvaro Muñoz (https://twitter.com/pwntester) for correcting us on some very important technical facts in our original copy of this blog.

On August 13, 2020, Apache published a security bulletin that addressed a couple of application vulnerabilities in Struts 2, including CVE-2019-0230. At the same time, proof-of-concept (POC) exploit code was released on GitHub. CVE-2019-0230 is a forced double Object-Graph Navigation Language (OGNL) evaluation vulnerability that potentially allows an attacker to run arbitrary commands on a remote server. Exploitation requires the ability to upload files. Struts versions 2.0.0 through 2.5.20 are affected. Contrast Labs was able to reproduce the POC and confirm that our latest Java agent (3.7.7.16256) blocks the attack.

The good news is that Contrast Protect customers are protected from this vulnerability being exploited.

What Does the Exploit of CVE-2019-0230 Look Like?

To confirm the vulnerability, Contrast Labs used the POC code from GitHub on Tomcat 7.0.99. The exploit relies on placing an OGNL payload in a Struts action field whose value is subsequently rendered into the id attribute of a Struts "a" tag, where it is evaluated a second time.
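The mechanism described above, single versus forced double evaluation of a tag attribute, can be modelled without any real OGNL. The following is an added illustration written for this post and not code from Contrast or Apache Struts: the mini "evaluator" only resolves %{name} against a dictionary of action properties, so it cannot execute anything, and the property names, the template and the values are all constructed for the example. The point it shows is how a raw request value that reaches a tag attribute is harmless after one pass and becomes an expression on the second pass.

```python
"""Toy model of Struts-style tag attribute rendering (constructed example).

The evaluator below stands in for OGNL but only performs a dictionary
lookup, so the example runs offline and executes nothing.
"""
import re

# Matches a %{...} expression; the group is the expression text.
EXPR = re.compile(r"%\{([^}]*)\}")


def evaluate_once(template: str, props: dict) -> str:
    """Resolve every %{name} in `template` against `props` exactly once.

    Unknown names resolve to the empty string, a stand-in for OGNL
    returning null. Nothing in the substituted text is re-scanned.
    """
    return EXPR.sub(lambda m: str(props.get(m.group(1).strip(), "")), template)


def render_attribute_double(attr_template: str, props: dict) -> str:
    """Forced double evaluation (the vulnerable behaviour).

    The attribute template is evaluated, and the *result* is fed back
    through the evaluator. If the first pass pulled in raw request data
    that itself contains %{...}, the second pass treats that data as an
    expression chosen by whoever sent the request.
    """
    first_pass = evaluate_once(attr_template, props)
    return evaluate_once(first_pass, props)


def render_attribute_single(attr_template: str, props: dict) -> str:
    """Hardened rendering: one evaluation pass only.

    Whatever the developer's expression produced is treated as literal
    attribute text, so request data never becomes an expression.
    """
    return evaluate_once(attr_template, props)


# Constructed action properties: "skill" is a value that arrived in a
# request parameter, "secret" stands in for data that should never be
# reachable from a page attribute.
PROPS = {"skill": "%{secret}", "secret": "not-for-the-browser"}

# The developer wrote something like <s:a id="%{skill}"> in the view.
TEMPLATE = "%{skill}"

if __name__ == "__main__":
    print("double evaluation:", render_attribute_double(TEMPLATE, PROPS))
    print("single evaluation:", render_attribute_single(TEMPLATE, PROPS))
```

With double evaluation the rendered id is the value of "secret"; with a single pass the id is the literal text "%{secret}", which is exactly what the page author intended to display. Escaping the attribute for HTML output is a separate concern and is deliberately left out of the model.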


An example payload HTTP request body is provided below:

[Screenshot: payload HTTP request body]

After running the payload against the test Struts action, Contrast Labs was able to launch the calculator application from a system command. Launching the calculator application showed that we could run code on the local system, thus confirming remote code execution.

[Screenshot: remote code execution, calculator launched]

How to Confirm That the CVE Has Been Fixed

As of the publication of this blog post, the vulnerable versions of Apache Struts 2 have been fixed. Anyone running a vulnerable version (2.0.0 through 2.5.20) should upgrade to version 2.5.22.
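A practical way to confirm the upgrade is to check the struts2-core jar shipped in each application's WEB-INF/lib against the ranges stated above. The following check is an added example written for this post (not Contrast's tooling): it classifies a jar name as "vulnerable" when its version lies in 2.0.0 through 2.5.20, "fixed" when it is at or above the recommended 2.5.22, and "below-recommended" for anything in between, which this post does not list as affected but which is still short of the advised upgrade. The jar file names used in the usage section are constructed.

```python
"""Classify struts2-core jar versions against CVE-2019-0230 (added example).

Ranges are taken from the post: 2.0.0 through 2.5.20 affected,
2.5.22 recommended. Version strings are compared as integer tuples so
that 2.5.9 sorts before 2.5.20.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_LOW: Version = (2, 0, 0)
AFFECTED_HIGH: Version = (2, 5, 20)
RECOMMENDED: Version = (2, 5, 22)

# struts2-core-2.5.20.jar, also tolerating a qualifier such as -SNAPSHOT.
JAR_RE = re.compile(r"^struts2-core-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.-]+)?\.jar$")


def parse_struts_version(jar_name: str) -> Optional[Version]:
    """Return (major, minor, patch) for a struts2-core jar name, else None.

    Plugin jars such as struts2-json-plugin-*.jar are ignored on purpose;
    the core jar is what determines the framework version.
    """
    match = JAR_RE.match(jar_name)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def classify(version: Version) -> str:
    """Map a version to one of: vulnerable, below-recommended, fixed."""
    if AFFECTED_LOW <= version <= AFFECTED_HIGH:
        return "vulnerable"
    if version < RECOMMENDED:
        return "below-recommended"
    return "fixed"


def audit_jar_names(jar_names: Iterable[str]) -> Dict[str, str]:
    """Classify every struts2-core jar in an iterable of file names."""
    results: Dict[str, str] = {}
    for name in jar_names:
        version = parse_struts_version(name)
        if version is not None:
            results[name] = classify(version)
    return results


def audit_lib_dir(lib_dir: str) -> Dict[str, str]:
    """Classify the struts2-core jars found in a WEB-INF/lib directory."""
    names = (p.name for p in Path(lib_dir).glob("struts2-core-*.jar"))
    return audit_jar_names(names)


if __name__ == "__main__":
    # Constructed file names standing in for a few deployed applications.
    sample = ["struts2-core-2.3.37.jar", "struts2-core-2.5.20.jar",
              "struts2-core-2.5.22.jar", "struts2-json-plugin-2.5.20.jar"]
    for jar, verdict in audit_jar_names(sample).items():
        print(f"{jar}: {verdict}")
```

Run audit_lib_dir against each deployed application's WEB-INF/lib; any "vulnerable" result means the application is still on an affected release and needs the 2.5.22 upgrade regardless of whether a runtime protection agent is in front of it.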

How Does Contrast Protect Block CVE-2019-0230 Attacks?

Contrast Protect detects and blocks the Apache Struts 2 OGNL Injection vulnerability out of the box, with no additional configuration. To show how this works, Contrast Labs' internal security researchers ran the above-referenced POC with the Contrast Protect Java agent attached to Tomcat, which only required modifying the CATALINA_OPTS environment variable (export CATALINA_OPTS="$CATALINA_OPTS -javaagent:contrast.jar"). With the agent running in block mode, we ran the exploit and saw the following:

[Screenshot: exploit output with Contrast Protect in block mode]

The result differed markedly from the successful run: the calculator application was never launched. We then browsed to the Contrast Protect UI and saw the attack recorded as detected and blocked:

[Screenshot: Contrast Protect UI showing the blocked attack]

Contrast customers are actively protected from this exploit if Contrast Protect is enabled, and blocking mode is enabled for Expression Language and OGNL Injection. If monitoring mode is enabled, the attack will be detected but not blocked. Applications should be upgraded to 2.5.22 to address the vulnerable code.

To enable the block mode on OGNL Injection, users need to navigate in the Contrast Protect user interface to “Policy Management” -> “Protect Rules” -> “OGNL Injection.” At that point, users need to verify the environment running their vulnerable instance is in “block” mode.

[Screenshot: OGNL Injection rule set to block mode under Policy Management -> Protect Rules]

Useful References on Apache Struts OGNL

For readers seeking more information on the Apache Struts OGNL vulnerability, the following links are useful:

  • Apache Wiki (link not preserved in this copy)
  • GitHub (link not preserved in this copy)

Readers without Contrast Protect can get more information by downloading a copy of our solution brief, “Contrast Protect with Runtime Application Self-Protection (RASP).”

Dan Amodio, Security Researcher


Dan grew up tinkering with computers and learning about hacking and programming, and he somehow made a career out of it. He has worked on information security issues—from application security to red teaming—with some of the largest companies across the globe. Outside work he enjoys music, games, and family time.
