Newly discovered Struts 2 flaw has existed for more than four years
DUBLIN and ATLANTA – March 9th, 2017 – Waratek, the virtualization-based application security company, is offering a Virtual Patch for customers to address a new high severity vulnerability announced this week that exposes organizations using the Struts 2 framework to any general code injection attack. The Waratek solution fully remediates this vulnerability with a virtual patch that can be live-updated without taking affected applications out of production.
“Struts 2 users need to take immediate action. Applying the binary patch offered by Apache requires some application downtime,” noted John Matthew Holt, Waratek’s Founder and CTO. “For users who have made custom changes on Struts source code, it could take days or weeks to upgrade. A virtual patch can be applied immediately while the application continues to run – with no code changes and without restarting the application.”
The Apache Foundation announced the new vulnerability – CVE-2017-5638 – on Monday, March 6th and the first attacks exploiting the new vulnerability have already been reported. First introduced in Struts 2.3.5 released in October 2012, the vulnerability has been available for Zero Day exploits for more than four years.
Even prior to the announcement of the vulnerability, Waratek’s core functionality protected against Proof-Of-Concept (POC) exploits of CVE-2017-5638 that perform remote-command execution. The new virtual patch is a specific one-line security rule that fully remediates this vulnerability and was developed in less than one-day after the vulnerability was announced.
“This is a critical vulnerability because the attack can be achieved without authentication, and web applications don’t necessarily need to successfully upload a malicious file to exploit this vulnerability,” advises Holt. “Just the presence of the vulnerable Struts library within an application is enough to exploit the vulnerability.”
Struts is an open source framework from the Apache Foundation used for web application development. Struts users include large-scale Internet companies, government, financial institutions and other enterprises around the world.
Waratek has received the 2017 Cyber Defense Magazine INFOSEC Leader Award for Application Security, was named 2016’s Best Application Security Solution by Government Security News and is the winner of the 2015 RSA Innovation Sandbox Award. JavaWorld notes that “Waratek is the only vendor that can boast of a large-scale production deployment with a Tier 1 global investment bank, the most significant deployment of (runtime protection) that exists for Java technology today.”
Waratek is based in Atlanta, Georgia and Dublin, Ireland. For more information visit www.waratek.com.