Two weeks after the Apache Foundation announced a previously unknown vulnerability in the Struts 2 web application framework, two new variations of the same vulnerability have been reported. However, Waratek customers who have applied the Virtual Patch for CVE-2017-5638 are already protected against the newly discovered variations, as well as against any other variation that may be discovered.
According to the latest Struts 2 Security Bulletin (S2-046), it is possible to perform a Remote Command Execution (RCE) attack with a malicious Content-Disposition value or with an improper Content-Length header. If the Content-Disposition or Content-Length value is not valid, an exception is thrown, and that exception is then used to display an error message to the user. This is a different attack vector for the same vulnerability described in S2-045 (CVE-2017-5638).
Waratek customers are protected against Code Injection and RCE attacks by the Waratek Application Security Platform's standard protections, such as the Process Forking, Reflection Abuse and Name Space Layout Randomization (NSLR) features. Waratek has also published a Virtual Patch for CVE-2017-5638 that is the functional equivalent of the physical patch offered by Apache and can be deployed safely on any version of Struts 2 without a restart and with no source code or binary changes required.
The Waratek Virtual Patch, combined with Waratek's Remote Command Execution mitigation, Reflection Abuse mitigation and NSLR features, provides both active and reactive protection against the problem and removes the urgency to upgrade for users who have customized the Struts 2 code used in their web applications.
Companies that have not applied the Waratek Virtual Patch should review any temporary workarounds or security solutions that depend on pattern matching, heuristics, servlet filters or WAF-type protection. Security solutions that base detection on filtering the Content-Type header, or on looking for unusual Content-Type values, will fail to mitigate the new exploits.
Contact us for more information about the Struts 2 live Virtual Patch.