TECHNICAL ALERT 20170708
New Severe Apache Struts 2 Vulnerability Found (CVE-2017-9791)
Waratek Customers are Already Protected
A new vulnerability rated “severe” (CVE-2017-9791) in the popular Apache Struts 2 framework was reported on Friday, July 7, 2017. Within hours of the disclosure, several public proof-of-concept exploits [1] [2] became available, making exploitation easy.
Background
According to the Struts 2 Security Bulletin (S2-048) and an official Apache Struts announcement, specially crafted HTTP requests can achieve arbitrary remote code execution (RCE) when an application uses the Struts 1 plugin for Struts 2. Applications running Struts 2.5.0 and above are not affected. At the time of writing, Apache has not published a patch for the affected versions of Struts and recommends that developers refactor their code instead.
Action Required
Waratek customers are protected against Code Injection and RCE attacks by the Waratek Application Security Platform’s standard protections such as Process Forking, Reflection Abuse, Name Space Layout Randomization (NSLR) and Component Privilege De-escalation features. These features provide active and accurate protection against RCE attacks with minimal configuration and no tuning, eliminating the need to immediately address vulnerable Struts 2 code.
Companies that have not deployed the Waratek Application Security Platform should review any temporary workarounds or security solutions that depend on pattern matching, heuristics, servlet filters, or WAF-type protection. Security solutions that base detection on these techniques are unlikely to detect or mitigate this exploit without false positives or false negatives. Developers must audit their source code, manually identify all instances of the offending source code that introduce the vulnerability, and manually refactor the code. Fixed applications must then be compiled, QA tested and verified by pen testers before they are redeployed into production.
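The refactoring the audit above calls for, shown as an added illustration that is not part of the Waratek alert or the Apache project's own code: the pattern the S2-048 bulletin warns about (untrusted input used as the message text of a Struts 1 ActionMessage) beside the form the bulletin recommends (a fixed resource key, with the untrusted value passed only as a substitution argument). The action class, method names and the user.saved key are hypothetical.

```java
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

// Hypothetical Struts 1 action running under the Struts 2 Struts 1 plugin.
public class SaveUserAction {

    // VULNERABLE PATTERN: the user-controlled value becomes the message text itself.
    // Under the Struts 1 plugin that text is handed to Struts 2's message handling,
    // where it is interpreted rather than displayed verbatim, which is the root cause
    // of S2-048. Auditing for "new ActionMessage(" calls whose first argument is not
    // a fixed literal is a practical way to locate instances of this pattern.
    static ActionMessages buildMessagesUnsafe(String userSuppliedName) {
        ActionMessages messages = new ActionMessages();
        messages.add(ActionMessages.GLOBAL_MESSAGE,
                new ActionMessage("User " + userSuppliedName + " saved")); // raw input as message
        return messages;
    }

    // FIXED PATTERN: the message text is a constant resource key defined in the
    // application's message resources, e.g.
    //     user.saved=User {0} saved
    // The untrusted value is passed only as the {0} substitution argument, so it is
    // inserted into the resolved text and never interpreted as a key or expression.
    static ActionMessages buildMessagesSafe(String userSuppliedName) {
        ActionMessages messages = new ActionMessages();
        messages.add(ActionMessages.GLOBAL_MESSAGE,
                new ActionMessage("user.saved", userSuppliedName));
        return messages;
    }
}
```

Every call site found by the audit should be converted to the second form, after which the application is rebuilt and regression-tested as described above.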
Contact Waratek for more information.