Alert Logic® is actively researching the Apache Struts2 Showcase App (CVE-2017-9791, RCE S2-048) vulnerability. This is an unauthenticated RCE vulnerability that allows attackers to remotely control Apache Struts victim hosts without any preconditions. The vulnerability can impact users running Apache Struts 2, versions 2.3.x and below.
Apache Struts2 Showcase App Vulnerability
The CVE-2017-9791 vulnerability allows an attacker to embed an operating system command into a request to the vulnerable system. Once evaluated using the vulnerable function, the command supplied by the attacker will be executed as if the attacker had direct access to the victim host operating system, operating at the same privilege level as the Struts application. It is possible for an attacker to use this foothold to deface or compromise the victim server, upload a webshell for long term control and persistence, or use another vulnerability to escalate privileges to root and control the victim host fully.
The attack is propagated from the internet to the victim web server. It is unlikely that the vulnerability could be used to propagate within a network.
The CVE-2017-9791 vulnerability is unauthenticated, so no prior access is required for an attack. Public exploit code is utilizing the Struts1 Showcase plugin - which is installed by default on new installations of Apache Struts - to exploit this vulnerability. There may be further exploit variations released in the coming days.
There is currently no evidence of exploited hosts in the public domain due to this vulnerability attack.
Alert Logic Coverage
Alert Logic Web Security Manager™ blocks, and Web Security Manager Premier™ detects, the CVE-2017-9791 vulnerability.
Alert Logic Threat Manager™ has signatures in place to detect this threat, and the Security Operations Center is actively monitoring these signatures to generate incidents for any suspected successful exploit.
Alert Logic Cloud Defender™ scanning coverage is available for this vulnerability.
Recommendations for Mitigation
Per Apache Struts, you should always use resource keys instead of passing a raw message to the ActionMessage, as shown below. Never pass a raw value directly.
CORRECT: messages.add("msg", newActionMessage ("struts1.gangsterAdded", gform.getName ()));
INCORRECT: messages.add("msg", newActionMessage("Gangster "+ gform.getName () + " was added"));
We will update this section with new information about the Apache Struts2 Showcase App vulnerability and related Alert Logic coverage as it becomes available.