A new zero-day exploit for Apache Struts has been weaponized and is actively being reported in the public domain as being utilized to compromise victims. The vulnerability (CVE-2017-5638) and patch were released to the public on March 6, 2017; however, attack probes and exploitation were detected before the official proof-of-concept exploit was released. Many reports suggest there is significant malicious actor mobilization, and several public exploits are available in the wild. Successful execution of the threat leads to unauthenticated remote command execution. Alert Logic® is actively investigating the reports of public exploits of this vulnerability and will release additional information as required.
Details
Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.
This new critical Remote Code Execution vulnerability for Apache Struts affects many of the newer versions of their software, including Struts versions 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The vulnerability itself affects the Jakarta multipart parser and Apache’s own OGNL (Object Graph Navigation Library), which is an expression language used for setting and getting properties of Java objects.
This vulnerability can be exploited when an attacker sends a specially crafted file-upload request to the Jakarta multipart plugin with malicious code passed in the Content-Type header. The vulnerability is triggered because the error message or error key generated for the failed multipart upload is stored in a variable and evaluated afterwards, so the attacker-controlled header content is executed. As of March 13, 2017, several exploits are available online for testing.
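Because the attack rides in the Content-Type header, the defensive check described later on this page ("header validation") can be expressed as two complementary tests: reject any header containing an OGNL expression opener, and reject any header that does not fit the Content-Type grammar at all. The following is an added example written for this advisory, not Alert Logic's signature or Apache's code. It assumes a simplified log format of its own (`<client> <method> <path> ct=<Content-Type>`), the sample log lines and header values are constructed, and `MAX_HEADER_LEN` is a hypothetical ceiling chosen for illustration.

```python
import re
from typing import Dict, List, Optional

# Delimiters that open an OGNL expression. Struts evaluates "%{...}" and
# "${...}"; a well-formed Content-Type header never contains either.
OGNL_OPEN = re.compile(r"%\{|\$\{")

# Allowlist for a well-formed Content-Type header: a type/subtype token,
# then zero or more ";name=value" parameters, where the value is either a
# quoted string or a run of the characters RFC 2046 permits in a boundary.
_TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
_PARAM_VALUE = r"(?:\"[^\"]*\"|[A-Za-z0-9'()+_,./:=?-]+)"
CONTENT_TYPE_SHAPE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*[A-Za-z0-9_-]+={_PARAM_VALUE})*\s*$"
)

MAX_HEADER_LEN = 512  # hypothetical ceiling; real multipart boundaries are far shorter


def check_content_type(value: str) -> Optional[str]:
    """Return a reason string if the header looks malicious, else None.

    The blocklist catches the obvious case; the allowlist catches
    variants that avoid the literal delimiters but still break the grammar.
    """
    if len(value) > MAX_HEADER_LEN:
        return "oversized header"
    if OGNL_OPEN.search(value):
        return "OGNL expression delimiter in header"
    if not CONTENT_TYPE_SHAPE.match(value):
        return "header does not match Content-Type grammar"
    return None


# Constructed sample log lines in the assumed format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 POST /upload.action ct=multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
203.0.113.11 GET /index.action ct=
198.51.100.7 POST /upload.action ct=%{7*7}
198.51.100.8 POST /upload.action ct=multipart/form-data; boundary=--x}{#a
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) ct=(?P<ct>.*)$")


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run the header check over each log line and collect the hits."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ct = m.group("ct")
        if not ct:
            continue  # request carried no Content-Type header
        reason = check_content_type(ct)
        if reason:
            hits.append({"client": m.group("client"), "path": m.group("path"), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['path']}: {hit['reason']}")
```

The same `check_content_type` function can sit inline in a reverse proxy or WAF to block requests before they reach Struts, or run over historical proxy logs to find probes that arrived before signatures were deployed. It is a heuristic, not a replacement for the patch: a grammar-based allowlist is deliberately strict, so review any false positives from unusual but legitimate clients before blocking on it.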
Alert Logic Coverage
Alert Logic has evaluated its customer base for exposure to the exploit and has developed signatures and configuration steps for mitigating the threat depending on the security service in place.
Web Security Manager
- For customers using Alert Logic’s inline Web Application Firewall (WAF), Alert Logic has identified affected web applications using learned data. A new header validation signature to detect and block the exploit has been added to the security policy of those applications.
Threat Manager
- Vulnerability scanning has been updated to identify this Apache vulnerability. To check your environment for this vulnerability, schedule a scan in the Alert Logic user interface (UI). Note: For more information about scheduling scans, refer to our Define a Scan documentation.
- Network-based Intrusion Detection System (IDS) has been updated with the latest signatures. If this signature is detected, an incident is generated in the Alert Logic UI. Note: For more information about how Alert Logic defines and correlates incidents, refer to our Incident Handling Policy article.
Cloud Defender
- Vulnerability scanning has been updated to identify this Apache vulnerability. To check your environment for this vulnerability, schedule a scan in the Alert Logic user interface (UI). Note: For more information about scheduling scans, refer to our Define a Scan documentation.
- Network-based IDS has been updated with the latest signatures. If this signature is detected, an incident is generated in the Alert Logic UI. Note: For more information about how Alert Logic defines and correlates incidents, refer to our Incident Handling Policy article.
- For immediate exploit detection, customers using Alert Logic’s out-of-band (OOB) WAF can reach out by phone or email to Alert Logic to add a header validation signature.
Cloud Insight
- Vulnerability scanning has been updated to identify this Apache vulnerability.
Apache Recommendations for Mitigation
Apache has made recommendations for the mitigation of this vulnerability. For more information about these recommendations, refer to Apache Security Bulletin S2-045.