
03/13/17: Apache Struts CVE-2017-5638 | Security Bulletin


Overview

A new zero-day exploit for Apache Struts has been weaponized and is actively being reported in the public domain as being used to compromise victims. The vulnerability (CVE-2017-5638) and patch were released to the public on March 6, 2017; however, attack probes and exploitation were detected before the official proof-of-concept exploit was released. Many reports suggest there is significant malicious actor mobilization, and several public exploits are available in the wild. Successful exploitation leads to unauthenticated remote command execution. Alert Logic® is actively investigating the reports of public exploits of this vulnerability and will release additional information as required.


Details

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. 

This new critical Remote Code Execution vulnerability in Apache Struts affects many of the newer versions of the framework, including Struts 2.3.5 – 2.3.31 and Struts 2.5 – 2.5.10. The vulnerability lies in the Jakarta multipart parser and its handling of OGNL (Object Graph Navigation Language), an Apache expression language used for setting and getting properties of Java objects.

This vulnerability can be exploited when an attacker sends a specially crafted file-upload request to the Jakarta plugin with malicious code passed in the Content-Type header. The vulnerability is triggered because an error message or error key built from that header is stored in a variable and evaluated as an OGNL expression after the malicious multipart upload attempt fails. As of March 13, 2017, several exploits are available online for testing.
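Two defender-side checks that follow from the details above, written here as an added example rather than code from Alert Logic or the Struts project: a version check against the affected ranges the bulletin lists, and a header check that flags a Content-Type value carrying an OGNL expression opener (`%{` or `${`) instead of a plain media type. The HTTP header samples are constructed for this example; function and variable names are the author's own.

```python
"""Defender-side checks for CVE-2017-5638 (Apache Struts S2-045).

Check 1: is a reported Struts version inside an affected range?
Check 2: does a request's Content-Type header contain an OGNL expression
         opener, which a legitimate media type never contains?
All sample inputs below are constructed for this example.
"""
import re

# Affected ranges as stated in the bulletin (inclusive at both ends).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]

# "%{" and "${" open an OGNL expression. Neither "{" nor "}" is a legal
# character in an HTTP media type or parameter token (RFC 7231/7230), so
# seeing one of these sequences in Content-Type is never legitimate.
OGNL_MARKER = re.compile(r"[%$]\{")


def parse_version(text):
    """'2.3.31' -> (2, 3, 31); '2.5' -> (2, 5, 0). Extra components are kept,
    so a constructed '2.5.10.1' sorts after (2, 5, 10) and is out of range."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(text):
    """True when the version falls inside one of the bulletin's ranges."""
    version = parse_version(text)
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def suspicious_content_type(value):
    """True when a Content-Type value contains an OGNL expression opener."""
    return OGNL_MARKER.search(value) is not None


def scan_request_headers(raw_headers):
    """Return the offending Content-Type header lines from a raw HTTP header
    block (one header per line, 'Name: value')."""
    hits = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            if suspicious_content_type(value):
                hits.append(line.strip())
    return hits


# Constructed samples: a normal multipart upload and a request whose
# Content-Type carries an OGNL opener instead of a media type.
SAMPLE_BENIGN = ("POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                 "Content-Type: multipart/form-data; boundary=----demo\r\n")
SAMPLE_SUSPECT = ("POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                  "Content-Type: %{#constructed_marker}\r\n")
```

The header check is a signature in the spirit of the WAF header validation described later in this bulletin; it is a quick triage aid for proxy or IDS logs, not a substitute for patching.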


Alert Logic Coverage

Alert Logic has evaluated its customer base for exposure to the exploit and has developed signatures and configuration steps for mitigating the threat depending on the security service in place.

Web Security Manager

  • For customers using Alert Logic’s inline Web Application Firewall (WAF), Alert Logic has identified affected web applications using learned data. A new header validation signature to detect and block the exploit has been added to the security policy of those applications.

Threat Manager

  • Vulnerability scanning has been updated to identify this Apache vulnerability. To check your environment for this vulnerability, schedule a scan in the Alert Logic user interface (UI).

    Note: For more information about scheduling scans, refer to our Define a Scan documentation.

  • Network-based Intrusion Detection System (IDS) has been updated with the latest signatures. If this signature is detected, an incident is generated in the Alert Logic UI.

    Note: For more information about how Alert Logic defines and correlates incidents, refer to our Incident Handling Policy | Feature Education article.

Cloud Defender

  • Vulnerability scanning has been updated to identify this Apache vulnerability. To check your environment for this vulnerability, schedule a scan in the Alert Logic user interface (UI).

    Note: For more information about scheduling scans, refer to our Define a Scan documentation.

  • Network-based IDS has been updated with the latest signatures. If this signature is detected, an incident is generated in the Alert Logic UI.

    Note: For more information about how Alert Logic defines and correlates incidents, refer to our Incident Handling Policy | Feature Education article.

  • For immediate exploit detection, customers using Alert Logic’s out-of-band (OOB) WAF can reach out by phone or email to Alert Logic to add a header validation signature.

Cloud Insight

  • Vulnerability scanning has been updated to identify this Apache vulnerability.


Apache Recommendations for Mitigation

Apache has made recommendations for the mitigation of this vulnerability. For more information about these recommendations, refer to Apache Security Bulletin S2-045.


Contacting Alert Logic

For questions, contact Alert Logic support using the following contact information.

US: 877.484.8383 (Option 2)

UK: +44 (0) 203 011 5533 (Option 2)

support@alertlogic.com
