Alert Logic® is actively researching a new vulnerability for the Apache Struts Xstream remote code execution (CVE-2017-9805) vulnerability. This critical vulnerability within the Apache Struts RESTful API implementation allows an attacker to craft a request that can lead to full system compromise. This vulnerability can impact users running versions between 2.1.2 – 2.3.x before 2.3.34 and versions of 2.5.x before 2.5.13.
The CVE-2017-9805 vulnerability allows an attacker to embed an OS command within a crafted XML request, which is sent to a listening Apache Struts RESTful API application. Due to a lack of input sanitization, the XML payload is passed to a deserialize function, which will evaluate and execute the crafted, embedded Java process chain to successfully execute the OS commands. While the attacker does not have direct command output response from the target, an attacker can leverage the vulnerability with relative ease to create secondary to a target, such as reverse shell, for further compromise.
Alert Logic Coverage
Both Alert Logic Web Security Manager™ and Alert Logic Web Security Manager Premier™ detect the CVE-2017-9805 vulnerability. If Alert Logic Web Security Manager Premier is in Protect mode, it will also block this vulnerability.
Alert Logic Threat Manager™ has signatures in place to detect this threat, and the Security Operations Center is actively monitoring these signatures to generate incidents for any suspected successful exploit.
Recommendations for Mitigation
Per Apache Struts, the following remediation options are available:
- Upgrade to the latest versions of Apache Struts – 2.3.34 and 2.5.13
- Limit the REST plugin to serve xhtml or JSON responses
- Remove the REST plugin when not used
We will update this section with new information about this Apache Struts vulnerability and related Alert Logic coverage as it becomes available.
09/11/2017: Alert Logic scanning coverage is now available for this vulnerability.