
9/6/17: EMERGING THREAT - CVE-2017-9805 Apache Struts XStream RCE Vulnerability

Overview

Alert Logic® is actively researching a new vulnerability: the Apache Struts XStream remote code execution vulnerability (CVE-2017-9805). This critical vulnerability in the Apache Struts RESTful API implementation allows an attacker to craft a request that can lead to full system compromise. It can impact users running versions 2.1.2 through 2.3.x before 2.3.34, and versions of 2.5.x before 2.5.13.

Vulnerability Description

The CVE-2017-9805 vulnerability allows an attacker to embed an OS command within a crafted XML request, which is sent to a listening Apache Struts RESTful API application. Due to a lack of input sanitization, the XML payload is passed to a deserialization function, which evaluates the crafted, embedded Java process chain and executes the OS commands. While the attacker does not receive direct command output from the target, an attacker can leverage the vulnerability with relative ease to create secondary access to a target, such as a reverse shell, for further compromise.

Alert Logic Coverage

Both Alert Logic Web Security Manager™ and Alert Logic Web Security Manager Premier™ detect the CVE-2017-9805 vulnerability. If Alert Logic Web Security Manager Premier is in Protect mode, it will also block this vulnerability.

Alert Logic Threat Manager™ has signatures in place to detect this threat, and the Security Operations Center is actively monitoring these signatures to generate incidents for any suspected successful exploit.

Recommendations for Mitigation

Per Apache Struts, the following remediation options are available:

  • Upgrade to the latest versions of Apache Struts – 2.3.34 and 2.5.13
  • Limit the REST plugin to serve xhtml or JSON responses
  • Remove the REST plugin when not used
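
An inventory check for the remediation options above, as an added example that is not Alert Logic's or Apache's code: it classifies Struts jars by the affected version ranges stated in this advisory and flags applications that also ship the REST plugin. The jar naming pattern, the file paths and the status labels are assumptions made for the illustration.

```python
import re

# Affected ranges from the advisory: 2.1.2 up to (excluding) 2.3.34, and 2.5.x before 2.5.13.
AFFECTED = [((2, 1, 2), (2, 3, 34)), ((2, 5, 0), (2, 5, 13))]
# Matches release-named jars only, e.g. struts2-core-2.3.32.jar (naming is an assumption).
JAR_RE = re.compile(r"(struts2-(?:core|rest-plugin))-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'2.5' -> (2, 5, 0); '2.5.10.1' -> (2, 5, 10, 1)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def assess(jar_paths):
    """Group jars by directory and return {directory: status}."""
    apps = {}
    for path in jar_paths:
        m = JAR_RE.search(path)
        if m:
            apps.setdefault(path.rsplit("/", 1)[0], {})[m.group(1)] = m.group(2)
    report = {}
    for app, jars in apps.items():
        rest = jars.get("struts2-rest-plugin")
        version = jars.get("struts2-core") or rest
        if not is_affected(version):
            report[app] = "not-affected"   # outside the ranges the advisory lists
        elif rest:
            report[app] = "exposed"        # affected version with the REST plugin deployed
        else:
            report[app] = "upgrade"        # affected version, REST plugin jar not found
    return report

# Constructed sample inventory (hypothetical paths), e.g. from a search for struts2-*.jar.
SAMPLE = [
    "/opt/tomcat/webapps/orders/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/tomcat/webapps/orders/WEB-INF/lib/struts2-rest-plugin-2.3.32.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/commons-lang3-3.4.jar",
    "/opt/tomcat/webapps/billing/WEB-INF/lib/struts2-core-2.5.13.jar",
    "/opt/tomcat/webapps/billing/WEB-INF/lib/struts2-rest-plugin-2.5.13.jar",
]

if __name__ == "__main__":
    for app, status in sorted(assess(SAMPLE).items()):
        print(f"{status:13} {app}")
```

Jars with non-release names (for example a -SNAPSHOT suffix) or repackaged inside other archives are not matched and need a separate review.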

Updates

We will update this section with new information about this Apache Struts vulnerability and related Alert Logic coverage as it becomes available.

09/11/2017: Alert Logic scanning coverage is now available for this vulnerability. 

Contacting Alert Logic

If you have any questions, you can contact Alert Logic using the following information:

US: 877.484.8383 (Option 2)
UK: +44 (0) 203 011 5533 (Option 1)
support@alertlogic.com
