Struts vulnerability patch released by Apache, patch now
UPDATE2: a Metasploit module has been released. Some limited workarounds may be available. Otherwise patch now!
UPDATE: a link to a working exploit has been seen. As of yet no IDS or WAF signatures/rules have been posted. (2017/09/05 20:30h EDT)
Anyone using Struts 2 should immediately upgrade to Struts 2.5.13 due to a remote code execution vulnerability. It has been assigned CVE-2017-9805 and a detailed technical writeup is available here: https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement.
A workaround would be to disable access to the REST API used by Struts, as it does not correctly deserialize objects when invoked.
Every once in a while along comes a vulnerability that should cause you to consider actually updating the platform your application runs on! Now that the patch is available it will not be long before a working exploit is out in the wild.
Cheers,
Adrien de Beaupré, SANS Instructor and Co-author of #SEC642
Intru-shun.ca Inc.
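An inventory check to go with the upgrade advice above, as an added example that is not part of the original diary: it lists struts2-core and struts2-rest-plugin jars under a directory, including those packed inside WAR/EAR archives, and flags versions below 2.5.13. It assumes the usual `artifact-version.jar` file naming and treats 2.5.13 as the only fixed release because that is the one the diary names; the function names are illustrative.

```python
import os
import re
import sys
import zipfile

FIXED = (2, 5, 13)  # fixed release named in the diary; anything lower is flagged
# Assumption: jars keep the usual name, e.g. struts2-rest-plugin-2.5.12.jar
JAR_RE = re.compile(r"(struts2-(?:core|rest-plugin))-(\d+(?:\.\d+)*)\.jar$")


def classify(jar_name, location):
    """Return a finding for a Struts 2 jar name, or None for any other file."""
    m = JAR_RE.search(jar_name)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(2).split("."))
    return {"location": location, "artifact": m.group(1), "version": m.group(2),
            "below_fixed": version < FIXED,
            "rest_plugin": m.group(1) == "struts2-rest-plugin"}


def scan(root):
    """Walk root; check loose jars and jars one level inside .war/.ear files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            candidates = [(name, path)]
            if name.endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    candidates = [(member, path + "!" + member)
                                  for member in archive.namelist()]
            for jar_name, location in candidates:
                hit = classify(jar_name, location)
                if hit:
                    findings.append(hit)
    return findings


def report(findings):
    """One line per finding; an old REST plugin is the case the diary is about."""
    lines = []
    for f in findings:
        status = "ok"
        if f["below_fixed"]:
            status = "UPGRADE (REST plugin present)" if f["rest_plugin"] else "upgrade"
        lines.append(f"{status}: {f['artifact']} {f['version']} at {f['location']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(scan(sys.argv[1] if len(sys.argv) > 1 else "."))))
```

Run it against the application server's deployment directory. Jars that have been renamed or nested more than one archive deep are not detected.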
Comments
Anonymous
Sep 6th 2017
7 years ago
<constant name="struts.action.extension" value="xhtml,,json" />
as per: http://struts.apache.org/docs/rest-plugin.html
and
https://struts.apache.org/docs/s2-052.html
Can anyone validate? I do not have access to a Struts 2 install at the moment.
Can you remove the struts2-rest-plugin.jar file?
Cheers,
Adrien
Anonymous
Sep 6th 2017
7 years ago
Ping me if you want the pcap.
Anonymous
Sep 8th 2017
7 years ago
Thank You