SERVER-APACHE Apache Struts remote code execution attempt

Notice: Monitoring services will be discontinued from March 31st, 2019.

Summary

A critical vulnerability has been discovered in the Apache Struts web application framework for Java web applications. Remote code execution is possible when the Apache Struts REST plugin uses the XStream handler to deserialise XML requests. The REST plugin uses an XStreamHandler with an instance of XStream for deserialisation without any type filtering, which can lead to remote code execution when deserialising XML payloads. All versions of Struts since 2008 are affected; all web applications using the framework's popular REST plugin are vulnerable. Shortly after the patched versions of Struts were released on 5 September, multiple working exploits were observed on various internet sites.

Impact

Attackers can execute arbitrary code remotely by exploiting this vulnerability.

Vulnerable

>> Apache Struts 2.0.1 - 2.3.33
>> Apache Struts 2.5 - 2.5.12
>> All versions of Apache Struts released since 2008


Any security vulnerability can be potentially disastrous, but one that allows remote code execution is especially worrying. This vulnerability is potentially very damaging because of the large number of sites that rely on this framework. Coupled with the complexity of remediation, since code will have to be changed rather than just applying a vendor patch, this has the potential to be worse than the ‘POODLE’ attack was. Finding this highlights the power that static code analysis can bring: if something this severe can sit in such a well-known public library, just imagine what it could find in your code base.

Recommendations

>> Upgrade to Apache Struts 2.5.13 immediately.

No workaround is possible; the best option is to remove the Struts REST plugin when it is not used, or to limit it to serving normal pages and JSON only. Please see Apache Struts Security Advisory S2-052 for details.

Many popular vendor products use Java and the Struts web application framework. If you manage a Java web application, check with your vendor or developer to determine whether the application uses Struts and whether it is vulnerable. Install any vendor application patches that address CVE-2017-9805 immediately.
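The root cause above is an XStream instance that accepts any class name found in the XML. The following is an added example, not code from Struts or from the S2-052 fix, showing the difference between that unfiltered configuration and one that uses XStream's security API (available since XStream 1.4.7) to allow only an expected model type; the OrderRequest class and the sample documents are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {
    // Hypothetical request model that the REST endpoint is meant to accept.
    public static class OrderRequest {
        public String sku;
        public int quantity;
    }

    // No type filtering: any class on the classpath may be named in the XML.
    // This is the configuration the advisory describes as vulnerable.
    static XStream unfiltered() {
        return new XStream();
    }

    // Deny every type first, then allow only nulls, primitives and the expected model.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // clears all permissions
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xs.allowTypes(new Class[] { OrderRequest.class, String.class });
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = allowlisted();
        // Constructed sample request of the shape the endpoint expects.
        String expected = "<order><sku>ABC-123</sku><quantity>2</quantity></order>";
        OrderRequest req = (OrderRequest) xs.fromXML(expected);
        System.out.println("accepted: " + req.sku + " x" + req.quantity);

        // Constructed document naming a class outside the allowlist. It is harmless,
        // but it exercises the same path an attacker-chosen class name would take.
        String unexpected = "<java.util.Date><time>0</time></java.util.Date>";
        try {
            xs.fromXML(unexpected);
            System.out.println("BUG: unlisted type was deserialised");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // unfiltered().fromXML(unexpected) would return a java.util.Date instead.
    }
}
```

The allowlist is the check the patched plugin adds in spirit: if your application embeds XStream itself, apply the same deny-by-default configuration rather than relying on the framework alone.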
