
What happened?

A serious vulnerability was discovered in Apache Struts 2, affecting Apache Struts versions 2.3.5–2.3.31 and 2.5–2.5.10.

The vulnerability (CVE-2017-5638), first reported by the security researcher Nike Zheng, is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts.

Details of the vulnerability

Source: https://cwiki.apache.org/confluence/display/WW/S2-045

It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid, an exception is thrown, and that exception is then used to display an error message to the user.

Exploits have already been disclosed, and payloads have varied: they now include IRC bouncers, DoS bots, and various other botnets.

DenyAll Statement

Our products are not impacted as we do not use Apache Struts 2.

DenyAll WAF and i-Suite products

  • Our ICX default policy blocks the majority of the payloads used on the Content-Type header (as a Buffer Overflow), but you can also strengthen your policy by including the Command Injection pattern on the headers, especially on the Content-Type header.

ICX Engine mitigation is available in the following backup: Apache Struts2 - ICX mitigation.backup

You will find a custom negative rule checking Command Injection on the Content-Type header, and another checking for the '%{(' or '%{#' syntax used to exploit the vulnerability.

  • Another solution is a whitelist on the Content-Type header, using, for example, the following rules:
^application\/(?:javascript|json|x\-www\-form\-urlencoded|xml|zip|pdf|octet\-stream)

^multipart\/(?:form\-data|mixed|alternative)

^text\/(?:css|html|plain)

^image\/(?:png|jpeg|gif|tiff)
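The following is an added example, not DenyAll's code and not part of the ICX backup above. It combines the two mitigations described on this page into one check a WAF rule or a reverse-proxy filter could apply to the Content-Type header: the four whitelist rules exactly as given above, plus the negative rule for the '%{(' / '%{#' syntax. The header length limit and the sample header values are assumptions constructed for the example.

```python
import re

# Allow-list of Content-Type values, copied from the four rules on this page.
# They are anchored at the start only, so parameters such as
# "multipart/form-data; boundary=..." still match.
ALLOWED_CONTENT_TYPES = [
    re.compile(r"^application/(?:javascript|json|x-www-form-urlencoded|xml|zip|pdf|octet-stream)"),
    re.compile(r"^multipart/(?:form-data|mixed|alternative)"),
    re.compile(r"^text/(?:css|html|plain)"),
    re.compile(r"^image/(?:png|jpeg|gif|tiff)"),
]

# Negative rule: the '%{(' or '%{#' expression opener the page says the
# exploits rely on, anywhere in the header value.
EXPRESSION_OPENER = re.compile(r"%\{[(#]")

# Assumed header size threshold (not from the page); stands in for the
# "header size checking" / buffer overflow rule mentioned above.
MAX_CONTENT_TYPE_LEN = 256


def check_content_type(value):
    """Return (verdict, reason) for one Content-Type header value.

    verdict is 'allow' or 'block'. Checks run cheapest-first: size,
    then the negative expression rule, then the allow-list.
    """
    if value is None:
        # No Content-Type at all: nothing for the multipart parser to evaluate.
        return ("allow", "no Content-Type header")
    if len(value) > MAX_CONTENT_TYPE_LEN:
        return ("block", "Content-Type exceeds size limit")
    if EXPRESSION_OPENER.search(value):
        return ("block", "expression syntax '%{(' or '%{#' in Content-Type")
    # Media types are case-insensitive, so normalise before the allow-list.
    if not any(rule.match(value.lower()) for rule in ALLOWED_CONTENT_TYPES):
        return ("block", "Content-Type not in allow-list")
    return ("allow", "Content-Type matches allow-list")


# Constructed sample header values (not captured traffic).
SAMPLE_HEADERS = {
    "form upload": "multipart/form-data; boundary=----ConstructedBoundary1234",
    "json api": "application/json; charset=utf-8",
    "mixed case": "Text/HTML",
    "unlisted type": "application/x-custom-binary",
    "expression opener": "%{(#constructed_sample_only)}",
    "oversized": "application/json; x=" + "A" * 300,
}


def run_samples():
    """Evaluate every constructed sample and return {name: (verdict, reason)}."""
    return {name: check_content_type(value) for name, value in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:18} -> {verdict:5} ({reason})")
```

The allow-list rules are reproduced as written, so they only anchor the start of the value; if your engine supports it, appending `(?:;|$)` to each rule (for example `^text/(?:css|html|plain)(?:;|$)`) also rejects values such as `text/htmlx`. Running the negative rule before the allow-list means a blocked request is logged with the more specific reason, which is the signal a SOC wants to alert on during a campaign like this one.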

rWeb product

  • By default, if still enabled, the payload will be blocked by the header size checking, but we recommend enabling the Scoringlist Engine on headers (option ‘Use current Scoringlist to protect the request headers’) to mitigate the payload even if its size varies.
  • For additional protection, you can also activate the advanced engine ‘Scripting language injection protection code’ with the option ‘Protect request headers’.

DenyAll recommends updating your Apache Struts 2 as soon as possible, as this vulnerability has been fixed in Apache Struts 2.3.32 and 2.5.10.1.
