
What's new?

A remote command execution (RCE) vulnerability has been discovered in Apache Struts 2, affecting versions 2.1.2 to 2.3.33 and 2.5 to 2.5.12.

Details of the vulnerability

Apache Struts 2 with its REST Plugin is subject to an RCE attack through an XML payload: the REST Plugin does not perform any type filtering when it deserializes an XML payload through XStreamHandler (an XStream instance).

A remote attacker could embed malicious commands in the XML payload and send it to the remote application, which can lead to those commands being executed on the remote application.


DenyAll Statement

DenyAll Products are not impacted as we do not use Apache Struts 2.

DenyAll WAF and i-Suite products

All workflows using the Web Services Firewall (WSF) will block the command injection payloads contained in the XML, as used by the Struts exploits. The DenyAll WAF Web Services Default workflow can be taken as an example. An XML Parsing node placed before the ICX Engine is needed to detect injections efficiently and to avoid false positives on the XML structure.

Here is a sample of the WSF Workflow:

The XML Parsing node and the other XML nodes require the WSF license. For more details about the XML Parsing node, see the documentation page.

If you do not have the WSF license, please contact the DenyAll Support Team to mitigate exploitation of this vulnerability.
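As an added illustration of why the XML must be parsed before the injection engine runs (this is example code written for this page, not DenyAll product logic or DenyAll signatures), the following Python script applies a constructed command-injection signature to two constructed request bodies, first over the raw body and then over the parsed element and attribute values only. The signatures, the sample XML and all helper names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed signatures (an assumption for this example, not DenyAll rules):
#  0. a shell metacharacter sequence followed by a command interpreter or a path under /bin
#  1. an output redirection into a well-known system directory
INJECTION_SIGNATURES = [
    re.compile(r"(?:;|\|\||&&|\$\(|`)\s*(?:/bin/|/usr/bin/|sh\b|bash\b|cmd(?:\.exe)?\b|powershell\b)", re.I),
    re.compile(r">\s*/(?:tmp|dev|etc|var)/", re.I),
]

# Constructed request bodies: a benign order and one carrying a command injection attempt.
BENIGN_XML = (
    '<order><item sku="A-100">Widget</item>'
    "<outputDir>/var/data/export</outputDir></order>"
)
SUSPICIOUS_XML = (
    '<order><item sku="A-100">Widget</item>'
    "<note>; /bin/sh -c id</note></order>"
)


def matching_signatures(text):
    """Return the index of every signature that fires on the given text."""
    return [i for i, sig in enumerate(INJECTION_SIGNATURES) if sig.search(text)]


def scan_raw(body):
    """Naive engine placement: signatures run over the raw body, so the '>' closing a
    tag and the '/' starting a path value are seen as one string (false positive)."""
    return matching_signatures(body)


def iter_values(root):
    """Yield (location, value) for every text node and attribute in the document."""
    for element in root.iter():
        if element.text and element.text.strip():
            yield element.tag, element.text.strip()
        for name, value in element.attrib.items():
            yield f"{element.tag}@{name}", value
        if element.tail and element.tail.strip():
            yield f"{element.tag}/tail", element.tail.strip()


def scan_parsed(body):
    """Parse first, then run the signatures on values only. Returns ('block', reasons)
    or ('allow', []). Malformed XML is blocked because it cannot be inspected."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "block", [("<document>", f"malformed XML: {exc}")]
    reasons = []
    for location, value in iter_values(root):
        for index in matching_signatures(value):
            reasons.append((location, f"signature {index}"))
    return ("block", reasons) if reasons else ("allow", [])


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_XML), ("suspicious", SUSPICIOUS_XML)):
        print(f"{label:10s} raw-scan hits: {scan_raw(body)}  parsed-scan: {scan_parsed(body)}")
```

Run over the two bodies, the raw scan flags the benign order (the redirection signature fires on `>/var/data`, which is only a closing tag followed by a path value) while the parsed scan allows it and blocks only the body whose `note` value carries the injection. The parse step also rejects malformed XML outright. The standard library parser used here has no protection against entity expansion; an inspection engine in front of a real application would use a hardened parser such as `defusedxml` for that step.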

rWeb product

By default, the Blacklist, Scoringlist and Command injection engines will block the XML payload, but they will not block all injection cases because of the XML structure. We recommend adding a Blacklist custom rule to correctly mitigate any injection attempt:

Pattern for custom rule

Upgrade Apache Struts 2

DenyAll also recommends upgrading Apache Struts 2 as soon as possible, as this vulnerability has been fixed in Apache Struts 2.5.13 and 2.3.34.

If upgrading is not an option, Apache Struts proposes a workaround in its security bulletin:

For any further details, please contact the DenyAll Support Team.
