A remote command execute (RCE) has been discovered in Apache Struts 2, affecting versions 2.1.2 to 2.3.33 and 2.5 to 2.5.12.
Details of the vulnerability
Apache Struts and his REST Plugin is subject to a RCE attack through a XML payload. Indeed the REST Plugin does not perform any type filtering after the deserialization of a XStream instance using XStreamHandler.
A remote attacker could introduce malicious commands inside the XML payload then send the XML to the remote application. This can lead to the execution of malicious commands on the remote application.
DenyAll Products are not impacted as we do not use Apache Struts 2.
DenyAll WAF and i-Suite products
All workflows using the Web Services Firewall (WSF) will block any command injection payloads contained in the XML as the Struts exploits do. The DenyAll WAF Web Services Default can be taken as example. A XML Parsing before the ICX Engine is needed to detect efficiently injections and avoid false positives on the XML structure.
Here is a sample of the WSF Workflow:
The usage of the XML Parsing node and other XML nodes require the WSF licensing. For more details about the XML Parsing node, we invite you to see the documentation page.
If you do not have the WSF license, we invite you to contact the DenyAll Support Team to mitigate the vulnerability exploit.
By default the Blacklist, Scoringlist and Command injection engine will block the XML payload but they will not block all injection cases due to the XML structure. We recommend to add a Blacklist custom rule to correctly mitigate any injection attempt: