
SANS ISC: Apache Struts Zero Day and Mitigation SANS ISC InfoSec Forums

Apache Struts Zero Day and Mitigation

Thanks to Gebhard for letting us know about a new vulnerability in Apache Struts.

If you recall the classloader vulnerability of a few months ago, the fix for it seems to be case- and punctuation-sensitive (using [] instead of "." was not accounted for).

In any case, they have posted a mitigation how-to here: http://struts.apache.org/announce.html#a20140424

This affects all versions up to 2.3.16.1.

Find more information on this here:
http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/
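
The gap described above (a parameter filter that only recognises lower-case dot notation) can be checked for in your own filtering or WAF rules. The following is an added example, not code from this diary or from Struts: the patterns, function names and sample parameter names are constructed for illustration and are not the actual Struts exclusion values.

```python
import re

# Illustrative deny pattern with the weakness the diary describes: it only
# recognises lower-case dot notation. Constructed here, not Struts' own pattern.
NAIVE_DENY = re.compile(r"^class\..*")

# Property names that request parameters must never reach (assumption: just "class").
BLOCKED_SEGMENTS = {"class"}

# One path segment in either notation: foo / .foo / ['foo'] / ["foo"] / [0]
_SEGMENT = re.compile(r"""
    \.?([A-Za-z_$][\w$]*)
  | \[\s*'([^']*)'\s*\]
  | \[\s*"([^"]*)"\s*\]
  | \[\s*([^\]'"]*?)\s*\]
""", re.VERBOSE)

def segments(param_name):
    """Split a parameter name into property segments; None if unparseable."""
    out, pos = [], 0
    while pos < len(param_name):
        m = _SEGMENT.match(param_name, pos)
        if m is None:
            return None
        out.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return out

def naive_blocks(param_name):
    return bool(NAIVE_DENY.match(param_name))

def normalized_blocks(param_name):
    """Compare segments case-insensitively; fail closed on unparseable names."""
    segs = segments(param_name)
    return segs is None or any(s.strip().lower() in BLOCKED_SEGMENTS for s in segs)

def missed_by_naive(names):
    """Names the naive pattern lets through but the normalized check rejects."""
    return [n for n in names if normalized_blocks(n) and not naive_blocks(n)]

# Constructed parameter names (the trailing ".example" property is a placeholder).
SAMPLE = ["user.name", "items[0].price", "user.classroom",
    "class.classLoader.example", "class['classLoader'].example",
    "Class.classLoader.example", 'top["class"].example']

if __name__ == "__main__":
    for name in missed_by_naive(SAMPLE):
        print("naive filter misses:", name)
```

Normalizing the name into segments before comparing means the check does not depend on which notation or letter case the request used, and ordinary names such as `user.classroom` still pass.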

================
Rob VandenBrink
Metafore
