Struts vulnerability patch released by apache, patch now

Struts vulnerability patch released by apache, patch now
UPDATE2: a Metasploit module has been released. Some limited workarounds may be available. Otherwise patch now! UPDATE: a link to a working exploit has been seen. As of yet no IDS or WAF signatures/rules have been posted. (2017/09/05 20:30h EDT) Anyone using Struts 2 should immediately upgrade to Struts 2.5.13 due to a remote code execution vulnerability. It has been assigned CVE-2017-9805 and a detailed technical writeup is available here: https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement. A work around would be to disable access to the REST API used by Struts as it does not correctly deserialize objects when invoked. Every once in a while along comes a vulnerability that should cause you to consider actually updating the platform your application runs on! Now that the patch is available it will not be long before a working exploit is out in the wild. Cheers, Adrien de Beaupré, SANS Instructor and Co-author of #SEC642 Intru-shun.ca Inc. I will be teaching next: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques - SANS Cyber Defence Asia Pacific 2021	Adrien de Beaupre 353 Posts ISC Handler Sep 6th 2017
Thread locked Subscribe	Sep 6th 2017 3 years ago
Johannes mentioned disabling REST to mitigate exploitation. Has anyone confirmed this is effective with the public exploit code available? I'm not an Apache Struts admin but quick searches did not identify how to disable this. Any help with a link or steps on disabling would be greatly appreciated.	Anonymous
Quote	Sep 6th 2017 3 years ago
I believe that you can modify the configuration to restrict REST by setting the struts-plugin.xml value: <constant name="struts.action.extension" value="xhtml,,json" /> as per: struts.apache.org/docs/… and struts.apache.org/docs/… Can anyone validate, I do not have access to a Struts 2 install at the moment. Can you remove the struts2-rest-plugin.jar file? Cheers, Adrien	Adrien de Beaupre 353 Posts ISC Handler
Quote	Sep 6th 2017 3 years ago
I saw an attempt on my website, posted details here: blog.nviso.be/2017/09/07/active-exploitation-of-struts-vulnerability-s2-052-cve-2017-9805/ Ping me if you want the pcap.	DidierStevens 553 Posts ISC Handler
Quote	Sep 7th 2017 3 years ago
Yes please -> handlers@isc.sans.edu	Adrien de Beaupre 353 Posts ISC Handler
Quote	Sep 8th 2017 3 years ago
I would like to see the pcap file please kwestin@gmail.com Thank You	Anonymous
Quote	Sep 13th 2017 3 years ago