UPDATE2: a Metasploit module has been released. Some limited workarounds may be available. Otherwise patch now!

UPDATE: a link to a working exploit has been seen. As of yet no IDS or WAF signatures/rules have been posted. (2017/09/05 20:30h EDT)

Anyone using Struts 2 should immediately upgrade to Struts 2.5.13 due to a remote code execution vulnerability. It has been assigned CVE-2017-9805 and a detailed technical writeup is available here: https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement. A workaround would be to disable access to the REST API used by Struts, as it does not correctly deserialize objects when invoked.

Every once in a while along comes a vulnerability that should cause you to consider actually updating the platform your application runs on! Now that the patch is available it will not be long before a working exploit is out in the wild.

Cheers,

Adrien de Beaupre, ISC Handler, Sep 6th 2017
Johannes mentioned disabling REST to mitigate exploitation. Has anyone confirmed this is effective with the public exploit code available? I'm not an Apache Struts admin but quick searches did not identify how to disable this. Any help with a link or steps on disabling would be greatly appreciated.
Anonymous, Sep 6th 2017
I believe that you can modify the configuration to restrict REST by setting the struts-plugin.xml value:

<constant name="struts.action.extension" value="xhtml,,json" />

as per: struts.apache.org/docs/… and struts.apache.org/docs/…

Can anyone validate? I do not have access to a Struts 2 install at the moment. Can you remove the struts2-rest-plugin.jar file?

Cheers, Adrien
Adrien de Beaupre, ISC Handler, Sep 6th 2017
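To turn the two stopgaps discussed above (checking the shipped REST plugin version and dropping `xml` from `struts.action.extension`) into a repeatable check, here is an added audit script that is not part of the diary or of Struts itself. It assumes the Maven jar naming convention `struts2-rest-plugin-<version>.jar`, takes 2.5.13 from the diary as the first fixed release, and runs on constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 5, 13)  # first fixed release named in the diary
# Assumption: jars follow the Maven name struts2-rest-plugin-<major>.<minor>.<patch>.jar
JAR_RE = re.compile(r"struts2-rest-plugin-(\d+)\.(\d+)\.(\d+)\.jar$")


def vulnerable_rest_jars(jar_names):
    """Return the REST-plugin jar names whose version is below 2.5.13."""
    found = []
    for name in jar_names:
        m = JAR_RE.search(name)
        if m and tuple(int(x) for x in m.groups()) < FIXED_VERSION:
            found.append(name)
    return found


def xml_extension_enabled(struts_xml):
    """True if a struts.action.extension constant in this config still lists
    'xml', so the REST plugin will keep handing XML request bodies to its
    deserializer. Returns None when the config never sets the constant (the
    plugin's own default then applies, which this check cannot see)."""
    root = ET.fromstring(struts_xml)
    values = [c.get("value", "") for c in root.iter("constant")
              if c.get("name") == "struts.action.extension"]
    if not values:
        return None
    exts = {e.strip().lower() for e in values[-1].split(",")}  # last one wins
    return "xml" in exts


def audit(jar_names, struts_xml):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"unpatched REST plugin: {jar} (upgrade to 2.5.13)"
                for jar in vulnerable_rest_jars(jar_names)]
    if xml_extension_enabled(struts_xml):
        findings.append("struts.action.extension still accepts 'xml'; "
                        "remove it as a stopgap until patched")
    return findings


# Constructed sample input (not taken from any real deployment)
SAMPLE_JARS = ["struts2-core-2.5.10.jar", "struts2-rest-plugin-2.5.10.jar"]
WEAK_CONFIG = """<struts>
  <constant name="struts.action.extension" value="xhtml,,xml,json"/>
</struts>"""
HARDENED_CONFIG = """<struts>
  <constant name="struts.action.extension" value="xhtml,,json"/>
</struts>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_JARS, WEAK_CONFIG):
        print(finding)
```

A deployment that removed struts2-rest-plugin.jar entirely yields no jar finding, which matches the second option raised in the comment.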
I saw an attempt on my website, posted details here: blog.nviso.be/2017/09/07/active-exploitation-of-struts-vulnerability-s2-052-cve-2017-9805/

Ping me if you want the pcap.
DidierStevens, ISC Handler, Sep 7th 2017
Yes please -> handlers@isc.sans.edu

Adrien de Beaupre, ISC Handler, Sep 8th 2017
I would like to see the pcap file please: kwestin@gmail.com

Thank you

Anonymous, Sep 13th 2017