Struts vulnerability patch released by Apache, patch now

Published: 2017-09-05
Last Updated: 2017-09-06 16:09:59 UTC
by Adrien de Beaupre (Version: 1)
5 comment(s)

UPDATE2: a Metasploit module has been released. Some limited workarounds may be available. Otherwise patch now!

UPDATE: a link to a working exploit has been seen. As of yet no IDS or WAF signatures/rules have been posted. (2017/09/05 20:30h EDT)

Anyone using Struts 2 should immediately upgrade to Struts 2.5.13 due to a remote code execution vulnerability. It has been assigned CVE-2017-9805 and a detailed technical writeup is available here: https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement.

A workaround is to disable access to the REST plugin used by Struts, since it does not safely deserialize objects when invoked.
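As an added example (not code from this diary, from Apache, or from the Struts project), a small Python check a defender could run against a deployed application's WEB-INF/lib and struts.xml: it flags an installed REST plugin older than 2.5.13 unless the struts.action.extension workaround quoted in the comments below has been applied. The jar naming pattern, the constructed sample deployment, and the assumption about the plugin's default extension list are mine, not from the page.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

FIXED = (2, 5, 13)  # fixed version on the 2.5 branch, as stated in the diary
# Maven-style jar names in WEB-INF/lib: "<artifact>-<version>.jar"
JAR_RE = re.compile(r"^(struts2-(?:core|rest-plugin))-(\d+(?:\.\d+)*)\.jar$")

def struts_jars(lib_dir):
    """Map Struts artifact name -> version tuple for the jars found in lib_dir."""
    found = {}
    for p in Path(lib_dir).glob("*.jar"):
        m = JAR_RE.match(p.name)
        if m:
            found[m.group(1)] = tuple(int(x) for x in m.group(2).split("."))
    return found

def action_extensions(struts_xml):
    """Value of <constant name="struts.action.extension"/> as a list, or None if unset."""
    for c in ET.fromstring(struts_xml).iter("constant"):
        if c.get("name") == "struts.action.extension":
            return c.get("value", "").split(",")
    return None

def assess(lib_dir, struts_xml):
    jars = struts_jars(lib_dir)
    if "struts2-rest-plugin" not in jars:
        return "not-exposed"   # the vulnerable REST code path is not deployed
    ver = jars["struts2-rest-plugin"]
    if ver[:2] != (2, 5):
        return "review"        # other branches: check the Apache advisory
    if ver >= FIXED:
        return "patched"
    exts = action_extensions(struts_xml)
    # Assumption: with the plugin installed the default extension list includes
    # "xml", so an unset constant is treated as exposed.
    if exts is None or "xml" in exts:
        return "vulnerable"
    return "mitigated"         # workaround from the comments applied; still upgrade

def demo():
    """Constructed sample: Struts 2.5.12 with the REST plugin jar, two configs."""
    with tempfile.TemporaryDirectory() as lib:
        for name in ("struts2-core-2.5.12.jar", "struts2-rest-plugin-2.5.12.jar"):
            Path(lib, name).touch()
        default_cfg = '<struts><constant name="struts.devMode" value="false"/></struts>'
        workaround_cfg = ('<struts><constant name="struts.action.extension" '
                          'value="xhtml,,json"/></struts>')
        return assess(lib, default_cfg), assess(lib, workaround_cfg)
```

Run `demo()` to see the two verdicts for the constructed deployment; point `assess()` at a real WEB-INF/lib path and the contents of its struts.xml to check your own application.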

Every once in a while a vulnerability comes along that should make you consider actually updating the platform your application runs on! Now that the patch is available, it will not be long before a working exploit is out in the wild.

Cheers,
Adrien de Beaupré, SANS Instructor and Co-author of #SEC642
Intru-shun.ca Inc.


Comments

Johannes mentioned disabling REST to mitigate exploitation. Has anyone confirmed this is effective with the public exploit code available? I'm not an Apache Struts admin but quick searches did not identify how to disable this. Any help with a link or steps on disabling would be greatly appreciated.

I believe that you can modify the configuration to restrict REST by setting the struts-plugin.xml value:
<constant name="struts.action.extension" value="xhtml,,json" />
as per: http://struts.apache.org/docs/rest-plugin.html
and
https://struts.apache.org/docs/s2-052.html

Can anyone validate? I do not have access to a Struts 2 install at the moment.
Can you remove the struts2-rest-plugin.jar file?

Cheers,
Adrien

I saw an attempt on my website, posted details here: https://blog.nviso.be/2017/09/07/active-exploitation-of-struts-vulnerability-s2-052-cve-2017-9805/

Ping me if you want the pcap.

Yes please -> handlers@isc.sans.edu

I would like to see the pcap file please: kwestin@gmail.com

Thank You
