Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: InfoSec Handlers Diary Blog - Struts vulnerability patch released by apache, patch now InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Struts vulnerability patch released by apache, patch now

Published: 2017-09-05
Last Updated: 2017-09-06 16:09:59 UTC
by Adrien de Beaupre (Version: 1)
5 comment(s)

UPDATE2: a Metasploit module has been released. Some limited workarounds may be available. Otherwise patch now!

UPDATE: a link to a working exploit has been seen. As of yet no IDS or WAF signatures/rules have been posted. (2017/09/05 20:30h EDT)

Anyone using Struts 2 should immediately upgrade to Struts 2.5.13 due to a  remote code execution vulnerability. It has been assigned CVE-2017-9805 and a detailed technical writeup is available here: https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement.

A work around would be to disable access to the REST API used by Struts as it does not correctly deserialize objects when invoked. 

Every once in a while along comes a vulnerability that should cause you to consider actually updating the platform your application runs on! Now that the patch is available it will not be long before a working exploit is out in the wild. 

Cheers,
Adrien de Beaupré, SANS Instructor and Co-author of #SEC642
Intru-shun.ca Inc.

5 comment(s)
Diary Archives