More Variations of Apache Struts 2 Vulnerability CVE-2017-5638 Found


Two weeks after the Apache Foundation announced a previously unknown vulnerability in the Struts 2 web application framework, two new variations of the same vulnerability have been reported. Learn how Waratek's solution is continuing to provide protection.


Two weeks after the Apache Foundation announced a previously unknown vulnerability in the Struts 2 web application framework, two new variations of the same vulnerability have been reported. However, Waratek customers who have applied the Virtual Patch for CVE-2017-5638 are already protected against the newly discovered variations as well as any possible other variation that might be discovered. Read on and make sure to check out the video at the end to see exactly how the Waratek solution works.

Background

According to the latest Struts 2 Security Bulletin (S2-046), it is possible to perform a Remote Command Execution (RCE) attack with a malicious Content-Disposition value or with an improper Content-Length header. If the Content-Disposition or Content-Length value is not valid, an exception is thrown, and the exception message is then displayed to the user as an error message. This is a different attack vector for the same vulnerability described in S2-045 (CVE-2017-5638).

Action Required

Waratek customers are protected against Code Injection and RCE attacks by the Waratek Application Security Platform’s standard protections such as Process Forking, Reflection Abuse, and the Name Space Layout Randomization (NSLR) feature. Waratek has also published a Virtual Patch for CVE-2017-5638 that is the functional equivalent of the physical patch offered by Apache and can be deployed safely on any version of Struts 2 without a restart and with no source code or binary changes required.

The Waratek Virtual Patch, combined with Waratek’s Remote Command Execution mitigation, Reflection Abuse mitigation, and NSLR features, provides both active and reactive protection against the problem and removes the urgency to upgrade for users who have customized the Struts 2 code used in their web applications.

Companies that have not applied the Waratek Virtual Patch should review any temporary workarounds or security solutions that depend on pattern matching, heuristics, servlet filters, and WAF-type protection. Security solutions that base detection on filtering the Content-Type header or looking for unusual Content-Type values will fail to mitigate the new exploits.
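To make the point of the Background section and the paragraph above concrete, here is an added example (not Waratek's or Apache's code) that runs a Content-Type-only header filter and a filter extended to the headers S2-046 implicates over constructed sample requests. It assumes request headers and multipart part headers have been merged into one mapping, uses a hypothetical upload ceiling, and uses the harmless marker %{1+1} in place of any real payload.

```python
import re
from typing import Dict, List

# Expression delimiters that have no business in these headers; both the
# S2-045 and S2-046 vectors rely on an expression reaching an error message.
OGNL_MARKER = re.compile(r"[%$]\{")

# Headers the bulletins implicate: Content-Type was the S2-045 vector,
# Content-Disposition (a multipart part header) is the S2-046 vector.
INSPECTED_HEADERS = ("content-type", "content-disposition")

# Hypothetical site-specific upload ceiling in bytes (assumed value).
MAX_CONTENT_LENGTH = 50 * 1024 * 1024


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def content_type_only_check(headers: Dict[str, str]) -> List[str]:
    """Filter written for S2-045: inspects only the Content-Type header."""
    h = _normalize(headers)
    return ["content-type"] if OGNL_MARKER.search(h.get("content-type", "")) else []


def multi_header_check(headers: Dict[str, str]) -> List[str]:
    """Filter updated for S2-046: every implicated header, plus a Content-Length sanity check."""
    h = _normalize(headers)
    findings = [n for n in INSPECTED_HEADERS if OGNL_MARKER.search(h.get(n, ""))]
    length = h.get("content-length")
    # A non-numeric or absurdly large Content-Length is the "improper" case.
    if length is not None and (not length.isdigit() or int(length) > MAX_CONTENT_LENGTH):
        findings.append("content-length")
    return findings


def _sample(ctype: str, filename: str, length: str) -> Dict[str, str]:
    """Build one constructed request: request headers merged with the part's headers."""
    return {"Content-Type": ctype,
            "Content-Disposition": f'form-data; name="f"; filename="{filename}"',
            "Content-Length": length}


# Constructed samples: one benign upload and one per vector named in the bulletins.
SAMPLES = {
    "benign": _sample("multipart/form-data; boundary=----b", "report.pdf", "4096"),
    "content-type": _sample("multipart/form-data; %{1+1}", "report.pdf", "4096"),
    "content-disposition": _sample("multipart/form-data; boundary=----b", "%{1+1}", "4096"),
    "content-length": _sample("multipart/form-data; boundary=----b", "%{1+1}", "9999999999999"),
}


def compare_filters() -> Dict[str, tuple]:
    """Return (Content-Type-only findings, multi-header findings) for each sample."""
    return {k: (content_type_only_check(v), multi_header_check(v)) for k, v in SAMPLES.items()}
```

The Content-Type-only filter flags just the original vector and passes both S2-046 samples, which is the gap the paragraph above describes.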

Contact us for more information about the Struts 2 live Virtual Patch.

See How Waratek Mitigates the Apache Struts 2 Vulnerability CVE-2017-5638


