More Variations of Apache Struts 2 Vulnerability CVE-2017-5638 Found
Two weeks after the Apache Foundation announced a previously unknown vulnerability in the Struts 2 web application framework, two new variations of the same vulnerability have been reported. Learn how Waratek's solution is continuing to provide protection.
Two weeks after the Apache Foundation announced a previously unknown vulnerability in the Struts 2 web application framework, two new variations of the same vulnerability have been reported. However, Waratek customers who have applied the Virtual Patch for CVE-2017-5638 are already protected against the newly discovered variations as well as any possible other variation that might be discovered. Read on and make sure to check out the video at the end to see exactly how the Waratek solution works.
According to the latest Struts 2 Security Bulletin (S2-046), it is possible to perform a Remote Command Execution (RCE) attack with a malicious Content-Disposition value or with an improper Content-Length header. If the Content-Disposition or Content-Length value is not valid, an exception is thrown, and that exception is then used to display an error message to the user. This is a different attack vector for the same vulnerability described in S2-045 (CVE-2017-5638).
Waratek customers are protected against Code Injection and RCE attacks by the Waratek Application Security Platform's standard protections, such as Process Forking, Reflection Abuse, and the Name Space Layout Randomization (NSLR) feature. Waratek has also published a Virtual Patch for CVE-2017-5638 that is the functional equivalent of the physical patch offered by Apache and can be deployed safely on any version of Struts 2 without a restart and without any source-code or binary changes.
The Waratek Virtual Patch, combined with Waratek's Remote Command Execution mitigation, Reflection Abuse mitigation, and NSLR features, provides both active and reactive protection against the problem and removes the urgency to upgrade for users who have customized the Struts 2 code used in their web applications.
Companies that have not applied the Waratek Virtual Patch should review any temporary workarounds or security solutions that depend on pattern matching, heuristics, servlet filters, and WAF-type protection. Security solutions that base detection on filtering the Content-Type header or looking for unusual Content-Type values will fail to mitigate the new exploits.
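The following is an added example, not code from the original post or from Waratek, illustrating the two points above: the S2-046 variants arrive through the Content-Disposition and Content-Length headers rather than Content-Type, so a workaround that inspects only Content-Type lets them through. The script contrasts such a Content-Type-only filter with a strict allow-list check of all three headers on requests bound for a multipart upload endpoint, rejecting any value outside a conservative grammar before a parser can throw on it. The sample requests, the endpoint path and the header values are constructed for illustration.

```python
import re

CRLF = "\r\n"

# Strict allow-lists for the three headers the multipart handling consumes.
# Values outside these grammars are rejected before any parser can throw on
# them and echo the offending value back in an error message.
CONTENT_TYPE_RE = re.compile(
    r"multipart/form-data;\s*boundary=[0-9A-Za-z'()+_,\-./:=?]{1,70}"
)
CONTENT_LENGTH_RE = re.compile(r"[0-9]{1,10}")
CONTENT_DISPOSITION_RE = re.compile(
    r'form-data;\s*name="[0-9A-Za-z._\-]{1,64}"'
    r'(?:;\s*filename="[0-9A-Za-z._ \-]{0,255}")?'
)


def header_lines(block):
    """Yield (lower-cased name, value) for each 'Name: value' line in block."""
    for line in block.split(CRLF):
        name, sep, value = line.partition(":")
        if sep and re.fullmatch(r"[A-Za-z][A-Za-z0-9\-]*", name):
            yield name.lower(), value.strip()


def content_type_only_filter(raw_request):
    """A filter that looks only at the top-level Content-Type (the approach the
    post calls insufficient). Returns True when the request is let through."""
    head, _, _ = raw_request.partition(CRLF + CRLF)
    top = dict(header_lines(head))
    return CONTENT_TYPE_RE.fullmatch(top.get("content-type", "")) is not None


def check_request(raw_request):
    """Validate a request bound for a multipart upload endpoint.
    Returns a list of (header, value) findings; an empty list means it passes."""
    head, _, body = raw_request.partition(CRLF + CRLF)
    top = dict(header_lines(head))
    findings = []
    for name, rule in (("content-type", CONTENT_TYPE_RE),
                       ("content-length", CONTENT_LENGTH_RE)):
        value = top.get(name, "")  # a missing header fails the rule too
        if rule.fullmatch(value) is None:
            findings.append((name, value))
    # Part headers live in the body. Every Content-Disposition is checked,
    # whether or not the top-level Content-Type looked sane.
    for name, value in header_lines(body):
        if name == "content-disposition" and CONTENT_DISPOSITION_RE.fullmatch(value) is None:
            findings.append((name, value))
    return findings


def _request(content_type, content_length, disposition):
    """Build a constructed sample request (illustrative, not captured traffic)."""
    return CRLF.join([
        "POST /upload.action HTTP/1.1",   # hypothetical endpoint
        "Host: app.example",
        "Content-Type: " + content_type,
        "Content-Length: " + content_length,
        "",
        "--boundary42",
        "Content-Disposition: " + disposition,
        "Content-Type: application/octet-stream",
        "",
        "file contents",
        "--boundary42--",
        "",
    ])


# Constructed samples: a benign upload, one with a Content-Disposition outside the
# allowed grammar (valid Content-Type), and one with a non-numeric Content-Length.
BENIGN = _request("multipart/form-data; boundary=boundary42", "180",
                  'form-data; name="file"; filename="report.pdf"')
BAD_DISPOSITION = _request("multipart/form-data; boundary=boundary42", "180",
                           'form-data; name="file"; filename="rep{ort}.pdf"')
BAD_LENGTH = _request("multipart/form-data; boundary=boundary42", "0x1A",
                      'form-data; name="file"; filename="report.pdf"')

if __name__ == "__main__":
    for label, req in (("benign", BENIGN),
                       ("bad disposition", BAD_DISPOSITION),
                       ("bad length", BAD_LENGTH)):
        print(label, "| content-type-only filter passes:",
              content_type_only_filter(req), "| findings:", check_request(req))
```

Running it shows the Content-Type-only filter passing the request with the out-of-grammar Content-Disposition, while `check_request` reports it along with the non-numeric Content-Length case. The allow-lists are deliberately narrow (ASCII filenames, decimal Content-Length), so deploy a check like this in front of the endpoint only after confirming legitimate clients stay within them; chunked uploads, which carry no Content-Length, would need their own rule.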
Contact us for more information about the Struts 2 live Virtual Patch.
See How Waratek Mitigates the Apache Struts 2 Vulnerability CVE-2017-5638
Published at DZone with permission of Oisin Bates, DZone MVB. See the original article here.