Waratek is offering a Virtual Patch for customers to address a new high severity vulnerability that exposes organizations using the Struts 2 framework to any general code injection attack. The Waratek solution fully remediates this vulnerability with a virtual patch that can be live-updated without taking affected applications out of production.
“Struts 2 users need to take immediate action. Applying the binary patch offered by Apache requires some application downtime,” said John Matthew Holt, Waratek’s Founder and CTO. “For users who have made custom changes on Struts source code, it could take days or weeks to upgrade. A virtual patch can be applied immediately while the application continues to run - with no code changes and without restarting the application.”
The Apache Foundation announced the new vulnerability - CVE-2017-5638 - on Monday, March 6th and the first attacks exploiting the new vulnerability have already been reported. First introduced in Struts 2.3.5 released in October 2012, the vulnerability has been available for Zero Day exploits for more than four years.
Even prior to the announcement of the vulnerability, Waratek’s core functionality protected against Proof-Of-Concept (POC) exploits of CVE-2017-5638 that perform remote command executions. The new virtual patch is a specific one-line security rule that fully remediates this vulnerability and was developed in less than one day after the vulnerability was announced.
“This is a critical vulnerability because the attack can be achieved without authentication, and web applications don't necessarily need to successfully upload a malicious file to exploit this vulnerability,” advises Holt. “Just the presence of the vulnerable Struts library within an application is enough to exploit the vulnerability.”
Struts is an open source framework from the Apache Foundation used for web application development. Struts users include large-scale Internet companies, government and financial institutions, and other enterprises around the world.