Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Patch Available for New Struts 2 Vulnerability CVE-2017-5638

DZone's Guide to

Patch Available for New Struts 2 Vulnerability CVE-2017-5638

The newly discovered flaw in the Struts 2 framework has existed for more than four years. Read on to find out more about the patch.

· Security Zone
Free Resource

Address your unique security needs at every stage of the software development life cycle. Brought to you in partnership with Synopsys.

Waratek is offering a Virtual Patch for customers to address a new high severity vulnerability that exposes organizations using the Struts 2 framework to any general code injection attack. The Waratek solution fully remediates this vulnerability with a virtual patch that can be live-updated without taking affected applications out of production.

Struts 2 users need to take immediate action. Applying the binary patch offered by Apache requires some application downtime,” said John Matthew Holt, Waratek’s Founder and CTO. “For users who have made custom changes on Struts source code, it could take days or weeks to upgrade.  A virtual patch can be applied immediately while the application continues to run - with no code changes and without restarting the application.”

The Apache Foundation announced the new vulnerability - CVE-2017-5638 - on Monday, March 6th and the first attacks exploiting the new vulnerability have already been reported. First introduced in Struts 2.3.5 released in October 2012, the vulnerability has been available for Zero Day exploits for more than four years.

Even prior to the announcement of the vulnerability, Waratek’s core functionality protected against Proof-Of-Concept (POC) exploits of CVE-2017-5638 that perform remote command executions. The new virtual patch is a specific one-line security rule that fully remediates this vulnerability and was developed in less than one day after the vulnerability was announced.

“This is a critical vulnerability because the attack can be achieved without authentication, and web applications don't necessarily need to successfully upload a malicious file to exploit this vulnerability,” advises Holt.  “Just the presence of the vulnerable Struts library within an application is enough to exploit the vulnerability.”

Struts is an open source framework from the Apache Foundation used for web application development. Struts users include large-scale Internet companies, government and financial institutions, and other enterprises around the world.  

Find out how Synopsys can help you build security and quality into your SDLC and supply chain. We offer application testing and remediation expertise, guidance for structuring a software security initiative, training, and professional services for a proactive approach to application security.

Topics:
security ,struts 2 ,patch

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}