Apache Struts 2 Showcase Remote Code Execution (CVE-2017-9791)

In the recent days a new Apache Struts 2 vulnerability was published (S2-048) (CVE-2017-9791) and a POC code exploiting it was publicly released. The vulnerability lies in the Apache Stratus 2.3.x Showcase application when using the Struts 2 Struts 1 plugin which allows developers to use Struts 1 Action and ActionForm objects in Struts 2 applications. The application is using untrusted user input as part of a message presented to the user in the ActionMessage class which is the root cause of this vulnerability.

Mitigation with BIG-IP ASM

ASM customers under any supported BIG-IP version are already protected against this vulnerability.

While exploiting this vulnerability attacker will try to send a malicious HTTP POST request containing multiple JAVA code injections and Object Graph Navigation Library expressions injections.  

Figure 1:  Request example containing the exploitation attempt

The exploitation attempt will be detected by many existing Java Code Injection, Object Graph Navigation Library expressions and several OS command execution attack signatures which can be found in signature sets that include "Command Execution" and "Server Side Code Injection" attack types or "Java Servlets/JSP" system.

Figure 2:  Exploit blocked with Attack Signature (200004224)

Figure 3:  Exploit blocked with Attack Signature (200003458)

Figure 4:  Exploit blocked with Attack Signature (200003470)

Published Jul 11, 2017
Version 1.0
No CommentsBe the first to comment