Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638)

Update

In the recent days we have noticed a new exploit variant related to this vulnerability. This new exploit attempts to inject Java code into the file name parameter of the multipart upload request.

 Figure 1:  Request example containing the new exploitation vector.

ASM is able to mitigate this new exploit variant using the following user-defined signature:

content:"com"; content:"opensymphony"; distance:0; re2:"/\bcom[\.\/]opensymphony\b/";

 

An official ASM Security Update including this fix has already been released.

An advisory has been published regarding a critical 0-day Remote Code Execution vulnerability in Apache Struts. The vulnerability resides in the Apache Jakarta multipart parser and is triggered when it tries to parse the Content-Type header of the HTTP request, allowing remote attackers to execute arbitrary code on the vulnerable server.

An exploit for this vulnerability has already been published.
 

Mitigation with Big-IP ASM

ASM customers are already protected against this vulnerability.

While exploiting this vulnerability attacker will try to send a malicious HTTP multipart request containing multiple Java code injection payloads. 

Figure 2:  An attempt to exploit this vulnerability as it was cought on our honeypot.

The exploitation attempt will be detected by many existing Java Code Injection attack signatures and several OS command execution ones.

Figure 3: Exploit blocked with Attack Signature (200003459)



Figure 4: Exploit blocked with Attack Signature (200003471)



Figure 5: Exploit blocked with Attack Signature (200004153)



Figure 6: Exploit blocked with Attack Signature (200003450)
 

Figure 7: Exploit blocked with Attack Signature (200003058)

Figure 8: Exploit blocked with Attack Signature (200003441)

Mitigating with iRules

In the event you do not yet have ASM in your toolbelt, F5 has updated the official KB article to include an iRule that will protect your vulnerable web servers behind the BIG-IP.

Mitigating the 0-day with F5 Silverline WAF

Much like on-prem BIG-IP ASM customers, F5 Silverline WAF customers are already protected against this 0-day vulnerability. The exploitation attempt will be detected by the existing JAVA code injection and command execution attack signatures built within Silverline WAF standard policies.

The following is a WAF Policy Violations Search that shows blocked requests that match the Signature IDs representative of CVE-2017-5638:

Published Mar 09, 2017
Version 1.0
apache struts
article
ASM Advanced WAF
cve-2017-5638
security
  • kurktchiev_1459's avatar
    kurktchiev_1459
    Icon for Nimbostratus rankNimbostratus
    Mar 10, 2017

    Can someone give us the Categories these signatures live in if we want to build a policy that just enables them for rapid response to this particular threat