In recent days another 0-day remote code execution vulnerability in Apache Struts 2 has been published (CVE-2017-12611). This time the root cause is not a bug in the Struts 2 framework itself but a feature of the FreeMarker Template Language, a popular template language commonly used in Apache Struts and other Java-based projects, that is being misused by application developers. The feature lets developers bind the values of parameters sent to the server by application users to variables declared inside the application. Because the user's input is evaluated, an attacker can send Object Graph Navigation Language (OGNL) expressions, which the Struts 2 framework supports, to the server, and their evaluation may lead to malicious code being executed on the server. Examples of such misuse of this feature can be found in the original bulletin posted by the Apache Struts 2 team (S2-053).
A few proof-of-concept exploits for this vulnerability have already been published and are available for download over the web.
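The misuse described above can be caught in source review before it reaches a WAF. The following is an added example (not code from the original post or from the Struts project): a small audit script that scans a FreeMarker template for Struts UI tags whose attributes contain a `${...}` interpolation, which is the pattern S2-053 warns about. The sample template, the tag and attribute names, and the regular expressions are constructed for this demonstration.

```python
import re

# Struts FreeMarker UI tags look like <@s.tagname attr="..." .../>.  The risky
# pattern from S2-053 is a FreeMarker interpolation ${...} inside a tag
# attribute: the interpolated text (often a request parameter) is later
# evaluated as an expression by the Struts tag.  Tag and attribute names
# matched here are assumptions for the demo, not an exhaustive list.
TAG_RE = re.compile(r"<@s\.(\w+)\b([^>]*?)/?>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
INTERP_RE = re.compile(r"\$\{[^}]*\}")


def find_interpolated_attrs(template_text):
    """Return (line, tag, attr, value) for every Struts tag attribute whose
    value contains a FreeMarker ${...} interpolation."""
    findings = []
    for m in TAG_RE.finditer(template_text):
        tag, attrs = m.group(1), m.group(2)
        line = template_text.count("\n", 0, m.start()) + 1
        for attr, value in ATTR_RE.findall(attrs):
            if INTERP_RE.search(value):
                findings.append((line, tag, attr, value))
    return findings


# Constructed sample template (not from the page): two attributes that
# interpolate a variable and one that uses a plain string literal.
SAMPLE_FTL = """<#-- sample .ftl, constructed for this example -->
<@s.form action="login">
  <@s.hidden name="${redirectUri}"/>
  <@s.hidden name="redirectUri" value="${redirectUri}"/>
  <@s.hidden name="redirectUri"/>
</@s.form>
"""

if __name__ == "__main__":
    for line, tag, attr, value in find_interpolated_attrs(SAMPLE_FTL):
        print(f'line {line}: <@s.{tag} {attr}="{value}"> interpolates '
              f"template data into a tag attribute; prefer a string literal")
```

Only the two tags that interpolate `${redirectUri}` into an attribute are reported; the literal `name="redirectUri"` on the last tag is not flagged.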
Mitigating the 0-day with BIG-IP ASM
BIG-IP ASM customers on any supported BIG-IP version are already protected against this 0-day vulnerability: exploitation attempts are detected by the existing Java code injection and command execution attack signatures, which are included in signature sets covering the “Command Execution” and “Server Side Code Injection” attack types or the “Java Servlets/JSP” system.
These signatures are proactive: they detect the attacker's code injection or OS command execution attempt itself, without relying on the specific 0-day trigger used to deliver the payload, which makes the application protection resilient to many future 0-day vulnerabilities.
At least 10 attack signatures were triggered by each attempt to exploit a protected Struts 2 application using the already available exploits. Following are a few of the ASM logs of the blocked attempts:
Figure 1: Exploit blocked with Attack Signature (200004224)
Figure 2: Exploit blocked with Attack Signature (200003458)
Figure 3: Exploit blocked with Attack Signature (200003470)
Mitigating the 0-day with F5 Silverline WAF
Much like on-prem BIG-IP ASM customers, F5 Silverline WAF customers are already protected against this 0-day vulnerability. Exploitation attempts are detected by the existing Java code injection and command execution attack signatures built into Silverline WAF standard policies.
The following is a WAF Policy Violations search showing blocked requests that match the signature IDs representative of CVE-2017-12611: