Gal_Goldshtein
F5 Employee

In recent days a new Apache Struts 2 vulnerability, S2-048 (CVE-2017-9791), was published, and proof-of-concept (PoC) code exploiting it was publicly released. The vulnerability lies in the Apache Struts 2.3.x Showcase application when it uses the Struts 1 plugin, which lets developers reuse Struts 1 Action and ActionForm objects in Struts 2 applications. The application passes untrusted user input into the message key of an ActionMessage; because that key is evaluated as an OGNL expression when the message is rendered to the user, an attacker who controls the input can execute arbitrary code on the server. This use of untrusted input as part of the message is the root cause of the vulnerability.

Mitigation with BIG-IP ASM

ASM customers running any supported BIG-IP version are already protected against this vulnerability.

To exploit this vulnerability, an attacker sends a malicious HTTP POST request whose form field values carry multiple Java code injection and Object-Graph Navigation Language (OGNL) expression injection payloads.

Figure 1: Request example containing the exploitation attempt

The exploitation attempt is detected by many existing Java code injection, OGNL expression and OS command execution attack signatures. These can be found in signature sets that include the "Command Execution" and "Server Side Code Injection" attack types, or the "Java Servlets/JSP" system.
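The following is an added example, not F5's code and not the BIG-IP ASM signature engine: a small signature-style inspector in the spirit of the "Server Side Code Injection" and "Command Execution" attack types named above, run over constructed form-encoded POST bodies. The signature IDs, regular expressions and sample requests are invented for this illustration (the OGNL payload is a representative string in the shape of public S2-048 PoC input, not a verified exploit), and the example also covers the double-encoding evasion that a single URL-decode would miss.

```python
"""Signature-style inspection of a form-encoded POST body for OGNL and Java
code injection.

Added example, not F5's code and not the BIG-IP ASM signature engine.  The
signature IDs, patterns and sample requests below are constructed for this
illustration; real ASM signature sets are far more extensive.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, quote, unquote_plus, urlencode

# Hypothetical signatures grouped by the attack types the article names:
# (signature id, attack type, compiled pattern)
SIGNATURES = [
    # OGNL / EL expression opener: %{ or ${
    ("EX-0001", "Server Side Code Injection", re.compile(r"[%$]\{")),
    # OGNL security-context objects commonly touched by injection payloads
    ("EX-0002", "Server Side Code Injection",
     re.compile(r"#_memberAccess|@ognl\.OgnlContext@", re.I)),
    # OGNL static-member access syntax on a JDK class: @java.lang.X@
    ("EX-0003", "Server Side Code Injection",
     re.compile(r"@java\.lang\.[A-Za-z]+@", re.I)),
    # Process execution via Runtime.exec or ProcessBuilder
    ("EX-0004", "Command Execution",
     re.compile(r"Runtime@getRuntime\(\)\s*\.\s*exec|\bProcessBuilder\b", re.I)),
]


def decode_body(body: str, passes: int = 2) -> List[Tuple[str, str]]:
    """Split a form-encoded body into (name, value) pairs.

    parse_qsl performs one URL-decode; each extra pass re-decodes the value so
    that double-encoded payloads (%2525%257B -> %25%7B -> %{) are inspected in
    the form the application will finally see, not the form on the wire.
    """
    pairs = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for _ in range(passes):
            decoded = unquote_plus(value)
            if decoded == value:
                break
            value = decoded
        pairs.append((name, value))
    return pairs


def inspect_request(body: str, passes: int = 2) -> List[Dict[str, str]]:
    """Run every signature over every decoded parameter value."""
    findings = []
    for name, value in decode_body(body, passes):
        for sig_id, attack_type, pattern in SIGNATURES:
            match = pattern.search(value)
            if match:
                findings.append({"param": name, "signature": sig_id,
                                 "attack_type": attack_type,
                                 "match": match.group(0)})
    return findings


def verdict(body: str, passes: int = 2) -> Tuple[str, List[Dict[str, str]]]:
    """Blocking-mode decision: any signature hit blocks the request."""
    findings = inspect_request(body, passes)
    return ("BLOCK" if findings else "ALLOW"), findings


# Constructed sample requests for a Struts 1-style form (name/age/description).
# OGNL_PAYLOAD is an illustrative expression in the shape of public S2-048
# proof-of-concept input; it is not a verified exploit.
OGNL_PAYLOAD = ("%{(#_memberAccess['allowStaticMethodAccess']=true)"
                ".(@java.lang.Runtime@getRuntime().exec('whoami'))}")
BENIGN_BODY = urlencode({"name": "Al Capone", "age": "48",
                         "description": "A well known gangster from Chicago"})
MALICIOUS_BODY = urlencode({"name": OGNL_PAYLOAD, "age": "48", "description": "x"})
# Same payload percent-encoded once more before the form encoding is applied.
DOUBLE_ENCODED_BODY = urlencode({"name": quote(OGNL_PAYLOAD, safe=""), "age": "48"})

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY),
                        ("double-encoded", DOUBLE_ENCODED_BODY)]:
        decision, hits = verdict(body)
        print(f"{label}: {decision}")
        for hit in hits:
            print(f"  {hit['signature']} [{hit['attack_type']}] "
                  f"in '{hit['param']}': {hit['match']}")
```

The `passes` argument is the practitioner's caveat: with `passes=0` the double-encoded request produces no findings at all, because every character the signatures key on (`%{`, `#`, `@`) is still percent-encoded after the first decode. A WAF that matches signatures only against the raw parameter value, without normalising to the form the application will evaluate, can be bypassed this way, which is why the decoding depth of the inspection layer matters as much as the signature content.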

Figure 2: Exploit blocked with Attack Signature (200004224)

Figure 3: Exploit blocked with Attack Signature (200003458)

Figure 4: Exploit blocked with Attack Signature (200003470)

Version history
Last update: 11-Jul-2017 06:24