Gal_Goldshtein
F5 Employee

Update

In recent days we have noticed a new exploit variant for this vulnerability. Instead of placing the payload in the Content-Type header, this variant injects the Java code (an OGNL expression) into the filename parameter of the Content-Disposition header of a multipart upload part.

Figure 1: Request example containing the new exploitation vector.

ASM can mitigate this new exploit variant with the following user-defined signature, which looks for the com.opensymphony package prefix (in dotted or slash-separated form) that the injected OGNL payload references:

content:"com"; content:"opensymphony"; distance:0; re2:"/\bcom[\.\/]opensymphony\b/";


An official ASM Security Update including this fix has already been released.


An advisory has been published regarding a critical 0-day Remote Code Execution vulnerability in Apache Struts 2 (CVE-2017-5638). The vulnerability resides in the Jakarta multipart parser, which Struts 2 uses by default for file uploads: when the parser fails on a malformed Content-Type header, the header value is embedded in the error message, and that message is then evaluated as an OGNL expression, allowing unauthenticated remote attackers to execute arbitrary code on the vulnerable server. Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are affected; the fix is in 2.3.32 and 2.5.10.1, and a WAF signature is a mitigation, not a replacement for the upgrade.

An exploit for this vulnerability has already been published.

Mitigation with BIG-IP ASM

BIG-IP ASM customers are already protected against this vulnerability by existing attack signatures.

To exploit this vulnerability, an attacker sends a malicious HTTP multipart request whose headers carry one or more Java code injection payloads (OGNL expressions that ultimately run a shell command).

Figure 2: An attempt to exploit this vulnerability as it was caught on our honeypot.

The exploitation attempt is detected by several existing Java Code Injection attack signatures and, because the payload ends in a shell command, by several OS Command Execution signatures as well, as Figures 3 through 8 show.
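The following Python script is an added example, not code from the original post or from F5: it reproduces the logic of the user-defined signature from the Update section above (the two ordered content anchors with distance:0 as a prefilter, then the re2 pattern) and runs it over the two request shapes this post describes, the original Content-Type vector and the filename-parameter variant, plus a benign upload. The three requests, the host target.example, the path /upload.action and the shortened OGNL-shaped string inside them are constructed for the example and are not captured traffic or a working exploit; the only artifact taken from the page is the signature itself.

```python
import re
from typing import Iterator, List, Optional, Tuple

# The ASM user-defined signature from the post, split into its two parts:
# the ordered 'content' anchors (a cheap prefilter) and the re2 pattern that
# confirms "com" and "opensymphony" are joined by '.' or '/'.
CONTENT_ANCHORS = (b"com", b"opensymphony")
SIGNATURE_RE = re.compile(rb"\bcom[\.\/]opensymphony\b")

Header = Tuple[bytes, bytes]


def content_prefilter(data: bytes) -> bool:
    """Emulate `content:"com"; content:"opensymphony"; distance:0;`.

    distance:0 means the second string must begin at or after the end of the
    first match (Snort-style semantics, which ASM user-defined signatures
    follow). Checking the earliest "com" is enough: if any "com" is followed
    by "opensymphony", the earliest one is too.
    """
    first = data.find(CONTENT_ANCHORS[0])
    if first < 0:
        return False
    return data.find(CONTENT_ANCHORS[1], first + len(CONTENT_ANCHORS[0])) >= 0


def signature_matches(data: bytes) -> bool:
    """Full signature: prefilter first, then the re2 pattern."""
    return content_prefilter(data) and SIGNATURE_RE.search(data) is not None


def parse_request(raw: bytes) -> Tuple[bytes, List[Header], bytes]:
    """Split a raw HTTP/1.1 request into (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def multipart_boundary(headers: List[Header]) -> Optional[bytes]:
    """Return the multipart boundary from Content-Type, if there is one."""
    for name, value in headers:
        if name == b"content-type":
            m = re.search(rb'boundary="?([^";]+)', value)
            if m:
                return m.group(1)
    return None


def part_headers(body: bytes, boundary: bytes) -> Iterator[bytes]:
    """Yield the header block of each multipart part (RFC 2046 framing)."""
    delimiter = b"--" + boundary
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        head, _, _ = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        yield head


def inspect_request(raw: bytes) -> List[str]:
    """Run the signature over every top-level header (the original
    Content-Type vector) and every multipart part header (the filename
    variant). Returns the locations where it fired."""
    hits = []
    _, headers, body = parse_request(raw)
    for name, value in headers:
        if signature_matches(value):
            hits.append("header:" + name.decode())
    boundary = multipart_boundary(headers)
    if boundary:
        for head in part_headers(body, boundary):
            for line in head.split(b"\r\n"):
                name, _, value = line.partition(b":")
                if signature_matches(value):
                    hits.append("part-header:" + name.strip().lower().decode())
    return hits


# Constructed sample traffic for this example (not captured data). The
# OGNL-shaped string is a shortened placeholder that merely references the
# com.opensymphony package; it is not a working exploit.
OGNL_STUB = b"%{(#_='multipart/form-data').(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'])}"

ORIGINAL_VECTOR = (
    b"POST /upload.action HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: " + OGNL_STUB + b"\r\n"
    b"Content-Length: 0\r\n\r\n"
)

VARIANT_VECTOR = (
    b"POST /upload.action HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----FormBoundaryX\r\n\r\n"
    b"------FormBoundaryX\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="' + OGNL_STUB + b'"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"hello\r\n"
    b"------FormBoundaryX--\r\n"
)

BENIGN_UPLOAD = (
    b"POST /upload.action HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: multipart/form-data; boundary=abc123\r\n\r\n"
    b"--abc123\r\n"
    b'Content-Disposition: form-data; name="f"; filename="com-opensymphony-notes.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"notes\r\n"
    b"--abc123--\r\n"
)

if __name__ == "__main__":
    for label, req in (("original", ORIGINAL_VECTOR), ("variant", VARIANT_VECTOR), ("benign", BENIGN_UPLOAD)):
        print(label, inspect_request(req))
```

The benign request shows why the re2 part exists: its filename "com-opensymphony-notes.txt" passes the content prefilter (both anchors present, in order) but not the pattern, which requires the dotted or slash-separated package form. The flip side is that a legitimate upload of a file literally named after the package (for example a copy of an xwork jar) would match, so treat the signature as a rapid-response control and review its hits rather than assuming zero false positives. This script is a plain-text emulation only; the real ASM engine applies its own decoding and normalization to headers and multipart parts before matching, so it can catch encodings that this naive scan would miss.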

Figure 3: Exploit blocked with Attack Signature (200003459)

Figure 4: Exploit blocked with Attack Signature (200003471)

Figure 5: Exploit blocked with Attack Signature (200004153)

Figure 6: Exploit blocked with Attack Signature (200003450)

Figure 7: Exploit blocked with Attack Signature (200003058)

Figure 8: Exploit blocked with Attack Signature (200003441)

Mitigating with iRules

In the event you do not yet have ASM in your toolbelt, F5 has updated the official KB article to include an iRule that will protect your vulnerable web servers behind the BIG-IP.

Mitigating the 0-day with F5 Silverline WAF

Much like on-prem BIG-IP ASM customers, F5 Silverline WAF customers are already protected against this 0-day vulnerability. The exploitation attempt is detected by the existing Java code injection and command execution attack signatures built into the Silverline WAF standard policies.

A WAF Policy Violations search in Silverline shows the blocked requests that match the signature IDs representative of CVE-2017-5638.

Comments
kurktchiev_1459
Nimbostratus

Can someone give us the categories these signatures live in, if we want to build a policy that just enables them for rapid response to this particular threat?


Jonathan_124522
Nimbostratus

I have all these sigs in place and WhiteHat is still saying we are vulnerable.


Version history
Last update: 09-Mar-2017 08:52