New Critical Apache Struts2 Vulnerability Found (CVE-2017-9805)

September 6, 2017 | News

TECHNICAL ALERT 20170905

All web applications using the REST plugin are vulnerable.

Waratek Customers are Already Protected.


A new vulnerability (CVE-2017-9805) in the popular Apache Struts2 framework has been reported by independent researchers who describe the vulnerability as “incredibly easy for an attacker to exploit…all you need is a web browser.” All versions of Struts2 since 2008 are affected.

Background

According to researchers at LGTM.com, the newly discovered vulnerability allows an attacker to complete a Remote Command Execution (RCE) attack if an application uses the REST communication plugin on the Struts framework. The weakness is caused by the way Struts deserializes untrusted data. More specifically, the plugin relies on the ContentTypeHandler interface, which converts user-controlled request data into Java objects.

Researchers determined that attackers can execute arbitrary code and commands on an affected Struts server, even behind a company firewall, by sending a malicious HTTP request. According to a Metasploit ‘proof of concept’ exploit that was made public soon after the disclosure of the vulnerability, the HTTP request contains a specially crafted XML document. When Struts receives this document it deserializes it, and at that point arbitrary remote code execution is achieved. Attackers can use this foothold to reach other areas of a network, effectively bypassing the corporate firewalls, gaining access to other shielded areas of the company, and even deploying ransomware and other Advanced Persistent Threats.

Struts and the REST plugin are commonly used for customer- and public-facing web applications.

Action Required

Waratek customers are protected against Code Injection, Java deserialization and RCE attacks by the Waratek Application Security Platform’s standard protections such as Process Forking, Reflection Abuse, Name Space Layout Randomization (NSLR) and Component Privilege De-escalation features. These features provide active and accurate protection against RCE attacks with minimal configuration and no tuning, eliminating the need to immediately address vulnerable Struts code.

Companies that have not deployed the Waratek Application Security Platform should move promptly because of the criticality of the vulnerability and the simplicity of the attack. Companies should audit their source code, identify the presence of the Struts REST plugin that introduces the vulnerability, upgrade it, and, if needed, manually refactor any custom code built on top of the plugin. Fixed applications must then be compiled, QA tested and verified by pen testers before they are redeployed into production. Apache has posted an announcement regarding the possibility of remote code execution attacks via the REST plugin.
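As an added illustration of the audit step above (example code written for this alert, not Waratek's or Apache's own tooling), the following Python script locates the Struts REST plugin in the two places it normally shows up: the dependency list of a Maven pom.xml (resolving `${property}` version references) and the jar names in a deployed WEB-INF/lib directory. The pom and jar list are constructed sample inputs; the Maven coordinates org.apache.struts:struts2-rest-plugin are the plugin's real coordinates. The minimum fixed version is deliberately not hard-coded: pass the version from Apache's announcement as `min_fixed` to have each finding classified as vulnerable or fixed, otherwise the script only reports presence.

```python
"""Locate the Apache Struts2 REST plugin in a build and flag its version.

Added example for this advisory; not Waratek's or Apache's code.  It inspects
a Maven pom.xml and the jar names of a deployed WEB-INF/lib directory.  The
sample pom and jar list below are constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

GROUP_ID = "org.apache.struts"
ARTIFACT_ID = "struts2-rest-plugin"

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts2.version>2.3.20</struts2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts2.version}</version>
    </dependency>
  </dependencies>
</project>
"""
SAMPLE_LIB_JARS = [
    "commons-lang3-3.2.jar",
    "struts2-core-2.3.20.jar",
    "struts2-rest-plugin-2.3.20.jar",
    "xstream-1.4.8.jar",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.13' or '2.3.34-SNAPSHOT' into a numerically comparable tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def _resolve(value: str, props: Dict[str, str]) -> str:
    """Expand ${property} references the way Maven does for simple properties."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def find_in_pom(pom_xml: str) -> List[str]:
    """Return the declared versions of the REST plugin in a pom.xml."""
    root = ET.fromstring(pom_xml)  # local build file, trusted input
    # Strip the POM namespace from property tags so ${struts2.version} resolves.
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("./{*}properties/*")}
    found = []
    for dep in root.iterfind(".//{*}dependency"):
        gid = dep.findtext("{*}groupId", "").strip()
        aid = dep.findtext("{*}artifactId", "").strip()
        if gid == GROUP_ID and aid == ARTIFACT_ID:
            found.append(_resolve(dep.findtext("{*}version", "").strip(), props))
    return found


def find_in_lib(jar_names: List[str]) -> List[str]:
    """Return the versions of the REST plugin jars present in WEB-INF/lib."""
    pat = re.compile(rf"^{re.escape(ARTIFACT_ID)}-(\d[\w.\-]*)\.jar$")
    return [m.group(1) for name in jar_names if (m := pat.match(name))]


def classify(version: str, min_fixed: Optional[str]) -> str:
    """'present' when no fixed version is supplied, else 'vulnerable' or 'fixed'."""
    if min_fixed is None:
        return "present"
    return "fixed" if parse_version(version) >= parse_version(min_fixed) else "vulnerable"


def audit(pom_xml: str, jar_names: List[str],
          min_fixed: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """(location, version, status) for every REST plugin occurrence found.

    min_fixed is the lowest patched version from Apache's announcement; it is
    an operator-supplied value, so by default the audit only reports presence.
    """
    results = [("pom.xml", v, classify(v, min_fixed)) for v in find_in_pom(pom_xml)]
    results += [("WEB-INF/lib", v, classify(v, min_fixed)) for v in find_in_lib(jar_names)]
    return results


if __name__ == "__main__":
    for location, version, status in audit(SAMPLE_POM, SAMPLE_LIB_JARS):
        print(f"{location}: {ARTIFACT_ID} {version} -> {status}")
```

Run it against a real checkout by replacing `SAMPLE_POM` with the contents of the project's pom.xml and `SAMPLE_LIB_JARS` with `os.listdir()` of the exploded WAR's WEB-INF/lib; versions are compared numerically, so 2.3.9 is correctly ranked below 2.3.20.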

Contact Waratek for more information.
