ADVISORY: Apache Struts2 S2-052: Remote Code Execution Vulnerability (CVE-2017-9805)

A remote code execution (RCE) vulnerability has been discovered in Apache Struts 2, affecting versions 2.1.2 to 2.3.33 and 2.5 to 2.5.12. Apache Struts 2 and its REST Plugin are subject to an RCE attack through an XML payload: the REST Plugin does not perform any type filtering when deserializing an XStream instance using XStreamHandler. A remote attacker could embed malicious commands in an XML payload and send it to the application, which can lead to the execution of those commands on the remote application.

Are DenyAll products impacted by Apache Struts 2 S2-052 (CVE-2017-9805)?

DenyAll products are not impacted, as we do not use Apache Struts 2. Below you will find some advice to make sure that your DenyAll Web Application Firewalls are properly configured to block common XML payloads. Furthermore, DenyAll also recommends upgrading your Apache Struts 2 as soon as possible, as this vulnerability has been fixed in Apache Struts 2.5.13 and 2.3.34. If upgrading is not an option, Apache Struts proposes a workaround on its website.

DenyAll WAF and iSuite

All workflows using the Web Services Firewall (WSF) will block any command injection payload contained in the XML, as the Struts exploits do. The DenyAll WAF Web Services Default workflow can be taken as an example. An XML Parsing node placed before the ICX Engine is needed to detect injections efficiently and to avoid false positives on the XML structure.

Here is a sample of the WSF Workflow:

The use of the XML Parsing node and the other XML nodes requires the WSF license. For more details about the XML Parsing node, see the documentation page for DenyAll's customers. If you do not have the WSF license, please contact the DenyAll Support Team to mitigate the vulnerability exploit.

DenyAll rWeb

By default, the Blacklist, Scoringlist and Command Injection engines will block the XML payload, but they will not block all injection cases because of the XML structure. We recommend adding a Blacklist custom rule to correctly mitigate any injection attempt:

Pattern for the custom rule:

<command\>[^\<]*+\<string\>.*\<\/string\>[^\<]*+<\/command\>
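As an added example (not part of DenyAll's advisory or of its products), the following Python script applies the custom-rule pattern above to a few constructed request bodies, so that you can check what the rule does and does not catch before relying on it. The sample bodies, the helper names and the use of Python's re module in place of the WAF's own regex engine are assumptions made here.

```python
import re
from typing import Optional

# The custom-rule pattern from the advisory above, kept verbatim (PCRE syntax:
# possessive "*+" quantifiers and backslash-escaped "<", ">" and "/").
RULE_PATTERN = r"<command\>[^\<]*+\<string\>.*\<\/string\>[^\<]*+<\/command\>"


def compile_rule(pattern: str = RULE_PATTERN, dotall: bool = False) -> re.Pattern:
    """Compile the WAF rule with Python's re module.

    Possessive quantifiers are a PCRE feature that Python only understands from
    3.11 on; on older interpreters fall back to the plain greedy form, which
    accepts exactly the same inputs (only the backtracking behaviour differs).
    dotall=True emulates a rule engine that lets "." cross line breaks.
    """
    flags = re.DOTALL if dotall else 0
    try:
        return re.compile(pattern, flags)
    except re.error:
        return re.compile(pattern.replace("*+", "*"), flags)


def rule_matches(body: str, rule: Optional[re.Pattern] = None) -> bool:
    """True if the request body contains the <command>/<string> structure."""
    if rule is None:
        rule = compile_rule()
    return rule.search(body) is not None


def flagged_bodies(bodies: dict, rule: Optional[re.Pattern] = None) -> list:
    """Return the names of the sample bodies the rule would block, in order."""
    return [name for name, body in bodies.items() if rule_matches(body, rule)]


# Constructed sample request bodies for a rule test; none is captured traffic.
SAMPLES = {
    # Ordinary REST payload: must not be blocked.
    "benign_order": "<order><item><name>widget</name><qty>2</qty></item></order>",
    # The element shape the rule targets, on a single line.
    "command_inline": "<root><command><string>echo</string><string>hi</string></command></root>",
    # Same shape, pretty-printed: [^<]*+ tolerates the whitespace between tags.
    "command_multiline": "<command>\n  <string>echo</string>\n</command>",
    # A <string> whose text spans two lines: "." stops at the newline, so this
    # is only caught when the rule engine applies a dotall/single-line option.
    "command_newline_in_string": "<command><string>echo\nhi</string></command>",
}


if __name__ == "__main__":
    print("default:", flagged_bodies(SAMPLES))
    print("dotall: ", flagged_bodies(SAMPLES, compile_rule(dotall=True)))
```

Run the script directly to see which sample bodies are flagged under each setting. The caveat it demonstrates: in most engines `.` does not cross a line break by default, so a `<string>` element whose text contains a newline slips past the pattern unless the engine applies a dotall/single-line option; check how your rule engine treats newlines before relying on the rule alone.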

For any further details, reply to this blog post or contact the DenyAll Support Team.


Xavier Quoniam, Marketing Manager
Xavier is our Marketing Manager. He is passionate about disruptive technologies that transform how companies communicate. He brings us his passion, curiosity, and fresh ideas to promote DenyAll and Cloud Protector at their best.