ADVISORY: Apache Struts2 S2-057 can lead to a Remote Code Execution attack

A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers – who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.

What happened?

A new vulnerability was discovered in Apache Struts 2 that can lead to a possible Remote Code Execution (RCE) attack. The vulnerability is located in the core of Apache Struts. All applications that use Struts are potentially vulnerable, even when no additional plugins have been enabled.

Detail of the vulnerability

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are exposed to possible Remote Code Execution when using results with no namespace while, at the same time, the enclosing action(s) have no namespace or a wildcard namespace. The same applies when using a url tag that has no value and action set while, at the same time, the enclosing action(s) have no namespace or a wildcard namespace.

Sources:

Statements on our products

Our products are not impacted as we do not use Apache Struts 2.

We recommend updating Apache Struts 2 as soon as possible, as this vulnerability has been fixed in Apache Struts 2.3.35 and 2.5.17.

R&S®Web Application Firewall

  • R&S®Web Application Firewall and i-Suite block some exploits by default, but not all variants. To mitigate the RCE we recommend adding the following blocking rule to your ICX configurations:
    • Path matches regexp
    • (?i:[\%\$]++\{++\(*+\#|\@(?:org\.apache\.struts2\.ServletActionContext\@|java\.lang\.Runtime@getRuntime\(\)\.)\w++\(|(?:^|\/)\$++\{++\(*+[\%\-\+\*\/\d]++\)*+\})

You can create a custom pattern and apply it to each ICX configuration. More details and backups are available on the documentation site.

We will update the Command Injection pattern to block this vulnerability by default in the forthcoming security update release.

  • The rWeb product blocks exploits with the ‘Scripting language injection’ advanced engine; the ‘PHP code injection’ option has to be enabled.
    • For those who are not using this advanced engine, you have to create a custom rule on each blacklist template. The filter type has to be ‘URI’ with the ‘deny’ action and the following regexp:
    • (?i:[\%\$]++\{++\(*+\#|\@(?:org\.apache\.struts2\.ServletActionContext\@|java\.lang\.Runtime@getRuntime\(\)\.)\w++\(|(?:^|\/)\$++\{++\(*+[\%\-\+\*\/\d]++\)*+\})
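To check which request paths the blocking rule quoted above (for the ICX configuration and for the rWeb blacklist template) actually trips, here is an added example, not code from the advisory or from the R&S products, that applies the rule to constructed access-log lines. It assumes the WAF evaluates the rule on the percent-decoded path; the log lines and IP addresses are made up for the example.

```python
import re
from urllib.parse import unquote

# Blocking rule quoted in the advisory ("Path matches regexp").
# Possessive quantifiers (++, *+) are PCRE/Java syntax; Python's re accepts them
# from 3.11 onward, so compile_rule() falls back on older interpreters.
STRUTS_S2_057_RULE = (
    r"(?i:[\%\$]++\{++\(*+\#"
    r"|\@(?:org\.apache\.struts2\.ServletActionContext\@"
    r"|java\.lang\.Runtime@getRuntime\(\)\.)\w++\("
    r"|(?:^|\/)\$++\{++\(*+[\%\-\+\*\/\d]++\)*+\})"
)


def compile_rule(pattern):
    """Compile the rule; on Python < 3.11 downgrade possessive to greedy quantifiers.
    The downgrade cannot change this rule's verdict: in every alternative the token
    after a quantified atom never matches that atom, so backtracking is irrelevant."""
    try:
        return re.compile(pattern)
    except re.error:
        return re.compile(re.sub(r"([+*])\+", r"\1", pattern))


RULE = compile_rule(STRUTS_S2_057_RULE)


def is_blocked(raw_path):
    """True if the percent-decoded request path trips the rule (assumption: the WAF
    matches on the decoded path, i.e. what the Struts application would see)."""
    return RULE.search(unquote(raw_path)) is not None


# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Aug/2018:10:00:01 +0000] "GET /index.action HTTP/1.1" 200 512
10.0.0.5 - - [22/Aug/2018:10:00:02 +0000] "GET /${(1+1)}/index.action HTTP/1.1" 302 0
10.0.0.6 - - [22/Aug/2018:10:00:03 +0000] "GET /%24%7B%281%2B1%29%7D/index.action HTTP/1.1" 302 0
10.0.0.7 - - [22/Aug/2018:10:00:04 +0000] "GET /orders/${price}/view.action HTTP/1.1" 404 0
"""
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')


def flag_requests(log_text):
    """Return (client ip, decoded path) for each log line whose path trips the rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_blocked(m["path"]):
            hits.append((m["ip"], unquote(m["path"])))
    return hits
```

Note that the percent-encoded request on the third line only matches after decoding, while the plain `${price}` path on the fourth line is not flagged, because the rule requires a `#` or an arithmetic expression inside the braces.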

We will update the blacklist to block this vulnerability by default in the forthcoming security update release.

R&S®Cloud Protector

A custom rule has been deployed on all security profiles.

For any further details, we invite you to contact the Support Team.


About Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity is a leading IT security company that protects companies and public institutions around the world against cyberattacks. The company develops and produces technologically leading solutions for information and network security, including highly secure encryption solutions, next-generation firewalls and firewalls for business-critical web applications, innovative approaches for working in the cloud securely as well as desktop and mobile security. The award-winning and certified IT security solutions range from compact, all-in-one products to customized solutions for critical infrastructures. To prevent cyberattacks proactively, rather than reactively, the trusted IT solutions are developed following the security-by-design approach. More than 500 people are employed at locations in Germany, France, Spain and the Netherlands.

Amaury le Roux - Marketing Assistant
Amaury is our marketing assistant. Passionate about new marketing strategies, he actively participates in our communication via our blog, website and social networks. He brings us all his enthusiasm to contribute to the success of our projects.
