Detect and Block Apache Struts Bug Across Your Enterprise

Apache Struts2 Vulnerability · Qualys Vulnerability Management · Qualys Web Application Scanning · Frank Catucci, Director, Web Application Security, Product Management

Transcript of Detect and Block Apache Struts Bug Across Your Enterprise

Page 1: Detect and Block Apache Struts Bug Across Your Enterprise

Apache Struts2 Vulnerability: Qualys Vulnerability Management, Qualys Web Application Scanning

Frank Catucci, Director, Web Application Security, Product Management

Page 2: Detect and Block Apache Struts Bug Across Your Enterprise


What is Apache Struts?

Struts is an open source project of the Apache Software Foundation, originally part of the Jakarta project, that uses the MVC pattern to help Java developers build J2EE web applications. Struts is widely used by large Internet companies, government and financial institutions, often as the underlying framework on which their web applications are built.

Page 3: Detect and Block Apache Struts Bug Across Your Enterprise


Apache Struts CVE-2017-5638 Vulnerability

Apache has recently issued an emergency security alert: Apache Struts was found to contain a high-risk (severity 5) remote code execution (RCE) vulnerability, tracked as CVE-2017-5638. A severity 5 RCE can lead to complete system compromise. Apache Struts officials have confirmed the vulnerability (advisory S2-045) and classified it as high risk.

Page 4: Detect and Block Apache Struts Bug Across Your Enterprise


Vulnerability Details

Affected versions:
• Apache Struts 2.3.5 – 2.3.31
• Apache Struts 2.5 – 2.5.10

Details: A remote code execution vulnerability exists in the Jakarta Multipart parser due to improper handling of the Content-Type header. An attacker can place a malicious OGNL expression in the Content-Type header to trigger the vulnerability and execute system commands on the server.

Page 5: Detect and Block Apache Struts Bug Across Your Enterprise


Vulnerability Details: Importance

It is important to note that the presence of the vulnerable library is enough for the vulnerability to be exploitable. The web application does not need to implement file upload functionality: the framework invokes the multipart parser for any request that presents a multipart Content-Type, regardless of application code.

Page 6: Detect and Block Apache Struts Bug Across Your Enterprise


Great, so what can I do? The Qualys solution can help in multiple ways:

• Detect with Vulnerability Management
• Utilize AssetView and ThreatPROTECT
• Detect with Web Application Scanning
• Protect and defend with Web Application Firewall

Page 7: Detect and Block Apache Struts Bug Across Your Enterprise


Detect with VM

Unauthenticated standard install? Quickly scan all assets at scale! Qualys has released the primary VM QID 11771, which fires during a standard VM scan against your web servers. This check applies when the application does not require form-based authentication and the Struts .action endpoints remain at their default location. It can be run efficiently at extremely large scale.

Page 8: Detect and Block Apache Struts Bug Across Your Enterprise


Detect with VM

Page 9: Detect and Block Apache Struts Bug Across Your Enterprise


Detect with VM

QID 45258 - Apache Struts Detected On Linux Under Common Directories: this QID looks for Struts files under common Linux directories and for struts2-core files recursively inside sub-directories.

QID 45257 - Apache Struts Detected On Windows Under Common Directories: this QID looks for the WEB-INF\lib\struts2-core file recursively inside sub-directories.
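As an added example (not the logic of the Qualys QIDs themselves), the following Python script does locally what the two QIDs above are described as doing: it walks a directory tree for struts2-core jars and compares the version in the jar name against the affected ranges from the advisory. The directory layout it scans is constructed in a temporary directory, and reading the version from the file name rather than from the jar's manifest is a simplification.

```python
"""Local check for vulnerable struts2-core jars (added example, not Qualys QID code).

Walks a directory tree looking for struts2-core jars, the file the slides say
QIDs 45257/45258 search for, and compares the version in the jar name against
the ranges S2-045 lists as affected: 2.3.5 - 2.3.31 and 2.5 - 2.5.10
(fixed in 2.3.32 and 2.5.10.1).
"""
import os
import re
import tempfile
from typing import List, Tuple

# struts2-core-<version>.jar; taking the version from the file name is a
# simplification, a fuller check would also parse META-INF/MANIFEST.MF.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

# Inclusive (low, high) ranges from the S2-045 advisory, as version tuples.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison orders releases correctly."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True when the version falls inside an affected range (2.5.10.1 sorts above 2.5.10)."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def find_struts_jars(root: str) -> List[Tuple[str, str, bool]]:
    """Return (path, version, affected) for every struts2-core jar below root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if match:
                version = match.group(1)
                hits.append((os.path.join(dirpath, name), version, is_affected(version)))
    return sorted(hits)


def demo() -> List[Tuple[str, str, bool]]:
    """Scan a constructed webapp layout (empty placeholder jars in a temp dir)."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    constructed = [
        "app1/WEB-INF/lib/struts2-core-2.3.31.jar",          # last vulnerable 2.3.x
        "app2/WEB-INF/lib/struts2-core-2.5.10.1.jar",        # fixed release
        "nested/deeper/WEB-INF/lib/struts2-core-2.5.10.jar",  # vulnerable, deeply nested
        "app1/WEB-INF/lib/commons-fileupload-1.3.2.jar",     # unrelated jar, ignored
    ]
    for rel in constructed:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return [(os.path.relpath(path, root), version, affected)
            for path, version, affected in find_struts_jars(root)]


if __name__ == "__main__":
    for path, version, affected in demo():
        print(f"{'VULNERABLE' if affected else 'ok        '}  {version:<9} {path}")
```

Point it at a real web root by calling find_struts_jars("/opt/tomcat/webapps") instead of demo(). Jars renamed or shaded into another archive will not match the file-name regex, which is why the Qualys checks and a manifest-based check are the more robust options.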

Page 10: Detect and Block Apache Struts Bug Across Your Enterprise


Utilize AssetView and ThreatPROTECT

Page 11: Detect and Block Apache Struts Bug Across Your Enterprise


Detect with WAS

Form-based or complex authentication? Non-standard installation paths? If so, WAS is the best solution. Qualys WAS can perform complex authentication and offers an enhanced crawling engine to locate those hard-to-find directories. QID 150173 has been added to WAS to cover this vulnerability specifically.

Page 12: Detect and Block Apache Struts Bug Across Your Enterprise


Detect with WAS

Page 13: Detect and Block Apache Struts Bug Across Your Enterprise

Apache Struts2 Vulnerability: Qualys Web Application Firewall

Vikas Phonsa, Director of Product Management, Web Application Firewall

Page 14: Detect and Block Apache Struts Bug Across Your Enterprise


What is a WAF?

• An appliance, server plugin, or filter that applies a set of security rules to HTTP traffic
• Typically deployed as a reverse proxy in front of the web applications
• Protects web applications from threats like SQL injection, cross-site scripting etc.
• Allows virtual patching
• Helps meet PCI DSS requirements

Page 15: Detect and Block Apache Struts Bug Across Your Enterprise


Qualys Platform Integrated Suite

Page 16: Detect and Block Apache Struts Bug Across Your Enterprise


Qualys WAF - Allowed Content Types

Whitelist the content types allowed by your web application; malicious requests are blocked before they reach your web servers. This is effective here because an S2-045 request carries an OGNL expression where a media type should be, so its Content-Type never matches a legitimate entry on the whitelist.

Page 17: Detect and Block Apache Struts Bug Across Your Enterprise


Qualys WAF - Custom Security Rules

Flexible, fine-grained custom security rules. Whitelist or blacklist content types using a variety of conditions; regular expressions are supported.

Page 18: Detect and Block Apache Struts Bug Across Your Enterprise


New Attack Vectors

A second set of request conditions also reaches the vulnerable code (Apache tracks this alternate vector as S2-046, under the same CVE):

• The Struts2 application is using the Jakarta stream parser, which is not the default parser
• The size of the uploaded file, as given in the Content-Length header, is larger than 2GB
• The file name in the Content-Disposition header contains the OGNL payload
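The two WAF controls on the previous slides (a content-type whitelist and custom rules on request headers) and the alternate vectors listed above can be expressed together as one request pre-filter. The following is an added example, not Qualys WAF configuration or code: the header names, the whitelist, the OGNL marker regex and the sample requests are all constructed for illustration, and the OGNL-shaped strings in the samples are markers, not exploit payloads.

```python
"""Request pre-filter for the S2-045/S2-046 vectors (added example, not Qualys WAF code).

Combines the controls described on the WAF slides: a whitelist of
Content-Type media types, plus custom rules that reject OGNL syntax in the
Content-Type header or in a multipart Content-Disposition filename and a
Content-Length above 2 GiB. Header names, whitelist and sample requests are
constructed for illustration.
"""
import re
from typing import Dict, Tuple

ALLOWED_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "application/json",
}
# OGNL expression markers: %{...} / ${...} blocks, "#name=" assignments and
# @class@member static references. A coarse signature, as a WAF rule would be.
OGNL_RE = re.compile(r"[%$]\{|#\w+\s*=|@[\w.]+@")
FILENAME_RE = re.compile(r'filename\*?="?([^"\r\n;]*)', re.IGNORECASE)
MAX_CONTENT_LENGTH = 2 * 1024 ** 3  # the S2-046 vector needs a length above 2 GiB


def media_type(content_type: str) -> str:
    """'multipart/form-data; boundary=XX' -> 'multipart/form-data'."""
    return content_type.split(";", 1)[0].strip().lower()


def inspect(headers: Dict[str, str], body: bytes = b"") -> Tuple[bool, str]:
    """Return (allowed, reason) for one request; header lookup is case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    ct = h.get("content-type", "")
    if not ct:
        return (len(body) == 0, "body without Content-Type" if body else "ok")
    # Rule 1: whitelist. An S2-045 header starts with an OGNL block rather than
    # a media type, so it can never match the whitelist.
    if media_type(ct) not in ALLOWED_MEDIA_TYPES:
        return False, "content-type not allowlisted"
    # Rule 2: OGNL syntax smuggled into Content-Type parameters (e.g. the boundary).
    if OGNL_RE.search(ct):
        return False, "OGNL syntax in Content-Type"
    # Rule 3: S2-046 relies on an oversized Content-Length.
    cl = h.get("content-length")
    if cl is not None:
        if not cl.isdigit():
            return False, "malformed Content-Length"
        if int(cl) > MAX_CONTENT_LENGTH:
            return False, "Content-Length exceeds 2 GiB"
    # Rule 4: OGNL syntax in a multipart part's filename (the other S2-046 vector).
    if media_type(ct) == "multipart/form-data":
        for m in FILENAME_RE.finditer(body.decode("latin-1")):
            if OGNL_RE.search(m.group(1)):
                return False, "OGNL syntax in Content-Disposition filename"
    return True, "ok"


# Constructed sample requests: (headers, body). "%{#probe='marker'}" is only
# OGNL-shaped syntax used as a marker, not an exploit payload.
SAMPLES = {
    "form_post": ({"Content-Type": "application/x-www-form-urlencoded",
                   "Content-Length": "22"}, b"user=alice&action=view"),
    "file_upload": ({"Content-Type": "multipart/form-data; boundary=XX",
                     "Content-Length": "96"},
                    b'--XX\r\nContent-Disposition: form-data; name="f"; '
                    b'filename="report.pdf"\r\n\r\n%PDF-1.4\r\n--XX--\r\n'),
    "s2_045_content_type": ({"Content-Type": "%{#probe='marker'}"}, b""),
    "s2_046_length": ({"Content-Type": "multipart/form-data; boundary=XX",
                       "Content-Length": str(3 * 1024 ** 3)}, b""),
    "s2_046_filename": ({"Content-Type": "multipart/form-data; boundary=XX",
                         "Content-Length": "90"},
                        b'--XX\r\nContent-Disposition: form-data; name="f"; '
                        b'filename="%{#probe=\'marker\'}"\r\n\r\nx\r\n--XX--\r\n'),
    "unexpected_xml": ({"content-type": "text/xml"}, b"<a/>"),
}


def run_samples() -> Dict[str, Tuple[bool, str]]:
    return {name: inspect(hdrs, body) for name, (hdrs, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {name:<20} {reason}")
```

The whitelist is checked first because it is the narrowest rule and does not depend on recognising any particular payload; the regex rules are defence in depth for parameters and filenames that sit behind a legitimate media type. None of this replaces the upgrade: the filter stops the known request shapes, not the OGNL evaluation inside the library.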

Page 19: Detect and Block Apache Struts Bug Across Your Enterprise


Upgrade to Apache Struts 2.3.32 or 2.5.10.1, or see the workarounds in the Apache security bulletins.

Comprehensive Security

Page 20: Detect and Block Apache Struts Bug Across Your Enterprise

DETECT & BLOCK STRUTS BUG

Start Your Free Trial Today

Thank you

www.qualys.com/struts