The critical Remote Code Execution (RCE) vulnerability CVE-2017-9805 was recently discovered in Apache Struts 2, a popular open-source framework used to build and deploy Java-based web applications. RedMonk analyst Fintan Ryan stated that at least 65 percent of the Fortune 100 companies use web applications built with the framework, exemplifying the extensive risk that came with the discovery of the vulnerability.
This vulnerability allows an attacker to run arbitrary code on servers that run applications built with the Apache Struts framework and the popular REST (representational state transfer) communication plugin. It was revealed that the flaw stems from Apache Struts’ unsafe method of deserializing untrusted data. The affected versions of the framework are Struts 2.1.2 – 2.3.33 and Struts 2.5 – 2.5.12, and all web applications that use REST are vulnerable. If compromised, an attacker can use the vulnerability to find credentials, connect to the database server, and extract all data. TippingPoint customers have since been protected from threats that may exploit CVE-2017-9805 with a MainlineDV filter released in July.
Dating back as far as 2014, the discovery of vulnerabilities in Apache Struts has been an issue for servers that utilize the framework. Attackers have consistently used Object Graph Navigation Language (OGNL) expressions to easily execute arbitrary code remotely because Apache Struts uses it for most of its processes. But CVE-2017-9805 has the potential to outweigh the previous flaws damage-wise including even POODLE, which allowed attackers to conduct man-in-the-middle attacks and decrypt the traffic between web servers and end users.
Man Yue Mo, one of the security researchers who discovered CVE-2017-9805, said that the vulnerability poses a huge risk because aside from being widely used by publicly accessible web applications, the Apache Struts framework can be easily exploited using a web browser. Several airline booking systems use the framework, as well as a number of financial institutions that use it for internet banking applications.
Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities such as CVE-2017-9805. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats that may exploit CVE-2017-9805 even without any engine or pattern update.
Deep Security™ provides protection from any threats that may exploit this vulnerability via the following DPI rule: