New Apache Struts Vulnerability Could Be Worse than POODLE

September 06, 2017

The critical Remote Code Execution (RCE) vulnerability CVE-2017-9805 was recently discovered in Apache Struts 2, a popular open-source framework used to build and deploy Java-based web applications. RedMonk analyst Fintan Ryan stated that at least 65 percent of the Fortune 100 companies use web applications built with the framework, exemplifying the extensive risk that came with the discovery of the vulnerability.

This vulnerability allows an attacker to run arbitrary code on servers that run applications built with the Apache Struts framework and the popular REST (representational state transfer) communication plugin. It was revealed that the flaw stems from Apache Struts’ unsafe method of deserializing untrusted data. The affected versions of the framework are Struts 2.1.2 – 2.3.33 and Struts 2.5 – 2.5.12, and all web applications that use REST are vulnerable. If compromised, an attacker can use the vulnerability to find credentials, connect to the database server, and extract all data. TippingPoint customers have since been protected from threats that may exploit CVE-2017-9805 with a MainlineDV filter released in July.

Dating back as far as 2014, the discovery of vulnerabilities in Apache Struts has been an issue for servers that utilize the framework. Attackers have consistently used Object Graph Navigation Language (OGNL) expressions to easily execute arbitrary code remotely because Apache Struts uses it for most of its processes. But CVE-2017-9805 has the potential to outweigh the previous flaws damage-wise including even POODLE, which allowed attackers to conduct man-in-the-middle attacks and decrypt the traffic between web servers and end users.

Man Yue Mo, one of the security researchers who discovered CVE-2017-9805, said that the vulnerability poses a huge risk because aside from being widely used by publicly accessible web applications, the Apache Struts framework can be easily exploited using a web browser. Several airline booking systems use the framework, as well as a number of financial institutions that use it for internet banking applications.

Apache Struts has already released a patch today.

Trend Micro Solutions

Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities such as CVE-2017-9805. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats that may exploit CVE-2017-9805 even without any engine or pattern update.

Deep Security™ provides protection from any threats that may exploit this vulnerability via the following DPI rule:

  • 1008590 - Apache Struts 2 REST Plugin XStream Remote Code Execution Vulnerability (CVE-2017-9805)

Deep Security Inspector™ protects customers from this vulnerability via the following DPI rule:

  • 2490: CVE-2017-9805 – ApacheStruts XStream RCE Exploit - HTTP (Request)

TippingPoint has posted a Customer Shield Writer (CSW) file for this vulnerability that (available for customers to download on TMC). The applicable rules are as follows:

  • C1000001: HTTP: Apache Struts 2 XStreamHandler Command Injection Vulnerability
  • C1000002: HTTP: Apache Struts 2 XStreamHandler Suspicious XML Command Usage

TippingPoint customers are also protected from this threat via these MainlineDV filters:

  • 29572: HTTP: Apache Struts 2 XStreamHandler Suspicious XML Command Usage
  • 29580: HTTP: Apache Struts 2 XStreamHandler Command Injection Vulnerability

Trend Micro Smart Home Network customers are protected from this threat via this rule:

Updated: September 7, 2017 10:12 AM

Article was updated with Deep Security and TippingPoint rules for CVE-2017-9805


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.