Overview:
Apache has recently issued an emergency security alert. Apache Struts was exposed to a high-risk (severity 5) RCE (remote command execution) vulnerability, tracked as CVE-2017-5638. A severity 5 RCE can lead to complete system compromise. Apache Struts officials have confirmed the vulnerability (S2-045) and classified it as high risk.
Struts is an open source project of the Apache Foundation's Jakarta project team; it uses the MVC pattern to help Java developers build J2EE web applications. Struts is widely used by large Internet companies, government agencies, financial institutions and other sites, and often serves as the underlying template for their development.
The Qualys Platform can detect and address this vulnerability in several ways: with Qualys VM (Vulnerability Management), WAS (Web Application Scanning) and WAF (Web Application Firewall). We describe each below, after discussing the details of the vulnerability.
Affected versions:
Apache Struts 2.3.5 – 2.3.31
Apache Struts 2.5 – 2.5.10
Details:
A remote code execution vulnerability exists in the Jakarta Multipart parser due to improper handling of the Content-Type header. An attacker can place a malicious OGNL expression in the Content-Type header to trigger this vulnerability and execute system commands.
Struts 2 handles uploads with the default org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest class; by configuring the struts.multipart.parser property, you can specify a different parsing class.
As per the documentation, struts.multipart.parser, which is used by the fileUpload interceptor to handle HTTP POST requests encoded with the MIME type multipart/form-data, can be swapped out. Currently there are two choices, jakarta and pell. The jakarta parser is a standard part of the Struts 2 framework and needs only its required libraries added to a project. As of Struts version 2.3.18 a new implementation of MultiPartRequest was added, JakartaStreamMultiPartRequest, which can be used to handle large files.
It is important to note that the presence of the vulnerable library is enough for the vulnerability to be exploitable. The web application does not need to implement file upload functionality itself.
CVE Identifier:
CVE-2017-5638
Recommendation:
Upgrade to Struts 2.3.32 or Struts 2.5.10.1
Solution:
If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different implementation of the Multipart parser.
The Qualys Platform:
Proper detection of the Apache Struts Jakarta CVE-2017-5638 RCE vulnerability can be tricky, and finding vulnerable systems within your environment can be a challenge if you don't know where to start. Luckily Qualys is here to help.
Vulnerability Management (VM):
Qualys has released QID 11771, which is found using a standard VM scan against your web servers. This check applies when form-based authentication is not required and the default location of the Struts .action and/or .do endpoints is unchanged. It can be run efficiently at very large scale. A free trial of Qualys VM is always available.
Web Application Scanning (WAS):
As mentioned above, traditional VM (Vulnerability Management) detection techniques do not take form-based authentication into account, and URL redirects are also not supported by that detection method. If form authentication, non-default paths or redirects are used within your Apache environments, Qualys WAS (Web Application Scanning) is the best solution. Qualys WAS can perform complex authentication methods and offers an enhanced crawling engine to locate those hard-to-find directories, which lets you detect this vulnerability at scale. QID 150173 has been added to WAS to cover this vulnerability specifically; it is included with Vulnsigs version 2.3.560-6 / WAS-4.1.96-1 and later. You can confirm your version of WAS by going to Help > About from the WAS module. A free trial of Qualys WAS is also always available.
Our Detection Methodology:
The detection makes use of the Content-Type HTTP header to send a specially crafted request. The header is shown below:
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Qualys-Struts',3195*5088)}.multipart/form-data
The request asks the web server to multiply two numbers; the same mechanism could be used to request any other operation from the server. In the example above the two numbers are 3195 and 5088. If the scanner receives the correct answer from the web server, i.e. 16256160 in this example, the server is concluded to be vulnerable. The response (with the request) is shown in the Wireshark screen capture below; the multiplication result appears in the HTTP response header.
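As an added example (not Qualys code), the following Python script ties together the two checks a defender can make from this write-up: whether a deployed struts2-core jar falls inside the affected version ranges listed above, and whether a captured request's Content-Type carries the OGNL expression marker that the probe header above relies on, the kind of signature a WAF or log review would look for. The sample requests, the app.example host and the jar path are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges exactly as the advisory lists them (inclusive bounds).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

# An OGNL expression marker never belongs in a Content-Type value, which
# should only ever be a MIME type plus parameters.
OGNL_MARKER = re.compile(r"[%$]\{")

def is_affected_struts_version(version: str) -> bool:
    """True when the version falls inside 2.3.5-2.3.31 or 2.5-2.5.10."""
    v = tuple(int(part) for part in version.strip().split("."))  # '2.5.10.1' -> (2, 5, 10, 1)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

def struts_core_version(jar_path: str) -> Optional[str]:
    """Pull the version out of a struts2-core jar name found under WEB-INF/lib."""
    match = re.search(r"struts2-core-(\d+(?:\.\d+)+)\.jar$", jar_path)
    return match.group(1) if match else None

def parse_headers(raw_request: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request head into (request line, lower-cased header map)."""
    lines = raw_request.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # the blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def suspicious_requests(raw_requests: List[str]) -> List[str]:
    """Return the request lines whose Content-Type carries an OGNL marker."""
    flagged = []
    for raw in raw_requests:
        request_line, headers = parse_headers(raw)
        if OGNL_MARKER.search(headers.get("content-type", "")):
            flagged.append(request_line)
    return flagged

# Constructed sample traffic: a normal upload, a request carrying the same kind
# of OGNL expression the scanner probe uses, and a plain form post.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----abc\r\n\r\n",
    "POST /doUpload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{#context['example'].addHeader('X-Probe',1)}.multipart/form-data\r\n\r\n",
    "POST /login.do HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n",
]
```

Note that a jar version outside the affected ranges is only a mitigation check; the header signature is what a WAF rule or log review would alert on regardless of whether the application exposes an upload form.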
Web Application Firewall (WAF):
The Qualys WAF (Web Application Firewall) adds the ability to block exploitation attempts against this vulnerability when upgrades or changes cannot be made because of change control or the risk of breaking existing installations or legacy uses.
As you can see, a wide variety of custom rule conditions can be used to meet the specific security needs of your application.
Further details can be found here: Qualys WAF 2.0 Protects Against Critical Apache Struts Jakarta Vulnerability (CVE-2017-5638), and a free trial of Qualys WAF is also always available.
Please feel free to contact us with any further questions or inquiries at any time.
Thank you.