Detect and Block Apache Struts Bug Across Your Enterprise
Posted on 05-Apr-2017
TRANSCRIPT
Apache Struts2 Vulnerability: Qualys Vulnerability Management, Qualys Web Application Scanning
Frank Catucci, Director, Web Application Security, Product Management
What is Apache Struts?
Struts is an open source project of the Apache Software Foundation (originally part of the Jakarta project). It is a Model-View-Controller (MVC) framework that helps Java developers build web applications on Java EE (J2EE). Struts is widely used on the sites of large Internet companies, government bodies, financial institutions and others, often as the underlying framework on which the whole application is built.
Apache Struts CVE-2017-5638 Vulnerability
Apache recently issued an emergency security bulletin (S2-045) for a remote code execution (RCE) vulnerability in Apache Struts 2, tracked as CVE-2017-5638 and rated severity 5 (the highest) by Qualys. An unauthenticated RCE of this kind can lead to complete system compromise, and Apache has classified the issue as high risk.
Vulnerability Details
Affected versions:
Apache Struts 2.3.5 – 2.3.31
Apache Struts 2.5 – 2.5.10
Details:
A remote code execution vulnerability exists in the Jakarta Multipart parser due to improper handling of the Content-Type header. When the header value is not a valid multipart type, the parser builds an error message that includes the attacker-supplied value and passes it through Struts' localized text handling, which evaluates OGNL expressions embedded in the message. An attacker can therefore place an OGNL payload in the Content-Type header and have the server execute arbitrary system commands.
Vulnerability Details: Importance
It is important to note that the presence of the vulnerable library is enough for the vulnerability to be exploitable. The web application does not need to implement file upload functionality, because the multipart wrapper is applied to any request whose Content-Type mentions multipart/form-data, regardless of whether the targeted action handles uploads.
Great, so what can I do?
The Qualys solution can help in multiple ways:
• Detect with Vulnerability Management
• Utilize AssetView and ThreatPROTECT
• Detect with Web Application Scanning
• Protect and defend with Web Application Firewall
Detect with VM
Unauthenticated standard install? Quickly scan all assets at scale!
Qualys has released the primary VM QID 11771, which fires during a standard (unauthenticated) VM scan against your web servers. This check applies when form-based authentication is not required and the Struts .action endpoints remain at their default locations. It can be run efficiently at very large scale.
Detect with VM
QID 45258 - Apache Struts Detected On Linux Under Common Directories: this QID looks for Struts files under common Linux directories and for struts2-core files recursively inside sub-directories.
QID 45257 - Apache Struts Detected On Windows Under Common Directories: this QID looks for the WEB-INF\lib\struts2-core file recursively inside sub-directories.
Because these two QIDs read the filesystem rather than probing over HTTP, they require authenticated scanning, but they also catch instances that are not reachable at a default .action URL.
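As an added example (this is not Qualys code and not what the QIDs above actually run), the following Python script shows the kind of filesystem inventory these checks perform: it walks a directory tree for struts2-core jars, reads the version from the file name, and compares it with the affected ranges from the bulletin. The directory layout and jar names are constructed sample data for the example.

```python
import os
import re
import tempfile

# Version ranges listed in the S2-045 bulletin: 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

# Matches the standard Maven artifact name, e.g. struts2-core-2.3.31.jar.
JAR_PATTERN = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so ranges compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True when the version falls inside one of the S2-045 ranges.

    Tuple comparison handles the four-part fix release: (2, 5, 10, 1) sorts
    after (2, 5, 10), so 2.5.10.1 is correctly reported as not affected.
    """
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def find_struts_jars(root):
    """Recursively look for struts2-core jars (typically under WEB-INF/lib).

    Returns a sorted list of (path, version, affected) tuples. Like the
    filesystem checks described above, this keys on the file name only; a
    renamed or shaded jar would be missed and needs a manifest inspection.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            match = JAR_PATTERN.match(name)
            if match:
                version = match.group(1)
                hits.append((os.path.join(dirpath, name), version, is_affected(version)))
    return sorted(hits)


def build_sample_tree(root):
    """Create a constructed webapps layout (sample data, not a real deployment)."""
    layout = {
        "webapps/legacy/WEB-INF/lib": "struts2-core-2.3.31.jar",
        "webapps/portal/WEB-INF/lib": "struts2-core-2.5.10.jar",
        "webapps/patched/WEB-INF/lib": "struts2-core-2.5.10.1.jar",
        "webapps/old/WEB-INF/lib": "struts2-core-2.3.4.jar",
    }
    for subdir, jar in layout.items():
        full = os.path.join(root, subdir)
        os.makedirs(full, exist_ok=True)
        open(os.path.join(full, jar), "wb").close()  # empty placeholder file


def demo():
    """Build the sample tree in a temp dir and return {version: affected}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {version: affected for _path, version, affected in find_struts_jars(root)}


if __name__ == "__main__":
    for version, affected in sorted(demo().items()):
        print(f"struts2-core-{version}.jar -> {'AFFECTED' if affected else 'ok'}")
```

On a real host you would call find_struts_jars on the application server's webapps or deployment root; the point of the range table is that a plain string comparison would wrongly flag 2.5.10.1, which is the fixed release.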
Utilize AssetView and ThreatPROTECT
Detect with WAS
Form-based or complex authentication? Non-standard installation paths? If so, WAS is the best solution. Qualys WAS can perform complex authentication and offers an enhanced crawling engine to locate hard-to-find directories. QID 150173 has been added to WAS to cover this vulnerability specifically.
Apache Struts2 Vulnerability: Qualys Web Application Firewall
Vikas Phonsa, Director of Product Management, Web Application Firewall
What is a WAF?
• An appliance, server plugin, or filter that applies a set of security rules to HTTP traffic
• Typically deployed as a reverse proxy in front of the web applications
• Protects web applications from threats like SQL injection, cross-site scripting, etc.
• Allows virtual patching
• Helps meet PCI DSS requirements
Qualys Platform Integrated Suite
Qualys WAF - Allowed Content Types
Whitelist the content types your web application actually accepts; malicious requests are blocked before they reach your web servers. For S2-045 this is effective because the OGNL payload is carried in the Content-Type value itself, which never matches a legitimate media type.
Qualys WAF - Custom Security Rules
Flexible, fine-grained custom security rules. Whitelist or blacklist content types using a variety of conditions. Regular expressions are supported.
New Attack Vectors
A follow-up Apache bulletin (S2-046) describes additional vectors against the same flaw, which apply when:
• The Struts2 application uses the Jakarta stream parser, which is not the default parser
• The size of the uploaded file, as given in the Content-Length header, is larger than 2 GB
• The file name in the Content-Disposition header contains an OGNL payload
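To make the allow-list and custom-rule ideas above concrete, here is an added Python example (not Qualys WAF code and not its rule syntax) of the checks such a rule set applies to each request: an allow-list of base media types, a regular expression for OGNL markers in the Content-Type header and in multipart Content-Disposition file names, and a Content-Length bound for the 2 GB vector. The allowed media types, the marker regex and the sample requests are assumptions constructed for the example.

```python
import re

# Media types the (hypothetical) application legitimately uses; an assumption for this example.
ALLOWED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "application/json",
}

# Markers that appear in OGNL expressions but never in a legitimate media type or file name.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|@ognl\.|\(#[A-Za-z_]")

TWO_GB = 2 * 1024 ** 3

# Multipart part headers live in the body, so the filename parameter is scanned there.
DISPOSITION_FILENAME = re.compile(
    rb'Content-Disposition:[^\r\n]*filename="([^"\r\n]*)"', re.IGNORECASE
)


def base_media_type(content_type):
    """Return the media type without parameters, lowercased, e.g. 'multipart/form-data'."""
    return content_type.split(";", 1)[0].strip().lower()


def inspect_request(headers, body=b""):
    """Return the list of reasons to block; an empty list means the request passes.

    headers: dict of header name -> value (names are compared case-insensitively).
    body: raw request body bytes, scanned only for Content-Disposition file names.
    """
    h = {name.lower(): value for name, value in headers.items()}
    reasons = []

    content_type = h.get("content-type", "")
    if content_type:
        if OGNL_MARKERS.search(content_type):
            reasons.append("OGNL expression in Content-Type header (S2-045)")
        elif base_media_type(content_type) not in ALLOWED_CONTENT_TYPES:
            reasons.append(f"Content-Type not in allow-list: {base_media_type(content_type)!r}")

    content_length = h.get("content-length", "")
    if content_length.isdigit() and int(content_length) > TWO_GB:
        reasons.append("Content-Length larger than 2 GB (S2-046 stream-parser vector)")

    for match in DISPOSITION_FILENAME.finditer(body):
        if OGNL_MARKERS.search(match.group(1).decode("latin-1")):
            reasons.append("OGNL expression in Content-Disposition filename (S2-046)")
            break
    return reasons


# Constructed sample requests (not captured traffic); the OGNL samples only carry markers, not working payloads.
SAMPLE_REQUESTS = {
    "benign_upload": (
        {"Content-Type": "multipart/form-data; boundary=----abc", "Content-Length": "512"},
        b'------abc\r\nContent-Disposition: form-data; name="file"; filename="report.pdf"\r\n\r\n...',
    ),
    "ognl_content_type": ({"Content-Type": "%{(#probe='multipart/form-data')}", "Content-Length": "0"}, b""),
    "unlisted_type": ({"Content-Type": "text/xml"}, b""),
    "oversize_length": (
        {"Content-Type": "multipart/form-data; boundary=x", "Content-Length": str(3 * 1024 ** 3)},
        b"",
    ),
    "ognl_filename": (
        {"Content-Type": "multipart/form-data; boundary=----abc", "Content-Length": "512"},
        b'------abc\r\nContent-Disposition: form-data; name="file"; filename="%{#probe}"\r\n\r\n...',
    ),
}


def run_samples():
    """Evaluate every sample and return {name: [reasons]}."""
    return {name: inspect_request(headers, body) for name, (headers, body) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(f"{name}: {'BLOCK ' + '; '.join(reasons) if reasons else 'allow'}")
```

Two caveats apply to a rule like this. It blocks on each S2-046 condition independently, which is stricter than the bulletin's combined conditions and may need tuning for applications that legitimately accept very large uploads, and a production WAF normalises and decodes headers before matching, which this sketch does not. Virtual patching of this sort buys time; the fix is the upgrade listed below.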
Upgrade to Apache Struts 2.3.32 or 2.5.10.1. If you cannot upgrade immediately, see the workarounds in the Apache security bulletins.
Comprehensive Security
DETECT & BLOCK STRUTS BUG
Start Your Free Trial Today
Thank You
fcatucci@qualys.com
vphonsa@qualys.com
www.qualys.com/struts