Indusface Total Application Security - Apache Struts RCE Vulnerability in REST Plugin

What is the Vulnerability?

Apache Struts 2 contains a remote code execution vulnerability caused by unsafe deserialization in the REST plugin when its XStream handler is used to process XML payloads. The vulnerability is triggered when the Struts 2 REST plugin attempts to deserialize specially crafted XML sent by an attacker; successful exploitation results in remote code execution, which can give the attacker complete control of the machine or allow them to launch further attacks from it.
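As an added illustration that is not part of this advisory or of the Struts or XStream code bases, the Java below contrasts an XStream instance left at its permissive default, where the class name carried in the XML decides which type the server instantiates, with one restricted to an allowlist of the types the endpoint actually expects. The Order class, the alias and the two sample documents are constructed for this example, and the permissive default is assumed to be that of XStream releases before 1.4.18.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardeningDemo {

    // Hypothetical request type a REST endpoint expects to receive.
    public static class Order {
        public String sku;
        public int quantity;
    }

    // Weak configuration: an unconfigured XStream (assumed pre-1.4.18 defaults) resolves
    // whatever class name the XML element or class attribute carries, so the client,
    // not the server, chooses which type is instantiated during deserialization.
    static XStream unrestricted() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    // Hardened configuration: deny every type first, then re-allow only what is needed.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // drop the "allow all" default
        xs.addPermission(NullPermission.NULL);                // null values are harmless
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { Order.class, String.class });
        xs.alias("order", Order.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed samples: a legitimate order, and a document naming a class the
        // endpoint never asked for (a harmless one here, but the choice is the client's).
        String order = "<order><sku>A-1</sku><quantity>2</quantity></order>";
        String unexpected = "<java.util.ArrayList/>";

        Object o = unrestricted().fromXML(unexpected);
        System.out.println("unrestricted instantiated: " + o.getClass().getName());

        try {
            allowlisted().fromXML(unexpected);
        } catch (ForbiddenClassException e) {
            System.out.println("allowlisted rejected: " + e.getMessage());
        }
        Order parsed = (Order) allowlisted().fromXML(order);
        System.out.println("allowlisted accepted order for sku " + parsed.sku);
    }
}
```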

CVE Details

• CVE-2017-9805

What are the risks?

Researchers have a simple working exploit for this vulnerability, which is also publicly available. The risks are severe for an organization that has the vulnerability, as attackers can take complete control of the server.

Do I need to worry about it?

This is an extremely critical vulnerability and customers who are affected by this vulnerability should take immediate action.

Am I protected with Indusface Web Application Firewall?

The core rule set in the Indusface Web Application Firewall protects you against attacks on the Apache Struts RCE vulnerability (CVE-2017-9805) by default. All our Indusface Total Application Security and WAF customers need not worry about it.

Will Indusface Web Application Scanning report this vulnerability?

A new signature based on heuristics, built by the Indusface Signature Dev team, was added and has been part of our scans from Sept 8th onward.

Since this is an infrastructure-level vulnerability, the Indusface WAS scanner relies on the response code, combined with certain heuristics, to identify it, so there is a chance of false positives. If our scanner reports the vulnerability, please contact our support team, who will help you verify whether it is really present.

Please note: in cases where the application has validations, filtered responses or customized responses, our application scanner will not be able to detect this vulnerability. For example:

• Content type validation

• Non-HTML response filtration

• Custom error message

• Firewall or network restriction for in-bound and out-bound traffic