
Apache Struts2 Vulnerabilities S2-048

IDs: S2-048, CVE-2017-9791
Keywords: Struts2
Description:

A critical Apache Struts2 vulnerability has been found which may allow remote code execution when using Struts 2.3.x with the Struts 1 plugin and Struts 1 actions. For details see [1].

Airlock WAF is not affected because Apache Struts2 is not used.

Resolution:

If you are using the Struts 1 plugin in Struts 2 on a back-end system, we strongly recommend applying the solutions described in [1] or upgrading to the newest Apache Struts 2.5.x version.

Alternatively, the vulnerability can be mitigated with a virtual patch on Airlock WAF. To do this, configure a custom Deny Rule with the following parameter value pattern. Enable the Deny Rule on all mappings connected to an affected back-end.

Pattern = %{
Case-sensitive = OFF
Invert = OFF

Note that this is the same virtual patch as described in the vulnerability report [2].
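As an added example (not the advisory's or Airlock's own code), the following Python emulates the Deny Rule above over constructed sample requests. It assumes the rule is applied to URL-decoded parameter values and that both the query string and a form-encoded body count as parameters.

```python
from urllib.parse import parse_qsl

# Settings taken from the Deny Rule in the advisory: a literal "%{" in any
# parameter value, matched case-insensitively and not inverted. Both switches
# are moot for a pattern without letters but are mirrored for fidelity.
DENY_PATTERN = "%{"
CASE_SENSITIVE = False
INVERT = False


def value_matches(value: str) -> bool:
    """Return True if one decoded parameter value triggers the deny pattern."""
    if CASE_SENSITIVE:
        hit = DENY_PATTERN in value
    else:
        hit = DENY_PATTERN.lower() in value.lower()
    return (not hit) if INVERT else hit


def check_request(query_string: str, body: str = "") -> dict:
    """Emulate the Deny Rule over all parameters of one request.

    Assumption: the WAF inspects URL-decoded values, so parse_qsl decodes
    percent-escapes first and an encoded "%25%7B" is still caught.
    Returns the block decision and the names of the offending parameters.
    """
    params = parse_qsl(query_string, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    offending = [name for name, value in params if value_matches(value)]
    return {"blocked": bool(offending), "parameters": offending}


# Constructed sample requests (not taken from the advisory).
SAMPLES = {
    "benign search": ("q=struts+plugin&page=2", ""),
    "marker in form body": ("", "name=%{constructed}"),
    "percent-encoded marker": ("id=7&msg=%25%7Bconstructed%7D", ""),
}

if __name__ == "__main__":
    for label, (query, body) in SAMPLES.items():
        print(label, "->", check_request(query, body))
```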

Component: Airlock
Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: Back-ends may be vulnerable, see resolution