
Struts2: incorrect default exclude patterns

IDs: 
CVE-2015-1831, CB-K15/0640, S2-024
Keywords: 
Struts2
Description: 

An Apache Struts2 vulnerability was introduced in version 2.3.20: the default exclude patterns for request parameter names are incorrectly defined, so an attacker can manipulate the application's internal state [1]. The vulnerability is fixed in version 2.3.20.1, which defines a correct set of default exclude patterns.

Airlock WAF is not affected because Apache Struts2 is not installed/used.

Resolution: 

If you are using Apache Struts2 2.3.20 on a back-end application, we strongly recommend updating to version 2.3.20.1 or higher.

If you are not able to update Struts2, the vulnerability can be mitigated with a virtual patch on Airlock WAF. To do this you can define and activate the following parameter name deny rule for all affected mappings.

Pattern:

^(?:action|method):

Case-sensitive = OFF
Invert = OFF

In contrast to the fix in Struts2 2.3.20.1, which only stops setting parameters with such names on the internal parameter stack, this rule blocks any request that contains a parameter whose name has this form. If you enable this pattern, test your application for false-positive blocks first.
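To check which requests the rule above would block before enabling it, the following added example (not Airlock's code and not part of the original advisory) re-implements the deny rule in Python and runs it over a few constructed query strings and form bodies. The sample paths and parameter names are invented, and the example assumes, as a WAF parameter-name rule does, that the pattern is matched against the percent-decoded parameter name and never against the value.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Re-implementation (added here, not Airlock's code) of the parameter-name
# deny rule from this advisory: same pattern, Case-sensitive = OFF
# (re.IGNORECASE), Invert = OFF (a match means "block").
DENY_PATTERN = re.compile(r"^(?:action|method):", re.IGNORECASE)


def parameter_names(encoded: str) -> list[str]:
    """Parameter names of an application/x-www-form-urlencoded string.

    Works for a URL query string and for a form POST body alike. parse_qsl
    percent-decodes, so 'action%3Afoo' is seen as 'action:foo'; the
    assumption here is that the WAF evaluates the rule on the decoded name.
    """
    return [name for name, _ in parse_qsl(encoded, keep_blank_values=True)]


def denied_names(encoded: str) -> list[str]:
    """Names the deny rule matches. Only names are inspected, never values,
    so 'q=action:find' passes while 'action:find=1' does not."""
    return [n for n in parameter_names(encoded) if DENY_PATTERN.search(n)]


def is_blocked(request_target: str, body: str = "") -> bool:
    """True if the rule would block a request with this target and body."""
    query = urlsplit(request_target).query
    return bool(denied_names(query) or denied_names(body))


def review(samples: list[tuple[str, str]]) -> list[tuple[str, list[str]]]:
    """Run the rule over (request_target, body) pairs and return the blocked
    ones together with the offending names: the input for a false-positive
    review against real traffic samples."""
    blocked = []
    for target, body in samples:
        names = denied_names(urlsplit(target).query) + denied_names(body)
        if names:
            blocked.append((target, names))
    return blocked


# Constructed sample requests (hypothetical paths and parameters).
SAMPLE_REQUESTS = [
    # Struts2 DMI-style names the rule is meant to catch:
    ("/app/list.action?action:redirect=http%3A%2F%2Fattacker.example%2F", ""),
    ("/app/list.action?Method:execute=1", ""),                 # case-insensitive
    # Legitimate names that merely start with the same words:
    ("/app/list.action?actionId=42&methodName=list", ""),
    # Pattern text in a value only:
    ("/app/search.action?q=action%3Afind", ""),
    # Encoded colon in a POST body name:
    ("/app/save.action", "name=bob&action%3Aforward=x"),
    ("/app/list.action?page=2&sort=name", ""),
]

if __name__ == "__main__":
    for target, names in review(SAMPLE_REQUESTS):
        print(f"BLOCK {target}  matched names: {names}")
```

Run it against a sample of your own access logs (query strings and form bodies) rather than the constructed list: every request it reports with a name that is not a Struts2 `action:`/`method:` prefix is a false positive the rule would produce on the affected mapping.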

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Airlock protects, requires changes in configuration