What happened?

A new vulnerability has been discovered in Apache Struts 2 that can lead to Remote Code Execution (RCE). The vulnerability is located in the core of Apache Struts, so all applications that use Struts are potentially vulnerable, even when no additional plugins are enabled.

Details of the vulnerability

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are exposed to possible Remote Code Execution when a result is configured without a namespace while, at the same time, its enclosing action(s) have no namespace or a wildcard namespace. The same applies when a url tag has neither its value nor its action attribute set while, at the same time, its enclosing action(s) have no namespace or a wildcard namespace.

Sources:

Statements on our products

Our products are not impacted as we do not use Apache Struts 2.

We recommend updating Apache Struts 2 as soon as possible, as this vulnerability is fixed in Apache Struts 2.3.35 and 2.5.17.

R&S®Web Application Firewall

  • R&S®Web Application Firewall and i-Suite block some exploit variants by default, but not all of them. To mitigate the RCE, we recommend adding the following blocking rule to your ICX configurations:
Path matches regexp (?i:[\%\$]++\{++\(*+\#|\@(?:org\.apache\.struts2\.ServletActionContext\@|java\.lang\.Runtime@getRuntime\(\)\.)\w++\(|(?:^|\/)\$++\{++\(*+[\%\-\+\*\/\d]++\)*+\})

You can also create a custom pattern and apply it to each ICX configuration.

Rules are available in the following backups:

We will update the Command Injection pattern to block this vulnerability by default in the forthcoming security update release.

  • The rWeb product blocks exploits with the 'Scripting language injection' advanced engine. The PHP code injection option has to be enabled:

If you are not using this advanced engine, create a custom rule on each blacklist template. The filter type has to be 'URI' with the 'deny' action and the following regexp:

(?i:[\%\$]++\{++\(*+\#|\@(?:org\.apache\.struts2\.ServletActionContext\@|java\.lang\.Runtime@getRuntime\(\)\.)\w++\(|(?:^|\/)\$++\{++\(*+[\%\-\+\*\/\d]++\)*+\})

We will update the blacklist to block this vulnerability by default in the forthcoming security update release.
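The ICX rule above and the rWeb blacklist regexp are the same pattern, so a single harness can be used to check both before they are deployed. The following is an added example and not part of the advisory or of any R&S product; it assumes the engine matches the rule against the percent-decoded path, and the request paths are constructed test vectors, not captured traffic.

```ruby
# Added example (not part of the advisory and not R&S product code): a small
# harness that applies the advisory's blocking regexp to constructed request
# paths, so the rule can be checked against known-good and known-bad paths
# before it is deployed.

# The regexp exactly as it appears in the advisory. It uses possessive
# quantifiers (++, *+), so it needs an engine that supports them, such as
# Java's java.util.regex, PCRE or Ruby's Onigmo; RE2-based engines reject it.
STRUTS_RULE = Regexp.new(
  '(?i:[\%\$]++\{++\(*+\#|\@(?:org\.apache\.struts2\.ServletActionContext\@|' \
  'java\.lang\.Runtime@getRuntime\(\)\.)\w++\(|(?:^|\/)\$++\{++\(*+[\%\-\+\*\/\d]++\)*+\})'
)

# Single-pass percent-decoding, hand-rolled so that '+' is left untouched.
# Assumption: the WAF matches the decoded path; how ICX or rWeb normalise a
# path before matching must be checked in the product documentation.
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# True when the rule would deny this path (decode: false tests the raw path).
def blocked_by_rule?(path, decode: true)
  STRUTS_RULE.match?(decode ? percent_decode(path) : path)
end

# Returns the subset of paths that the rule denies.
def denied_paths(paths, decode: true)
  paths.select { |p| blocked_by_rule?(p, decode: decode) }
end

# Constructed test vectors (not captured traffic): ordinary paths that must
# pass, one path per branch of the rule, and a percent-encoded variant that
# only matches once the path has been decoded.
SAMPLE_PATHS = [
  '/orders/list.action',
  '/reports/2018-08/summary.action',
  '/catalog/${price}',
  '/${(#foo)}/help.action',
  '/${(2+3)}/actionChain1.action',
  '/@org.apache.struts2.ServletActionContext@getRequest()/x',
  '/%24%7B%28%23foo%29%7D/help.action'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PATHS.each do |p|
    puts "#{blocked_by_rule?(p) ? 'DENY ' : 'ALLOW'} #{p}"
  end
end
```

The encoded vector is the check worth keeping: if your engine applies the rule to the raw path, that variant passes through, so confirm where in the request pipeline the pattern is evaluated.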

R&S®Cloud Protector

A custom rule has been deployed on all security profiles.

For any further details, we invite you to contact the Support Team.