<iframe src="//www.googletagmanager.com/ns.html?id=GTM-WQV6DT" height="0" width="0" style="display:none;visibility:hidden">

SECURITY INFLUENCERS BLOG

Security influencers provide real-world insight and “in-the-trenches” experiences on topics ranging from application security to DevOps and risk management

CVE-2017-5638 – Struts 2 S2-045 Exploit Released – Protection Offered

Posted on March 10, 2017 by Arshan Dabirsiaghi, Co-Founder, Chief Scientist

Topics: Hacked

On March 6, a new remote code execution vulnerability was disclosed1 against Struts 2 (2.3.5-2.3.31 and 2.5-2.5.10.) Most likely, if you're using Struts 2, you are vulnerable to a one-shot attack which can run arbitrary system commands.

On March 7, while everyone was busy frantically grepping through Vault7, a devastatingly simple exploit was released to packetstorm2. Rapid7 researcher Tom Sellers released a great honeypot analysis3 showing weaponized mass exploitation late in the day Wednesday, March 8 coming from China.

Contrast Protect customers were able to defend their whole portfolio within hours of the first announcement using a Virtual Patch. We've also just released a new, more robust CVE Shield which allows customers to get code-level insights into this and any similar attacks. 

Broadly, the suggestions from the security community are really annoying for developers to hear. Most of the recommendations have been centered around these options:

  • Upgrade your version of Struts 2
  • Switch your underlying multi-part library
  • Tighten up your network ACLs

A few questions:

  • Does this sound like the type of advice you can apply to your organization at scale, in minutes?
  • Does this do anything to protect all of your apps that have Struts 2 bundled inside of them?
  • What sounds better – telling developers to upgrade, or telling them "upgrade when you can, we've got you covered!"?

We need to change how we think about securing our apps. 

Deep Security Instrumentation through Contrast Protect infuses apps with an immune system capable of adapting to new threats without having to ride the white-knuckle roller coaster of “patch before I get pwned."

1 https://cwiki.apache.org/confluence/display/WW/S2-045
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
3 https://community.rapid7.com/community/infosec/blog/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild

Arshan Dabirsiaghi, Co-Founder, Chief Scientist

Arshan Dabirsiaghi, Co-Founder, Chief Scientist

Arshan is an accomplished security researcher with 10+ years of experience advising large organizations about application security. Arshan has released popular application security tools, including AntiSamy and JavaSnoop.

comments powered by Disqus

SIGN UP FOR BLOG UPDATES

"When we instrumented applications at the UK's largest Government Department with Contrast Assess, it was like handing our project teams an incredibly powerful debugging agent containing the sum total of application security knowledge.” 

Declan O'Riordan
Security Testing Manager
Testing IT, Ltd.
Laptop-Blue-Bg.jpg

schedule a demo now

Discover how easy it is to spot & stop attacks in real-time.
Laptop.png
Get Demo