Platform
Contrast Secure Code Platform

Contrast Scan (SAST)

Contrast Assess (IAST)

Contrast Protect (RASP)

Contrast Software Composition Analysis (SCA)

Contrast Serverless (Cloud Native)
Developer Central

Log4j Response

Pricing

How We Compare

Languages

Integrations
Solutions
BY USE CASE

Why IAST?

DevSecOps

Automated Penetration Testing

AppSec Monitoring

API Security

Software Supply Chain Security

Runtime Protection

Software Bills of Materials (SBOMs)

GitHub CI/CD

Compliance Testing

Services

BY DEPARTMENT

Dev and DevOps Teams

Security

DevSecOps

CISO

BY INDUSTRY

Government

Financial Services

Healthcare

Others
Partner
Technology Partners

Systems Integrators

Ecosystem Integrations

Managed Security Services Providers

Channel Partners Overview

Cloud Partners

GitHub
Partner Program Overview

Become a Partner

Find a Partner

Visit Partner Portal
GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Read the Blog
Customers
Company
About Us

Leadership Team

Culture & Careers

Women of Contrast

Contact Us
Blog

Events & Webinars

Newsroom

Podcast

Awards
Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Learn More
Resources
Contrast for Developers

Contrast Secure Code Learn Hub

Contrast Community

Resource Center

OWASP Top 10

Accountability & Transparency

SBOMs

ContrastLive

Support

Services

Trust Center

Documentation

Product Release Notes

Blog

Podcast

Events

Glossary
Contrast Incident Response Hub

Spring4Shell Vulnerability

Log4j Vulnerability

Weekly CISO Update

Trust Center
Developers

VULNERABILITY ALERT: CVE-2017-9805 – Struts S2-052 Exploit Released, Protection Offered

By Arshan Dabirsiaghi, Co-Founder, Chief Scientist

September 6, 2017

VULNERABILITY ALERT: CVE-2017-9805 – Struts S2-052 Exploit Released, Protection Offered

On Tuesday, September 5, 2017, a critical new Remote Code Execution (RCE) vulnerability was disclosed against all previous versions of the Apache Struts 2 REST Plugin [1] available in those packages with Struts 2 between 2.0.0 and 2.5.12 (inclusive). The library uses XStream to deserialize HTTP input without any type enforcement, allowing attackers to specify unexpected types and cause arbitrary and malicious behavior.

Exploitation can occur in a single, possibly unauthenticated HTTP request. However, unlike previous Struts 2 vulnerabilities, the likelihood of weaponized mass exploitation of this vulnerability is estimated to be low for the following reasons:

This vulnerability only affects applications that use Struts 2 as well as the Struts 2 REST Plugin. ZDNet, amongst others, are overestimating the prevalence of the vulnerability [2] because they assume that everyone using Struts 2 is also using the Struts 2 REST Plugin. We identified less than 1% of the Java applications we’re in charge of assessing and protecting using Struts 2 REST Plugin. The metrics available on Maven show that the Struts 2 Core library has 167 downstream consumers [6], while the Struts 2 REST Plugin library has 9 [7] which indicates its volume of usage.
The vulnerability may require authentication to exploit.

However, targeted exploitation is not technically challenging and exploit kits like Metasploit are in the process of adding it as of this writing [3].

CVE IMPACT:

Given that this is an arbitrary remote code execution vulnerability, the impact is critical. Successful exploitation would allow a complete host takeover, including disclosure of any sensitive assets, data corruption, and a permanent foothold in the network for further attacks.

CONTRAST PROTECTION:

Contrast released a new version of Protect (SaaS deployment) on Wednesday, September 6, 2017 at approximately 6:20 PM EDT, which provides full protection against this vulnerability, as well as broad protection against future deserialization attacks. Customers who are using Protect (SaaS deployment) are now protected against this CVE and need not take further action.

(Contrast Labs has done landmark research in deserialization flaws. In fact, the exploit for this issue is technically very similar to an exploit we released for CVE-2016-0792, a deserialization vulnerability against Jenkins we disclosed in 2016.)

Contrast can protect against this vulnerability across the entire SDL, from early in development all the way through production. Simply adding the Contrast agent to your development, test, and production environments quickly provides broad protection against this and other vulnerabilities.

Contrast Assess has accurately reported this vulnerability to development teams out of the box, as well as a variety of other deserialization vulnerabilities. Contrast will now specifically alert today on any usage of the vulnerable versions of this library in your organization.

Contrast Protect defends applications and APIs against many of the possible ways to exploit this vulnerability out of the box. We have enhanced this protection to provide broad protection against future deserialization attacks.

OTHER DEFENSE OPTIONS:

For applications that do not have Contrast Protect in place, there is really only one other option. Upgrade to the latest version of Struts 2.5.13 or Struts 2.3.34, which will require recoding, retesting, and redeploying these applications.

TIMELINE:

Sept 5, 10:30 AM EDT - lgtm announces vulnerability discovery [4].
Sept 5, 10:00 PM EDT - exploit from China published to GitHub [5].
Sept 5, 11:30 PM EDT - Contrast Labs verifies exploitability and identifies limited product gaps.
Sept 6, 10:00 AM EDT - Contrast Engineering and Contrast Labs perform final testing on Java Agent product changes and begins production deployment.
Sept 6, 6:20 PM EDT - Last region has Java Agent deployed.

[1] https://struts.apache.org/docs/s2-052.html
[2] http://www.zdnet.com/article/critical-security-bug-threatens-fortune-100-companies/
[3] https://github.com/rapid7/metasploit-framework/pull/8924
[4] https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement
[5] https://github.com/jas502n/St2-052/commit/471d519276230e4bdc878326a5714338669e6055#diff-04c6e90faac2675aa89e2176d2eec7d8
[6] https://mvnrepository.com/artifact/org.apache.struts/struts2-core/usages
[7] https://mvnrepository.com/artifact/org.apache.struts/struts2-rest-plugin/usages

Hacked Contrast News

Arshan Dabirsiaghi, Co-Founder, Chief Scientist

Arshan is an accomplished security researcher with 10+ years of experience advising large organizations about application security. Arshan has released popular application security tools, including AntiSamy and JavaSnoop.

Thoughts on Modern Security Practices and Security Frameworks

A Week of Web Application Hacks and Vulnerabilities

BY USE CASE

BY DEPARTMENT

BY INDUSTRY

GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Contrast Incident Response Hub