Qualys Blog

www.qualys.com
Frank Catucci

A Comprehensive Approach to Detect and Block the Struts Critical Vulnerability CVE-2017-5638

With hackers taking advantage of the Apache Struts vulnerability and aggressively attacking enterprises worldwide, Qualys can protect your organization from this critical bug, which is hard to detect and difficult to patch.

Recently disclosed, the Struts vulnerability is being actively attacked in the wild, as hackers jump at the chance to hit high-profile targets by exploiting this critical bug. Struts, an Apache open source framework for creating “enterprise-ready” Java web applications, is abundantly present in large Internet companies, government agencies and financial institutions.

For an informative walkthrough of the vulnerability and the Qualys detections, please view the Detect and Block Apache Struts Bug webcast recording.

The Lowdown on the Vulnerability

In its emergency security alert, Apache classified the vulnerability in Struts’ Jakarta Multipart parser as high risk, warning of remote code execution (RCE) attacks, which can lead to complete system compromises.

Specifically, the affected parser – present in Struts 2.3.5 to 2.3.31, and in 2.5 to 2.5.10 — mishandles file upload, which lets remote attackers execute arbitrary commands via a #cmd= string in a specially crafted Content-Type HTTP header, as described in the vulnerability’s CVE-2017-5638 entry.

In our own detailed analysis, we noted that exploits of this vulnerability don’t necessarily require upload functionality to be implemented on a web app, and that they can be carried out with only the presence of a vulnerable library.

Tackle Struts with Qualys

Struts_BugWhile the solutions sound straightforward on the surface — upgrade to Struts version 2.3.32 or 2.5.10.1, or switch to a different implementation of the parser – detecting the bug can be tricky for organizations, and patching it can be complicated and time consuming.

As Ars Technica stated recently, fixing the Struts vulnerability isn’t always straightforward because web apps often must be rebuilt and older apps may require exhuming “long-forgotten source code” and carefully testing the finished binary.

But Qualys can help you protect your organization. With AssetView, ThreatPROTECT, Vulnerability Management, Web Application Scanning and Web Application Firewall all bundled together in Qualys Suite, you can find Struts in your environment quickly, comprehensively and at scale, as well as shield your organization from Struts attacks while you identify and patch vulnerable systems.

AssetView and ThreatPROTECT

Qualys AssetView quickly gives your IT and security teams a complete, up-to date view of all Apache Struts servers in your environment. A centrally managed service, AssetView can monitor all Apache Struts images inside and outside of the environment, including within elastic clouds.

Using its unique asset tagging feature, you can build a dynamic tag to keep track of all Apache Struts servers. This tag will be continuously updated in real-time to flag any new Apache Struts servers that might pop up in the environment.

Meanwhile, Qualys ThreatPROTECT with its live feed gives you a quick view of all of your assets that have this Struts vulnerability, as well as a technical writeup from Qualys Vulnerability Labs detailing the vulnerability and current exploits.

struts TP AV

Comprehensive Detection with VM and WAS

Qualys offers two mechanisms to detect Struts whether it resides on an internet-facing web server or within an internal network or in the cloud.

Vulnerability Management (VM)

Qualys has released QID 11771, which can be found using a standard Qualys Vulnerability Management scan against your web servers.  This solution may be leveraged when form-based authentication is not necessary and the default location of Struts .action and/or .do remains constant. This VM check can be utilized at extremely large scale and efficiency.

UPDATE: QID 11771 now supports Tomcat authentication on Linux and Unix hosts. This added detection looks for “struts core” jar files in deployed web applications directories and lib folder of the Tomcat server. Once it successfully finds the jar file, version information is extracted from that jar files and compared.

struts vm

Qualys also offers QID 45258 and QID 45257 which could be useful in discovering where struts is installed:

45258 Apache Struts Detected On Linux Under Common Directories

45257 Apache Struts Detected On Windows Under Common Directories

These are informational QIDs, so they don’t find any vulnerability, but rather help in determining where struts could be installed.

Web Application Scanning (WAS)

If form authentication and non-default paths and redirects are utilized within your Apache environments, Qualys Web Application Scanning is the ideal solution.

Not only can Qualys WAS perform complex authentication methods, it also offers an enhanced crawling engine to locate those hard to find directories.

The ability to crawl is paramount in properly finding, testing and detecting this vulnerability across your entire IT infrastructure and application environments.

This method of testing will allow you to detect this vulnerability at scale. QID 150173 has been added to WAS to cover this vulnerability specifically, and is included with Vulnsigs version 2.3.560-6 / WAS-4.1.96-1 and later.

You can confirm your version of WAS by going to Help > About from the WAS module.

struts was

Our Detection Methodology:

The detection makes use of the Content-Type HTTP header to send a specially crafted packet. The header is shown below:

Content-Type: %{#context[‘com.opensymphony.xwork2.dispatcher.HttpServletResponse’].addHeader(‘X-Qualys-Struts’,3195*5088)}.multipart/form-data

The request asks the webserver to multiply two numbers and can be used to request the web server to perform any other operation. In the example above the two numbers are 3195 and 5088. If the scanner received the correct answer from the webserver, i.e. 16256160 in this example it is concluded that the server is vulnerable and the response (with the request) is shown in the Wireshark screen capture below. The multiplication answer is in the HTTP response header.

struts detection

Protect and Defend with Web Application Firewall (WAF)

Qualys Web Application Firewall adds the ability to easily block this vulnerability when upgrades or changes cannot be made due to change control or the possibility of breaking existing installations or legacy uses.

As you can see, a wide variety of custom rule conditions can be used to meet the specific security needs of your application.

Further details can be found here: Qualys WAF 2.0 Protects Against Critical Apache Struts Jakarta Vulnerability (CVE-2017-5638).

Get Started Now

To start detecting and protecting against the Apache Struts bug, get a Qualys Suite trial. All features described in this article are available in the trial.

Note: This blog post was updated on March 22, 2017 with additional detail.

(Amol Sarwate, Director of Qualys Vulnerability Labs; Jimmy Graham, Director of Product Management, AssetView; and Vikas Phonsa, Director of Product Management, Web Application Firewall, all contributed with this article.)

4 responses to “A Comprehensive Approach to Detect and Block the Struts Critical Vulnerability CVE-2017-5638”

  1. Will I be effected by this if I have no file upload form on my site? As in, can someone submit an ognl file to a regular form and have it parsed?

    • Hello Austin,

      It is important to note that the presence of vulnerable library is enough to exploit the vulnerability. The web application doesn’t necessary need to implement file upload functionality to exploit this vulnerability.

      Thank you.

    • Hello Charles,

      Currently, it does not appear that struts 1.x is affected by this vulnerability, as the affected code does not appear to be present in struts 1.x

      Thank you.

Leave a Reply