This week, it was reported that certain versions of the Apache Struts 2 Framework are vulnerable to Remote Code Execution attacks. Remote Code Execution is the ability for an attacker to execute their code on another server, in ways which were not intended by the application owner. Successful exploitation of this vulnerability may allow attackers to deliver malicious payloads, which vary in nature. Preliminary findings indicate that attackers are actively targeting this vulnerability for the purpose of probing, and in some cases for the distribution of malware. (See this blog for more.)
How Do I Know Whether My Applications Are Vulnerable?
Struts 2.3.5 – 2.3.31 and 2.5 – 2.5.10 are vulnerable versions. Once discovered, WhiteHat’s R&D Team immediately implemented the ability to identify this vulnerability.
For DAST, our dynamic scanner has been updated to include production-safe automated tests for this vulnerability, which our Security Engineers are actively validating.
For SAST, WhiteHat provides Software Composition Analysis, which identifies any known CVEs present in your libraries and frameworks. Our database of known CVEs was immediately updated to identify and report on the vulnerable versions of Apache Struts 2.
What Can I Do to Protect and Remediate?
If you are using a vulnerable version of Apache Struts 2, the recommended remediation is to upgrade to Apache Struts version 2.3.32 or 126.96.36.199. Once patched, any related WhiteHat findings will be automatically closed during the next iteration of your testing.