Trustwave Spiderlabs is pleased to announce the release of CorSigs version 4.51 for Trustwave Web Application Firewall (WAF) versions 7.6, 8.0, 8.5 and 9.0. These rules are written to detect attacks or classes of attacks on web applications and their components.
This release includes the following new signatures:
- CVE-2017-12611:Apache Struts 2 - FreeMarker tag RCE
In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
- CVE-2017-9805:Apache Struts 2 - REST Plugin XStream RCE
The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
- CVE-2017-9791:Apache Struts 2 - Showcase Remote Code Execution
The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
- CVE-2013-4316:Apache Struts - Dynamic Method Invocation Attempt
Apache Struts 2.0.0 through 126.96.36.199 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
- CVE-2010-1870:Apache Struts - XWork ParameterInterceptors Bypass
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 188.8.131.52, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the #context, #_memberAccess, #root, #this, #_typeResolver, #_classResolver, #_traceEvaluations, #_lastEvaluation, #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
How to Update
No action is required by customers running versions 7.6, 8.0, 8.5 or 9.0 of Trustwave Web Application Firewall and whom subscribe to the online update feature. Their deployments will update automatically.
Please note that even if blocking actions are defined for a protected site, Simulation Mode for these rules is ON by default in order to allow site managers to inspect the impact of new rules before blocking relevant traffic. If you want to activate blocking actions for this rule, you must update the Actions for this signature in the Policy Manager.