Trustwave Web Application Firewall Signature Update 4.51 Now Available

Trustwave Spiderlabs is pleased to announce the release of CorSigs version 4.51 for Trustwave Web Application Firewall (WAF) versions 7.6, 8.0, 8.5 and 9.0. These rules are written to detect attacks or classes of attacks on web applications and their components.

Release Summary

This release includes the following new signatures:

  • CVE-2017-12611:Apache Struts 2 - FreeMarker tag RCE
  • In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
  • CVE-2017-9805:Apache Struts 2 - REST Plugin XStream RCE
  • The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
  • CVE-2017-9791:Apache Struts 2 - Showcase Remote Code Execution
  • The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
  • CVE-2013-4316:Apache Struts - Dynamic Method Invocation Attempt
  • Apache Struts 2.0.0 through enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
  • CVE-2010-1870:Apache Struts - XWork ParameterInterceptors Bypass
  • The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the #context, #_memberAccess, #root, #this, #_typeResolver, #_classResolver, #_traceEvaluations, #_lastEvaluation, #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

How to Update

No action is required by customers running versions 7.6, 8.0, 8.5 or 9.0 of Trustwave Web Application Firewall and whom subscribe to the online update feature. Their deployments will update automatically.

Please note that even if blocking actions are defined for a protected site, Simulation Mode for these rules is ON by default in order to allow site managers to inspect the impact of new rules before blocking relevant traffic. If you want to activate blocking actions for this rule, you must update the Actions for this signature in the Policy Manager.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.