2025-01-18 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
On March 8-9, 2017, a vulnerability in Apache Struts2 was disclosed that has a wide range of effects and a high level of harm: at the light end, infection of system files; at the serious end, paralysis of the whole system.
The China National Vulnerability Database of Information Security (CNNVD) received a report of the Apache Struts2 S2-045 remote code execution vulnerability (CNNVD-201703-152). CNNVD's analysis of the vulnerability is as follows:
Details can be found on the official website:
http://www.cnvd.org.cn/flaw/show/CNVD-2017-02474
360: http://bobao.360.cn/interref/appdetail/43.html
1. Vulnerability profile
Apache Struts is an open source project maintained by Apache Software Foundation. It is an open source MVC framework for creating enterprise-level Java Web applications. It mainly provides two versions of framework products: Struts 1 and Struts 2.
Apache Struts versions 2.3.5 - 2.3.31 and 2.5 - 2.5.10 are vulnerable to remote code execution (CNNVD-201703-152, CVE-2017-5638). The vulnerability exists because the exception handling in the file upload feature does not properly handle error messages that contain user-supplied input. A remote attacker could exploit it by sending malicious packets to execute arbitrary commands on the affected server.
2. Vulnerability hazard
An attacker can exploit the vulnerability by sending maliciously constructed HTTP packets to execute system commands on the affected server, gaining further control of it and causing denial of service, data leakage, website tampering, and so on. Because exploitation requires no preconditions (such as enabling DMI or debug mode) and no plug-ins, the vulnerability is especially serious.
3. Repair measures
Apache has issued a security advisory for this vulnerability. Affected users should promptly check whether they are exposed to it.
3.1 Self-check method
Users can check the struts2-core-x.x.x.jar file under WEB-INF/lib/ in the web application directory; the installation is vulnerable if the version is between Struts 2.3.5 and 2.3.31 or between Struts 2.5 and 2.5.10.
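The self-check above can be scripted. The following POSIX shell script is an added example, not part of the original advisory: it looks for struts2-core jars under a webapp's WEB-INF/lib and compares each version against the affected ranges (2.3.5 to 2.3.31 and 2.5 to 2.5.10), treating the fixed releases 2.3.32 and 2.5.10.1 as safe. The Maven-style file name struts2-core-<version>.jar, the webapp path argument and the script name s2045-check.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: self-check for S2-045 exposure by
# inspecting the struts2-core jar version under a webapp's WEB-INF/lib.
# Assumes the Maven naming convention struts2-core-<version>.jar.

# Return 0 if VERSION falls in an affected range (2.3.5-2.3.31 or 2.5-2.5.10),
# 1 otherwise. 2.3.32 and 2.5.10.1 are the fixed releases, so they return 1.
struts_vulnerable() {
    # Drop qualifiers such as "-SNAPSHOT" so only the numeric fields remain.
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    # Split on "." into positional parameters; missing fields default to 0,
    # so a bare "2.5" is treated as 2.5.0 and "2.5.10" as build 0.
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}; build=${4:-0}
    [ "$major" -eq 2 ] 2>/dev/null || return 1
    case "$minor" in
        3) if [ "$patch" -ge 5 ] && [ "$patch" -le 31 ]; then return 0; fi ;;
        5) if [ "$patch" -lt 10 ]; then return 0; fi
           if [ "$patch" -eq 10 ] && [ "$build" -eq 0 ]; then return 0; fi ;;
    esac
    return 1
}

# List every struts2-core jar under WEBAPP/WEB-INF/lib and flag affected
# versions. Returns 1 if any affected jar was found, 0 otherwise.
check_webapp() {
    found=0
    for jar in "$1"/WEB-INF/lib/struts2-core-*.jar; do
        [ -e "$jar" ] || continue        # glob matched nothing
        name=$(basename "$jar" .jar)
        ver=${name#struts2-core-}
        if struts_vulnerable "$ver"; then
            echo "AFFECTED  $jar (version $ver; upgrade to 2.3.32 or 2.5.10.1)"
            found=1
        else
            echo "ok        $jar (version $ver)"
        fi
    done
    return $found
}

# Usage: sh s2045-check.sh /path/to/webapp
if [ $# -gt 0 ]; then
    check_webapp "$1"
fi
```

The script only reads the jar's file name, so it is safe to run on a production host; a non-zero exit status means at least one affected jar was found and the upgrade in section 3.2 applies.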
3.2 Upgrade repair
Affected users can upgrade to Apache Struts 2.3.32 or Apache Struts 2.5.10.1 to eliminate the vulnerability.
http://struts.apache.org/download.cgi#struts25101
3.3 Temporary relief
If upgrading is inconvenient, the following temporary measures can be adopted:
Delete the commons-fileupload-x.jar file (this disables file uploads). Do not apply this measure rashly, or the website may become inaccessible; consult the responsible developers and verify the impact before deleting.
4. Reflections after the vulnerability
4.1 Security isolation, vulnerability investigation, and guarantees of business continuity.
4.2 Web cluster support, so that the business keeps running when a node fails.
4.3 Hosting the web tier on cloud virtual machines is preferable; the provider's professional inspection mechanisms are better.
4.4 A reliable backup mechanism to ensure data integrity.
4.5 Backdoor detection (checking whether system commands have been tampered with), vulnerability scanning, and system security protection.
4.6 Logging support (to reasonably determine by what route the system was compromised), as well as behavioral auditing.
4.7 Security protection after the vulnerability.
...