On March 6, a new remote code execution vulnerability, S2-045 (CVE-2017-5638), was disclosed [1] in Struts 2 (versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10). If you run Struts 2 with its default Jakarta multipart parser, you are almost certainly vulnerable to a one-shot attack: a single crafted request runs arbitrary system commands on the server.
On March 7, while everyone was busy frantically grepping through Vault7, a devastatingly simple exploit was published on Packet Storm [2]. Rapid7 researcher Tom Sellers posted a great honeypot analysis [3] showing weaponized mass exploitation, originating from China, late in the day on Wednesday, March 8.
Contrast Protect customers were able to defend their whole portfolio within hours of the first announcement using a Virtual Patch. We have also just released a new, more robust CVE Shield that gives customers code-level insight into this and any similar attacks.
Broadly, the advice coming from the security community is annoying for developers to hear. Most of the recommendations center on three options:
- Upgrade your version of Struts 2
- Switch your underlying multipart library
- Tighten up your network ACLs
A few questions:
- Does this sound like the type of advice you can apply to your organization at scale, in minutes?
- Does this do anything to protect all of your apps that have Struts 2 bundled inside of them?
- What sounds better – telling developers to upgrade, or telling them "upgrade when you can, we've got you covered!"?
We need to change how we think about securing our apps.
Deep Security Instrumentation through Contrast Protect gives apps an immune system that adapts to new threats, without the white-knuckle roller coaster of "patch before I get pwned."
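For readers who want to see what a request-layer defense for S2-045 amounts to, here is an added example. It is not Contrast's product code and not code from the Struts project; it implements the Struts advisory's own workaround of validating the Content-Type header before the multipart parser ever sees it. The S2-045 payload is an OGNL expression carried in Content-Type, and OGNL markup needs characters (`{`, `(`, `=`, quotes) that are not legal in a media-type token, so a strict allowlist grammar rejects it without any exploit-specific signature. The sample requests, the header names chosen for lookup, and the `screen_request` and `screen_all` helpers are constructed for this demonstration.

```python
import re

# Allowlist grammar for a Content-Type value, following the RFC 7230/7231 shape:
#   type "/" subtype *( ";" parameter )   with   parameter = token "=" ( token | quoted-string )
# tchar excludes '{', '}', '(', ')', '=', '"' and whitespace, so an OGNL expression
# such as %{(#x=...)} cannot satisfy this grammar anywhere in the value.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'
_PARAMETER = rf"\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED_STRING})"
_CONTENT_TYPE = re.compile(rf"\s*{_TOKEN}/{_TOKEN}(?:{_PARAMETER})*\s*")


def is_well_formed_content_type(value: str) -> bool:
    """True only if the whole value is plain media-type syntax; anything else is rejected."""
    return _CONTENT_TYPE.fullmatch(value) is not None


def screen_request(headers: dict) -> tuple:
    """Decide (allowed, reason) for one request from its header map (hypothetical helper).

    Header names are matched case-insensitively, as a servlet container would.
    Requests without a Content-Type carry no multipart body and pass through.
    """
    for name, value in headers.items():
        if name.lower() == "content-type":
            if is_well_formed_content_type(value):
                return (True, "ok")
            return (False, "malformed Content-Type rejected before body parsing")
    return (True, "no Content-Type header")


def screen_all(requests: dict) -> dict:
    """Run the screen over a batch of named requests; returns {name: (allowed, reason)}."""
    return {name: screen_request(hdrs) for name, hdrs in requests.items()}


# Constructed sample requests for the demonstration (not captured traffic).
# The "ognl in header" value only mimics the shape of OGNL markup; it is not a working payload.
SAMPLE_REQUESTS = {
    "browser upload": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryAbc123"},
    "json api call": {"content-type": "application/json; charset=utf-8"},
    "quoted param": {"Content-Type": 'text/plain; charset="us ascii"'},
    "no body": {"Host": "example.test"},
    "ognl in header": {"Content-Type": "%{(#demo='multipart/form-data')}"},
    "truncated param": {"Content-Type": "multipart/form-data; boundary"},
}


if __name__ == "__main__":
    for name, (allowed, reason) in screen_all(SAMPLE_REQUESTS).items():
        print(f"{name:16s} {'ALLOW' if allowed else 'BLOCK':5s} {reason}")
```

Two things matter when turning this into a real virtual patch. It has to run before the Struts dispatcher wraps the request for multipart handling, which is where the Jakarta parser evaluates the header, so in a servlet container it belongs in a filter ordered ahead of the Struts filter, or in the reverse proxy. And because it is an allowlist rather than a signature, it will also drop sloppy but harmless clients that send parameters without an `=` (the "truncated param" case above); log those rejections for a day before enforcing so you know which clients you are about to break.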
[1] https://cwiki.apache.org/confluence/display/WW/S2-045
[2] https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
[3] https://community.rapid7.com/community/infosec/blog/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild