Vulners Subscriptions and Apache Struts RCE

If you work in the IT security department of any large software development company, you were probably searching for Apache Struts in your environment this week.
And it’s all because of CVE-2017-5638:
Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON.
In a blog post published Monday, Cisco’s Threat intelligence firm Talos announced the team observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts
This is a good example of the usefulness of the Vulners.com service.
Just open the cvelist:CVE-2017-5638 query and you will see all the objects related to this issue. This request works even before the CVE number appears in the NVD and MITRE databases!
The results include: a description of the vulnerability from The Hacker News, a manual on how to use this vulnerability to gain server access from myhack58, and Nessus local Windows and remote CGI detection plugins.
These Nessus plugins should be available in Plugin Set since 201703081845.
You can also search plugins with:
$ find /opt/nessus/lib/nessus/plugins -name "struts_2_5_10_1_rce.nasl"
/opt/nessus/lib/nessus/plugins/struts_2_5_10_1_rce.nasl
With a slightly different request, query=S2-045, you can also get the full code of the Struts2 S2-045 Remote Command Execution exploit from Packet Storm (it’s a pity that they don’t use CVE-2017-5638 in the description).
The easiest way to get updates on new objects related to this issue is to subscribe to them in Vulners. Vulners now supports HTML, PDF and JSON report types, which will be attached to the email.
HTML and PDF contain the same human-readable information. JSON may be useful if you want to write scripts that analyze the email attachments and react to them, for example by creating JIRA tickets or starting vulnerability scan jobs.
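One way to script the JSON reports described above, as an added example (not code from Vulners or from this post). The attachment layout, a list of objects with `id`, `type`, `title` and `cvelist` fields, is an assumption, as is the rule mapping object types to actions; the sample email is constructed.

```python
import json
from email import message_from_bytes, policy
from email.message import EmailMessage

WATCHED_CVE = "CVE-2017-5638"  # the CVE from the subscription query

def build_sample_email() -> bytes:
    """Constructed sample: a report email with a JSON attachment (assumed layout)."""
    report = [
        {"id": "SAMPLE-NESSUS-1", "type": "nessus",
         "title": "Constructed detection plugin entry", "cvelist": [WATCHED_CVE]},
        {"id": "SAMPLE-EXPLOIT-1", "type": "packetstorm",
         "title": "Constructed exploit entry", "cvelist": [WATCHED_CVE]},
        {"id": "SAMPLE-OTHER-1", "type": "thn",
         "title": "Constructed unrelated entry", "cvelist": []},
    ]
    msg = EmailMessage()
    msg["Subject"] = "Subscription report (constructed sample)"
    msg.set_content("New objects matched your query.")
    msg.add_attachment(json.dumps(report).encode("utf-8"),
                       maintype="application", subtype="json",
                       filename="report.json")
    return msg.as_bytes()

def extract_report_items(raw_email: bytes) -> list:
    """Return all objects from JSON attachments; skip attachments that do not parse."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    items = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/json":
            continue
        try:
            data = json.loads(part.get_payload(decode=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # malformed attachment: ignore rather than crash the mail handler
        if isinstance(data, list):
            items.extend(d for d in data if isinstance(d, dict))
    return items

def plan_actions(items: list, seen_ids: set) -> list:
    """Map new objects for the watched CVE to follow-up actions, deduplicating by id."""
    actions = []
    for item in items:
        if WATCHED_CVE not in (item.get("cvelist") or []) or item.get("id") in seen_ids:
            continue
        seen_ids.add(item["id"])
        # Assumed policy: a new detection plugin triggers a scan, anything else a ticket.
        kind = "start_scan" if item.get("type") == "nessus" else "create_ticket"
        actions.append((kind, item["id"]))
    return actions
```

Persisting `seen_ids` between runs keeps repeated reports from opening duplicate tickets or rescanning for the same plugin.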
To add a new search query subscription, enter the query and your email:
If you press the black icon with the magnifying glass, you will see a preview of the email template based on your query:
Press the “Add” button and you will see the new subscription in your Subscriptions list:
So, a small life hack to stay up to date with the latest vulnerability news:
- Go to https://vulners.com/#subscriptions
- Subscribe to the security content you need
- Get emails as soon as new objects matching the query appear in the Vulners database
- …
- Profit!
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; I now write there first.