Vulners Subsriptions and Apache Struts RCE

If you work in IT Security Department of any large software developing company, you were probably searching for Apache Struts in your environment on this week.

And it’s all because of CVE-2017-5638:

Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON.
In a blog post published Monday, Cisco’s Threat intelligence firm Talos announced the team observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts

This is a good example, that shows the usefulness of the Vulners.com service.

Just open cvelist:CVE-2017-5638 query and you will see all the objects related to this issue. This request works even before this CVE number appear on NVD and Mitre databases!

Vulners Apache Struts2 RCE

Here are: description of the vulnerability from The Hacker News, manual on how to use this vulnerability to gain server access from myhack58, Nessus local windows and remote cgi detection plugins.

This Nessus plugins should be available in Plugin Set since 201703081845

You can also search plugins with:

$ find /opt/nessus/lib/nessus/plugins -name "struts_2_5_10_1_rce.nasl"
/opt/nessus/lib/nessus/plugins/struts_2_5_10_1_rce.nasl

With slightly different request query=S2-045 you can also get full code of Struts2 S2-045 Remote Command Execution exploit from Packet Storm (it’s a pity that they don’t use CVE-2017-5638 in description)

The easiest way to get updates on new objects updates related to this issue is to subscribe on them in Vulners. Vulners now supports HTML, PDF and JSON type of reports, that will be attached to the email.

Vulners subscriptions

HTML and PDF is the same human readable information. JSON may be useful, if you want to write some scripts that will analyze email attachments and somehow react on them, for example create JIRA tickets or start vulnerability scan jobs.

To add new search query subscription add the query and email:

New subscription

If you press on black icon with magnifying glass you will see preview of email template based on your query:

Email template

Press “Add” button and you will see new subscription in your Subscriptions list:

All subsriptions

So, a small Life Hack to stay up-to-date with latest vulnerability news:

  1. Go to https://vulners.com/#subscriptions
  2. Subscribe on security content you need
  3. Get emails as soon as new objects in the query will appear in Vulners database
  4. Profit!

Leave a Reply

Your email address will not be published. Required fields are marked *