Mitigating Struts Vulnerability CVE-2018-11776

Posted by Brian Pillsbury, Richard Yew, Paul Rigor

By now, news of the recently disclosed critical Apache Struts vulnerability has garnered significant worldwide attention. The new remote code execution (RCE) vulnerability (CVE-2018-11776, Apache advisory S2-057) affects the Apache Struts 2 framework from 2.3 through 2.3.34 and from 2.5 through 2.5.16; it is fixed in 2.3.35 and 2.5.17. The flaw lies in the framework's URL action mapping component: when an action is not associated with an explicit namespace (and the framework is configured to always select the full namespace), the namespace is taken from the request URL without being sanitized, so an attacker-supplied path segment is evaluated as an OGNL expression on the server. Remote code execution threatens the security of both data and infrastructure, and the widespread popularity of the Struts 2 framework makes for a potentially very large attack surface.

In response to the threat, on Monday, August 27th we released updated rules for our Web Application Firewall (WAF). These rules are 431005 (Custom EC Rules category) and 2180104 (Known Vulns category). Our WAF customers can opt in to the new rules by updating the WAF Ruleset to the latest version, either through the UI or the API. We highly recommend first enabling the rules in Audit mode in order to observe their potential impact on traffic. Running the new rules in an Audit profile first vastly reduces the risk of false positives impacting production traffic.
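To make the attack vector and the Audit-versus-Blocking workflow concrete, here is a small added example (not the Edgecast rules 431005 or 2180104, and not code from the original post). It implements a deliberately narrow check for the CVE-2018-11776 pattern: an OGNL expression (`${...}` or `%{...}`) smuggled into the namespace portion of a Struts 2 action URL, and runs it over a handful of constructed request lines in both modes. The `.action`/`.do` suffixes, the two-pass percent-decoding, and the sample requests are assumptions made for illustration only.

```python
"""Toy WAF-style detector for the CVE-2018-11776 attack vector.

Added illustration only: this is NOT the vendor's WAF rule, and the sample
requests below are constructed, not captured traffic. The check is narrow on
purpose: it flags OGNL syntax only in the namespace part of a Struts 2
action URL, which is exactly the input the vulnerable lookup evaluates.
"""
import re
from urllib.parse import unquote

# OGNL expressions start with "${" or "%{" and carry a closing brace.
OGNL_SEGMENT = re.compile(r"[$%]\{[^}]*\}")

# Assumption: Struts actions are addressed as <namespace>/<action>.action|.do.
# The vulnerable code derives the namespace from everything before the action.
ACTION_PATH = re.compile(r"^(?P<namespace>.*)/(?P<action>[^/]+)\.(action|do)$")


def decode_path(raw_path: str) -> str:
    """Strip the query string, then percent-decode (twice, to catch double
    encoding such as %2524%257B for '${')."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_struts_namespace_ognl(raw_path: str) -> bool:
    """True if the request targets a Struts action and its namespace segment
    contains an OGNL expression."""
    match = ACTION_PATH.match(decode_path(raw_path))
    if not match:
        return False
    return bool(OGNL_SEGMENT.search(match.group("namespace")))


def evaluate(request_line: str, mode: str) -> dict:
    """Apply the rule to one 'METHOD PATH PROTO' request line.

    In 'audit' mode a match is only recorded; in 'block' mode it is denied.
    Running in audit first shows what the rule would hit on real traffic
    before anything is actually blocked.
    """
    if mode not in ("audit", "block"):
        raise ValueError("mode must be 'audit' or 'block'")
    _method, path, _proto = request_line.split(" ", 2)
    matched = is_struts_namespace_ognl(path)
    action = "deny" if matched and mode == "block" else "allow"
    return {"path": path, "matched": matched, "action": action}


# Constructed sample request lines (not real captured traffic).
SAMPLE_REQUESTS = [
    "GET /showcase/actionChain1.action HTTP/1.1",                  # benign
    "GET /showcase/%24%7B1%2B1%7D/actionChain1.action HTTP/1.1",  # ${1+1} in namespace
    "GET /showcase/$%7B(1%2B1)%7D/index.do HTTP/1.1",             # partially encoded
    "GET /static/%7Bbraces%7D/logo.png HTTP/1.1",                 # braces, not an action
    "GET /showcase/%2524%257B7*7%257D/x.action HTTP/1.1",          # double-encoded ${7*7}
]


def run_in_mode(mode: str) -> list:
    """Evaluate every sample request in the given mode."""
    return [evaluate(line, mode) for line in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for mode in ("audit", "block"):
        print(f"--- {mode} ---")
        for result in run_in_mode(mode):
            print(f"{result['action']:5} matched={result['matched']!s:5} {result['path']}")
```

In audit mode every request is allowed and only the `matched` flag tells you what the rule would have blocked; switching to block mode denies the three requests whose namespace segment decodes to an OGNL expression, while the benign action and the static asset with literal braces pass. Note that a payload in the query string (`?q=%24%7B...%7D`) is deliberately not flagged by this check, because it never reaches the namespace lookup; a production rule would typically inspect other request parts as well.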

The Edgecast WAF gives customers the unique ability to run two WAF instances, one in an Audit profile and one in a Blocking profile, in parallel. The rules can be applied in a self-service manner and deployed to the edge in under two minutes without introducing any risk to the existing production WAF configuration.

Our security engineers have extensively analyzed our logging and data collection systems for evidence of attempted exploits of this critical Struts 2 vulnerability against customer endpoints. We were able to rapidly spot these incidents and create rules that detect, and take action on, this specific attack vector.

Thanks for reading! Visit us to learn more about our Security services.