Reputation: 879
How do I mitigate the Struts 2 malicious Content-Type attack without updating my Java code?
Attack details S2-045.
Upvotes: 2
Views: 1270
Reputation: 10349
You can add this one to your httpd.conf or inside your virtualhost, after you've enabled mod_rewrite:
# MITIGATE CVE-2017-5638
RewriteCond %{HTTP:Content-type} [$\#()%}{'"] [OR]
RewriteCond %{HTTP:Content-Disposition} [$\#()%}{'"] [OR]
RewriteCond %{HTTP:Content-Length} [$\#()%}{'"]
RewriteRule . "-" [F,L]
Upvotes: 0
Reputation: 36
I would add the '%', '}', and '{' characters to the condition as well, as they are also not valid Content-type header entries and are present in the POC exploit payload for this vulnerability.
RewriteCond %{HTTP:Content-type} [$\#()%}{]
RewriteRule . - [F,L]
Sorry if I got the syntax wrong as I have not tested this entry yet.
P.S. I would even venture to add the '@', '?' and ';' characters, but those may break an application if filtered as I think they are actually technically allowed, but I have never seen those in a content-type header in any of our application implementations.
Upvotes: 2
Reputation: 879
Apache's mod_rewrite can filter out the bad content type.
More advanced checks can be made - but this checks for characters we don't expect to see in the incoming content-type header:
RewriteCond %{HTTP:Content-type} [$\#()]
RewriteRule . - [F,L]
Upvotes: 0
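Before deploying any of the character classes from the answers above, it helps to check them against header values your applications really send. The following is an added example, not code from any of the answers: a small Python harness that applies each class as an unanchored match, the way RewriteCond does, and reports which values would be rejected or let through. The sample header values are constructed, and the names `VARIANTS`, `SAMPLES`, `blocked` and `evaluate` are hypothetical.

```python
import re

# Character classes copied from the three answers in this thread.
VARIANTS = {
    "basic":       r"[$\#()]",
    "with_braces": r"[$\#()%}{]",
    "with_quotes": r"""[$\#()%}{'"]""",
}

# Constructed Content-Type values (not captured traffic): (value, should_block).
SAMPLES = [
    ("application/json", False),
    ("text/html; charset=UTF-8", False),
    ("multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW", False),
    ('text/plain; charset="utf-8"', False),            # quoted parameter value
    ('multipart/form-data; boundary="a(b)c"', False),  # RFC 2046 allows ( ) ' in boundaries
    ("%{#placeholder}.multipart/form-data", True),     # inert stand-in, not a payload
    ("%{placeholder}.multipart/form-data", True),      # stand-in with only % { }
]


def blocked(pattern: str, value: str) -> bool:
    """RewriteCond applies an unanchored regex match to the header value."""
    return re.search(pattern, value) is not None


def evaluate(pattern: str, samples=SAMPLES):
    """Return (false_positives, false_negatives) for one character class."""
    false_pos = [v for v, bad in samples if not bad and blocked(pattern, v)]
    false_neg = [v for v, bad in samples if bad and not blocked(pattern, v)]
    return false_pos, false_neg


if __name__ == "__main__":
    for name, pattern in VARIANTS.items():
        fp, fn = evaluate(pattern)
        print(f"{name}: pattern {pattern}")
        for v in fp:
            print(f"  would reject legitimate value: {v}")
        for v in fn:
            print(f"  would let through: {v}")
```

Replace `SAMPLES` with Content-Type values taken from your own access logs to see which legitimate clients a given class would start rejecting with 403.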