Using ModSecurity to Virtual Patch Apache Struts CVE-2017-5638
Many security vulnerabilities are found in libraries used by application code. When it is impractical to quickly deploy a fix to code in a library, you may be able to use ModSecurity to intercept an exploit, "virtually patching" the affected code until you can upgrade the affected libraries.

The Apache Struts application library vulnerability (CVE-2017-5638), which led to the breach of 143 million accounts at Equifax, is an example of an exploit that can be virtually patched. The signature of the vulnerability is the presence of #cmd= or #cmds= strings in the Content-Type, Content-Disposition, or Content-Length HTTP headers. (A more detailed explanation follows below.)

Using ModSecurity, we can create a virtual patch with a simple rule that searches for the malicious strings in the affected HTTP headers:

    SecRule REQUEST_HEADERS:Content-Type|REQUEST_HEADERS:Content-Length|REQUEST_HEADERS:Content-Disposition "@rx #cmds?=" "id:5638,auditlog,log,deny,status:403"

Using SecRule we specify [ more… ]
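To check what the rule above will and will not block before deploying it, the following added example (not code from the original post or from the ModSecurity project) emulates the rule's logic in Python: it parses the header block of a raw HTTP request, applies the same #cmds?= pattern to the three inspected headers, and returns the action ModSecurity would take. The sample requests and the placeholder value after #cmd= are constructed.

```python
import re

# Literal pattern from the SecRule's @rx operator: matches "#cmd=" or "#cmds=".
STRUTS_5638_PATTERN = re.compile(r"#cmds?=")

# The request headers the rule inspects. HTTP header names are case-insensitive,
# so lookups are done on lowercased names.
INSPECTED_HEADERS = ("content-type", "content-length", "content-disposition")


def parse_request_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP/1.x request into a dict keyed by
    lowercased header name. The request line and any body are ignored."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def virtual_patch_decision(raw_request: str) -> dict:
    """Emulate the SecRule: deny with 403 when any inspected header matches,
    otherwise let the request pass. Reports which header and data matched."""
    headers = parse_request_headers(raw_request)
    for name in INSPECTED_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        match = STRUTS_5638_PATTERN.search(value)
        if match:
            return {"action": "deny", "status": 403, "rule_id": 5638,
                    "matched_header": name, "matched_data": match.group(0)}
    return {"action": "pass", "status": None, "rule_id": None,
            "matched_header": None, "matched_data": None}


# Constructed sample requests (not captured traffic). The second one carries only
# the "#cmd=" marker the rule keys on, with a placeholder value.
BENIGN_UPLOAD = ("POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 "Content-Type: multipart/form-data; boundary=----abc123\r\n"
                 "Content-Length: 42\r\n\r\n")
FLAGGED_UPLOAD = ("POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                  "Content-Type: multipart/form-data; #cmd=PLACEHOLDER\r\n"
                  "Content-Length: 42\r\n\r\n")
```

Running virtual_patch_decision on the two samples returns "pass" for the benign upload and a 403 "deny" for the flagged one, reporting content-type as the matched header.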