Tomcat Struts


A new remote code execution vulnerability in Apache Struts 2, CVE-2018-11776, was disclosed yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.

Update August 24, 2018: A dashboard for this vulnerability is now available to download.

Struts is a web framework built on top of Java Servlets and JSP, and it competes directly with JSF (JavaServer Faces). The second part of this page walks through developing and deploying a Struts application on Tomcat.

The Vulnerability

Struts improperly validates namespaces, allowing for OGNL injection, and can lead to full remote code execution on the target system. For a more detailed technical look at the vulnerability, please see our Threat Protection blog on this topic. Struts versions 2.3.34 and 2.5.16 and before are impacted.

Apache Struts is a free, open-source MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON.

Recommended Response

Due to the ease of exploitation and relatively common configuration that is required, this vulnerability should be patched immediately for all applications that use Struts 2. Patched versions are Struts 2.3.35 and 2.5.17. A publicly available PoC has already been published, and active attacks against this vulnerability are most likely imminent.

Detections

Vulnerabilities in application frameworks are challenging to programmatically detect with traditional VM scanning, and multiple methods of detection are needed to ensure that Struts is found.

Because of this, Qualys has implemented two QIDs for detecting CVE-2018-11776 in Qualys Vulnerability Management:

  • QID 13251 – This detection includes both remote and authenticated checks:
    • Remote – This detection sends a specifically crafted payload in the request to check for command execution in .action, .go, .do, .jsp and .xhtml files under common web directories.
    • Authenticated (Linux/Unix) – This executes the ps -ef command, looks for the presence of the Tomcat process and finds the location of the struts2-core-x.jar file. We are investigating using this method on other middleware technologies.
  • QID 371151 – This authenticated scan detection uses our Tomcat auth record to specify the location of the Tomcat configuration file. Once a Tomcat auth record is added, this detection reads the Tomcat location from the config and searches for the struts-core.x.jar file under its subdirectories. It extracts the version from the .jar file name and compares it with the vulnerable Struts versions.
  • Both QIDs are included in Vulnerability Signatures version VULNSIGS-2.4.403-3 or later.
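The jar-version check that QID 371151 performs can be reproduced outside the scanner for a local inventory. The following is an added example, not Qualys's own detection code: it walks a Tomcat CATALINA_HOME (the path layout webapps/*/WEB-INF/lib is an assumption) for struts2-core jars, parses the version from the file name and flags anything before the fixed releases 2.3.35 and 2.5.17 named above; lines the page does not mention (2.6 and later) are assumed fixed.

```python
import re
import tempfile
from pathlib import Path

# Fixed releases named on the page for CVE-2018-11776.
FIXED_2_3 = (2, 3, 35)
FIXED_2_5 = (2, 5, 17)
# Matches jar names such as struts2-core-2.5.16.jar (also struts-core-...).
JAR_RE = re.compile(r"^struts2?-core-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")


def struts_version_from_jar(name):
    """Return the version tuple embedded in a struts-core jar name, or None."""
    m = JAR_RE.match(name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """True for 2.3.34 / 2.5.16 and everything earlier in those lines."""
    if version < FIXED_2_3:
        return True          # 2.3.34 and every earlier 2.x release
    if version[:2] == (2, 5):
        return version < FIXED_2_5
    return False             # 2.3.35+, 2.5.17+; later lines assumed fixed


def audit_tomcat(catalina_home):
    """Find struts2-core jars under each webapp's WEB-INF/lib and grade them."""
    findings = []
    for jar in Path(catalina_home).glob("webapps/*/WEB-INF/lib/struts2-core-*.jar"):
        version = struts_version_from_jar(jar.name)
        if version is not None:
            app = jar.parts[-4]          # webapps/<app>/WEB-INF/lib/<jar>
            findings.append((app, ".".join(map(str, version)), is_vulnerable(version)))
    return sorted(findings)


def demo():
    """Constructed CATALINA_HOME: one unpatched and one patched webapp."""
    root = Path(tempfile.mkdtemp())
    for app, jar in (("shop", "struts2-core-2.5.16.jar"),
                     ("portal", "struts2-core-2.5.17.jar")):
        lib = root / "webapps" / app / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        (lib / jar).touch()              # empty stand-in for the real jar
    return audit_tomcat(root)


if __name__ == "__main__":
    for app, version, vulnerable in demo():
        print(f"{app}: struts2-core {version} -> {'VULNERABLE' if vulnerable else 'patched'}")
```

The check relies on the version in the file name, as the QID does; a renamed or shaded jar would need its MANIFEST inspected instead.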

Qualys has also implemented a QID for detecting CVE-2018-11776 in Qualys Web Application Scanning:

  • QID 150250 – This is an active detection within WAS that sends a specially-crafted payload to the scanned web application. A vulnerable application will show evidence of a command executing on the server and QID 150250 will be reported.

In addition to scanning, Qualys recommends that application frameworks such as Struts be documented in an Application Portfolio or CMDB to ensure all components of an application are recorded and can be audited for these kinds of vulnerabilities.

Protection

Even prior to the disclosure of this RCE vulnerability, Qualys Web Application Firewall users were already protected from exploits by every out-of-the-box template and generic policy. These templates, developed by security experts for the Qualys WAF programmable inspection engine, are constantly tested against the latest threats for the best detection rate and fewest false positives.

Customers using manual policies instead of templates were potentially not protected though, depending on ELI (Expression Language Injection), CI (Code Injection) and RCE (Remote Command Execution) sliders settings, along with the blocking threshold.

Mitigating CVE-2018-11776 is possible by using the following methods:

  • native protection using a generic policy (QID-226017: Expression Language Injection and QID-226008: Remote Command Execution);
  • for those using a manual policy instead of an out-of-the-box template, a custom rule with the following condition: request.path DETECT “qid/150178”;
  • or, of course, a virtual patch applied to QID-150250 from within the WAS module, which is equivalent to creating the rule manually, but quicker.

Today’s example – like “drupalgeddon2” a few months ago (CVE-2018-7600) – demonstrates how blocking zero-days is possible with Qualys WAF, without needing to define manual rules, giving CISO and IT Security organizations time for implementing sustainable fixes, while providing them with a tool to monitor and report any attempt to exploit the vulnerability.


Struts 2 Environment Setup

Our first task is to get a minimal Struts 2 application running. This chapter will guide you on how to prepare a development environment to start your work with Struts 2.

I assume that you already have JDK (5+), Tomcat and Eclipse installed on your machine. If you do not have these components installed, then follow the given steps on the fast track:

Step 1 - Setup Java Development Kit (JDK)

You can download the latest version of SDK from Oracle's Java site − Java SE Downloads. You will find instructions for installing JDK in downloaded files, follow the given instructions to install and configure the setup. Finally, set PATH and JAVA_HOME environment variables to refer to the directory that contains java and javac, typically java_install_dir/bin and java_install_dir respectively.

If you are running Windows and installed the SDK in C:\jdk1.5.0_20, you should be inputting the following line in your C:\autoexec.bat file.

Alternatively, on Windows NT/2000/XP, you can right-click on My Computer, select Properties, then Advanced, then Environment Variables. Then, you would update the PATH value and press the OK button.

On Unix (Solaris, Linux, etc.), if the SDK is installed in /usr/local/jdk1.5.0_20 and you use the C shell, you would put the following into your .cshrc file.

Alternatively, if you use an Integrated Development Environment (IDE) like Borland JBuilder, Eclipse, IntelliJ IDEA, or Sun ONE Studio, compile and run a simple program to confirm that the IDE knows where you installed Java, otherwise do proper setup as per the given document of IDE.

Step 2 - Setup Apache Tomcat

You can download the latest version of Tomcat from https://tomcat.apache.org/. Once you have downloaded the installation, unpack the binary distribution into a convenient location.

For example, C:\apache-tomcat-6.0.33 on Windows, or /usr/local/apache-tomcat-6.0.33 on Linux/Unix; then create a CATALINA_HOME environment variable pointing to that location.

You can start Tomcat by executing the following commands on a Windows machine, or you can simply double-click on startup.bat.

Tomcat can be started by executing the following commands on Unix (Solaris, Linux, etc.) machine −

After a successful startup, the default web applications included with Tomcat will be available by visiting http://localhost:8080/. If everything is fine, then it should display the following result −

Further information about configuring and running Tomcat can be found in the documentation included here, as well as on the Tomcat website: https://tomcat.apache.org/

Tomcat can be stopped by executing the following commands on windows machine −

Tomcat can be stopped by executing the following commands on Unix (Solaris, Linux, etc.) machine −

Step 3 - Setup Eclipse (IDE)

All the examples in this tutorial are written using the Eclipse IDE. I suggest that you have the latest version of Eclipse installed on your machine.

To install Eclipse, download the latest Eclipse binaries from https://www.eclipse.org/downloads/. Once you have downloaded the installation, unpack the binary distribution into a convenient location.

For example, C:\eclipse on Windows, or /usr/local/eclipse on Linux/Unix; finally, set the PATH variable appropriately. Eclipse can be started by executing the following commands on a Windows machine, or you can simply double-click on eclipse.exe.

Eclipse can be started by executing the following commands on Unix (Solaris, Linux, etc.) machine −

After a successful startup, if everything is fine, it should display the following result −


Step 4 - Setup Struts2 Libraries


Now, if everything is fine, you can proceed to set up your Struts2 framework. Following are the simple steps to download and install Struts2 on your machine.

  • Make a choice whether you want to install Struts2 on Windows, or Unix and then proceed to the next step to download .zip file for windows and .tz file for Unix.

  • Download the latest version of Struts2 binaries from https://struts.apache.org/download.cgi.

  • At the time of writing this tutorial, I downloaded struts-2.0.14-all.zip and when you unzip the downloaded file it will give you the directory structure inside C:\struts-2.2.3 as follows.


The second step is to extract the zip file in any location. I downloaded and extracted struts-2.2.3-all.zip in the C:\ folder on my Windows 7 machine so that I have all the jar files in C:\struts-2.2.3\lib. Make sure you set your CLASSPATH variable properly, otherwise you will face problems while running your application.