Continuing Zero-Day Attacks: Multiple Vulnerabilities Found in Apache Struts as Well
April 28, 2014 | by Pavithra Hanchagaiah (Senior Security Researcher)
The recently discovered Internet Explorer and Flash zero-days were only the beginning. Two zero-days (CVE-2014-0112 and CVE-2014-0113) have also been found in Apache Struts, and the Apache Struts group has published guidance (S2-021) on the appropriate measures users should take until an official patch is released.
The recent Internet Explorer and Flash zero-days were not the only zero-day threats that hit recently. Last Friday, the Apache Struts group released an advisory (S2-021) detailing two vulnerabilities (CVE-2014-0112 and CVE-2014-0113), and potential mitigation steps until an official patch is issued.
Apache Struts is a framework used to build and deploy Java-based web applications. In Apache Struts 2, most of the core functionality is implemented as Interceptors. These can execute code before and after an Action is invoked, and each Interceptor can be mapped to one or more Actions. Two security issues exist in Struts 2 due to improper handling of user-supplied parameter values by ParametersInterceptor and CookieInterceptor.
Both vulnerabilities affect Apache Struts versions from 2.0.0 until 2.3.16.2. It is strongly advised that Struts users upgrade to Struts 2.3.16.2. Otherwise, users can exclude the class parameter from the default configuration as shown below.
<interceptor-ref name="params">
    <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
</interceptor-ref>
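To see what that excludeParams value actually filters, the following added example (not code from the original post or from the Struts project) applies the comma-separated patterns to constructed request parameter names the way ParametersInterceptor does: Struts splits the value on commas and tests each name with Java's Matcher.matches(), which requires the whole name to match, so Python's re.fullmatch() is used here. The filter_params helper and the sample parameter names are assumptions for illustration.

```python
import re

# The excludeParams value from the S2-021 mitigation shown above.
EXCLUDE_PARAMS = (
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,"""
    r"""^session\..*,^request\..*,^application\..*,"""
    r"""^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"""
)

# Struts parses the value as a comma-separated list of Java regexes; none of
# these patterns contain a comma, so a plain split reproduces that parsing.
EXCLUDE_PATTERNS = [re.compile(p) for p in EXCLUDE_PARAMS.split(",")]


def is_excluded(param_name):
    """True if the name matches any excludeParams pattern in full
    (fullmatch mirrors Java's Matcher.matches())."""
    return any(p.fullmatch(param_name) for p in EXCLUDE_PATTERNS)


def filter_params(params):
    """Hypothetical helper: split a request's parameters into those the
    interceptor would still set on the Action and those it drops."""
    accepted, dropped = {}, []
    for name, value in params.items():
        if is_excluded(name):
            dropped.append(name)
        else:
            accepted[name] = value
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample parameters: ordinary form fields plus names that
    # reach a "class" property through the different OGNL access syntaxes.
    sample = {
        "username": "alice",
        "profile.displayName": "Alice",
        "class.x": "1",            # direct dotted access
        "Class['x']": "1",         # capitalised, bracket access
        "user.class.y": "1",       # nested property
        "items['class']": "1",     # quoted map key
        "struts.token": "abc",     # caught by ^struts\..*
        "classroom": "101",        # contains "class" but is a normal field
    }
    accepted, dropped = filter_params(sample)
    print("accepted:", sorted(accepted))
    print("dropped: ", dropped)
```

Checking the negative case (classroom) matters as much as the positive ones: an over-broad pattern would silently drop legitimate form fields.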
We have released the following new deep packet inspection (DPI) rules to protect against exploits leveraging these vulnerabilities:
Original article: Season of Zero-Days: Multiple Vulnerabilities in Apache Struts
by Pavithra Hanchagaiah (Senior Security Researcher)