Since the last post on how to mitigate the Struts 2 zero day in the wild, we have received many queries from customers wondering if their legacy Struts 1 applications are also vulnerable to this same attack.
Further discussions with the Struts security team have confirmed that although classloader manipulation has been verified, remote code execution has not been confirmed yet.
At Micro Focus we don’t wait for an exploited zero day before we take action to protect our customers. Therefore, while the Struts team works on a patch for this issue, we strongly recommend that Struts 1 developers take the following actions to mitigate the risk.
Struts 1 lacks the Struts 2 Interceptor chain, so we cannot benefit from the Parameter Interceptor to do the work for us. But we can easily build our own using a Servlet Filter in front of Struts’ org.apache.struts.action.ActionServlet servlet.
Struts ActionForm bean population relies on ServletRequest.getParameterNames() to first get a list of all parameters sent with the request, and then proceeds to set those parameters on the ActionForm bean properties.
The following Filter creates a ServletRequest wrapper that overrides the getParameterNames() method and checks each parameter name against a customizable regular expression. If a parameter name matches this regular expression, it is removed from the list returned by ServletRequest.getParameterNames().
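The filter below is an added, illustrative implementation of the approach just described; it is not the code shipped with the original post or with Struts. It assumes the Servlet 3.0 API (generic `Enumeration<String>`), an init-param named `excludeParams` (a hypothetical name chosen here) that carries the regular expression, and a constructed default pattern that denies any parameter name containing a `class` property segment, which is the path used for classloader manipulation. Besides `getParameterNames()`, it also hides denied names from `getParameter()`, `getParameterValues()` and `getParameterMap()` so that nothing else in the request pipeline can reach them.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Drops request parameters whose names match a configurable regular expression
 * before they reach the Struts 1 ActionServlet and its ActionForm population.
 * Example code (not from the original post); the init-param name and the default
 * pattern are assumptions made here.
 */
public class ParameterNameFilter implements Filter {

    // Constructed default: deny names such as "class.classLoader.x" or "user.class.y",
    // while leaving ordinary names such as "classic" or "myClass" untouched.
    private static final String DEFAULT_EXCLUDE =
            "(^|.*[.\\[])[cC]lass([.\\[\\]'\"].*|$)";

    private Pattern exclude;

    @Override
    public void init(FilterConfig config) {
        // Hypothetical init-param name; falls back to the constructed default above.
        String regex = config.getInitParameter("excludeParams");
        exclude = Pattern.compile(regex != null ? regex : DEFAULT_EXCLUDE);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new ExcludingRequest((HttpServletRequest) req, exclude);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }

    /** Request wrapper that makes denied parameter names invisible to the application. */
    static class ExcludingRequest extends HttpServletRequestWrapper {
        private final Pattern exclude;

        ExcludingRequest(HttpServletRequest request, Pattern exclude) {
            super(request);
            this.exclude = exclude;
        }

        private boolean denied(String name) {
            return name != null && exclude.matcher(name).matches();
        }

        @Override
        public Enumeration<String> getParameterNames() {
            List<String> kept = new ArrayList<>();
            for (Enumeration<String> e = super.getParameterNames(); e.hasMoreElements();) {
                String name = e.nextElement();
                if (!denied(name)) {
                    kept.add(name);
                }
            }
            return Collections.enumeration(kept);
        }

        @Override
        public String getParameter(String name) {
            return denied(name) ? null : super.getParameter(name);
        }

        @Override
        public String[] getParameterValues(String name) {
            return denied(name) ? null : super.getParameterValues(name);
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> kept = new LinkedHashMap<>();
            for (Map.Entry<String, String[]> entry : super.getParameterMap().entrySet()) {
                if (!denied(entry.getKey())) {
                    kept.put(entry.getKey(), entry.getValue());
                }
            }
            return Collections.unmodifiableMap(kept);
        }
    }
}
```

Map the filter in web.xml to the same URL pattern as the ActionServlet (typically `*.do`) so it runs before Struts populates any ActionForm. Two points to verify in your own deployment: the regular expression must be tested against the parameter names your forms legitimately use, since a too-broad pattern silently drops form data; and multipart (file upload) requests are parsed by Struts’ own MultipartRequestHandler from the request body rather than through getParameterNames(), so those parameter names do not pass through this wrapper and need the same check applied at that layer.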