It’s no secret that last year's Apache Struts vulnerability was devastating. This vulnerability caused the disclosure of millions of users' sensitive data. And now we have a new critical Struts vulnerability and organizations are scrambling to see if they are vulnerable. The flaw, CVE-2018-11776, is a "remote execution" class of vulnerability so it is as serious as they come (Read More). The Micro Focus Fortify SSR (Software security Research) team has released a new WebInspect check to identify this vulnerability. While a WebInspect Smart Update and a full scan will identify the vulnerability, you may want to run just a quick scan for the specific problem. Here are the steps to configure WebInspect to only check for Struts vulnerabilities including the newly discovered remote execution flaw.
1. Smart update to get the latest checks. Here you will see the new Struts check.
WebInspect Smart Update
2. Start a WebInspect "Basic Scan". Select the "Apache Struts" policy on the Coverage page of the Wizard.
Apache Struts Policy
3. Once the scan completes, you will see your results.
Thats it! Here is the Advisory Report from Micro Focus SSR:
Micro Focus Fortify Software Security Content
Fortify Software Security Research is pleased to announce the immediate availability of the following updates to Fortify WebInspect SecureBase:
Struts2 Remote Command Execution (S2-057)
This update includes a check to detect a critical remote code execution (RCE) vulnerability in Apache Struts2. Applications using Apache Struts2 versions 2.3.x up to 2.3.34, or versions 2.5.x up to 2.5.16, allow attackers to execute arbitrary OGNL expressions if they contain action results that are configured with no namespace or wildcard namespace and also have struts.mapper.alwaysSelectFullNamespace property set to true in the struts configuration. The configuration for redirect, postback, and action chain are affected. The vulnerability is identified by MITRE advisory CVE-2018-11776. It is recommended to upgrade Apache Struts2 version to the vendor recommended fixed versions. The check is identified by SecureBase id 11589 and can be accessed via Standard, or Apache Struts policies among others to test applications against this vulnerability. The check works on WebInspect versions 17.20 and above.