any plan to support CVE-2017-9805?

Customer support forums for the modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real time modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
Monty Lee
New Forum User
Posts: 1
Joined: Wed Sep 06, 2017 10:41 pm
Location: Japan

Post by Monty Lee

Hi, team.

Do you have any plans to release a modsecurity rule to support the CVE-2017-9805 issue?

Here is the information you may refer to.

snort rule
https://exchange.xforce.ibmcloud.com/co ... b1be8e2098
alert tcp any any -> any any (msg:"Detected Struts2 RCE S2-052";sid:20;content:"POST";nocase;http_method;content:"/struts2-rest-showcase/";nocase;http_uri;content:"<next class=\"java.lang.ProcessBuilder\">";nocase;http_client_body;)

F5 :: Using "java.lang.ProcessBuilder" string match..
https://devcentral.f5.com/articles/apac ... 12143334=1

Thanks
hostingg
Forum User
Posts: 63
Joined: Mon Mar 18, 2013 6:26 pm
Location: Earth

Re: any plan to support CVE-2017-9805?

Post by hostingg

I see that in the rules

SecRule ARGS|XML:/* "(?:sun\.misc\.base64decoder|unmarshaller\.base64data)" \
"chain,phase:2,status:403,deny,log,auditlog,id:337206,rev:6,severity:2,t:none,t:lowercase,t:urlDecodeUni,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Struts RCE attack blocked'"
SecRule ARGS|XML:/* "javax?\.(?:io\.fileoutputstream|imageio\.spi\.|lang\.processbuilder)" "t:none,t:lowercase,t:urlDecodeUni"
If everything was easy, then the world wouldn't need engineers.
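
The chained rule quoted in the reply above fires only when both of its patterns match, unlike the single "java.lang.ProcessBuilder" string checks linked in the first post. The following is an added example, not Atomicorp's code and not part of the original posts, that approximates that evaluation in Python over constructed marker strings. The function names, the urlDecodeUni approximation, and the flattening of each request into a list of inspected values are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Patterns copied verbatim from the two rules of chain id 337206 quoted above.
FIRST = re.compile(r"(?:sun\.misc\.base64decoder|unmarshaller\.base64data)")
SECOND = re.compile(r"javax?\.(?:io\.fileoutputstream|imageio\.spi\.|lang\.processbuilder)")

def transform(value):
    """Approximate t:none,t:lowercase,t:urlDecodeUni, applied in the listed order."""
    value = value.lower()
    # Assumption: %uXXXX plus ordinary %XX/+ decoding is close enough here.
    value = re.sub(r"%u([0-9a-f]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return unquote_plus(value)

def chain_matches(values):
    """True when the first rule matches some value AND the chained rule matches
    some value; only then would the deny/403 action on the chain starter fire."""
    seen = [transform(v) for v in values]
    return any(FIRST.search(v) for v in seen) and any(SECOND.search(v) for v in seen)

def single_string_matches(values):
    """The simpler approach from the first post: one string match on ProcessBuilder."""
    return any("java.lang.processbuilder" in transform(v) for v in values)

# Constructed inputs: marker strings only, each list stands for the values
# (ARGS / XML nodes) inspected for one request. None is a working request.
SAMPLES = {
    "both_markers": ['<a class="unmarshaller.Base64Data"/>'
                     '<next class="java.lang.ProcessBuilder">'],
    "processbuilder_only": ["<comment>How do I use java.lang.ProcessBuilder?</comment>"],
    "encoded_other_class": ["unmarshaller%2EBase64Data JAVAX.IMAGEIO.SPI.Placeholder"],
    "split_across_values": ["sun.misc.BASE64Decoder", "java.io.FileOutputStream"],
    "benign_xml": ["<order><id>42</id></order>"],
}

def evaluate(samples=SAMPLES):
    """Return {name: (chain_result, single_string_result)} for each sample."""
    return {name: (chain_matches(vals), single_string_matches(vals))
            for name, vals in samples.items()}

if __name__ == "__main__":
    for name, (chain, single) in evaluate().items():
        print(f"{name:22} chain={chain!s:5} single_string={single}")
```

The output shows where the two approaches disagree: the single-string check flags a body that merely mentions the class name, while the chain also covers the other second-stage class names in its pattern.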