Hi, team.
Do you have any plan to release a ModSecurity rule to support the CVE-2017-9805 issue?
Here is some information you may refer to.
Snort rule:
https://exchange.xforce.ibmcloud.com/co ... b1be8e2098
alert tcp any any -> any any (msg:"Detected Struts2 RCE S2-052";sid:20;content:"POST";nocase;http_method;content:"/struts2-rest-showcase/";nocase;http_uri;content:"<next class=\"java.lang.ProcessBuilder\">";nocase;http_client_body;)
F5: using a "java.lang.ProcessBuilder" string match.
https://devcentral.f5.com/articles/apac ... 12143334=1
Thanks
any plan to support CVE-2017-9805?
Re: any plan to support CVE-2017-9805?
I see that in the rules:
SecRule ARGS|XML:/* "(?:sun\.misc\.base64decoder|unmarshaller\.base64data)" \
"chain,phase:2,status:403,deny,log,auditlog,id:337206,rev:6,severity:2,t:none,t:lowercase,t:urlDecodeUni,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Struts RCE attack blocked'"
SecRule ARGS|XML:/* "javax?\.(?:io\.fileoutputstream|imageio\.spi\.|lang\.processbuilder)" "t:none,t:lowercase,t:urlDecodeUni"
If everything was easy, then the world wouldn't need engineers.
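How the chained rule quoted in the reply evaluates, as an added Python sketch that is not part of the original posts or of the Atomicorp rule set: both regexes are copied from rule id 337206, and each must match some target value after the listed transformations. The `transform` helper is a simplified stand-in for `t:lowercase,t:urlDecodeUni`, the `targets` list stands in for `ARGS|XML:/*`, and all sample values are constructed, inert fragments.

```python
import re
from urllib.parse import unquote

# Patterns copied from the two SecRule lines of rule id 337206 quoted above.
RULE_HEAD = re.compile(r"(?:sun\.misc\.base64decoder|unmarshaller\.base64data)")
RULE_CHAINED = re.compile(
    r"javax?\.(?:io\.fileoutputstream|imageio\.spi\.|lang\.processbuilder)")


def transform(value):
    """Approximate t:none,t:lowercase,t:urlDecodeUni, in the order listed."""
    value = value.lower()
    # %uXXXX form first (simplified to a direct code point), then plain %XX.
    value = re.sub(r"%u([0-9a-f]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return unquote(value, encoding="latin-1")


def chain_matches(targets):
    """True only when the head rule AND the chained rule each match a target."""
    cooked = [transform(t) for t in targets]
    head = any(RULE_HEAD.search(v) for v in cooked)
    chained = any(RULE_CHAINED.search(v) for v in cooked)
    return head and chained


# Constructed sample target values (not captured traffic, not working payloads).
SAMPLES = {
    "both_markers": ['<a class="sun.misc.BASE64Decoder"/>',
                     '<next class="java.lang.ProcessBuilder"/>'],
    "head_only": ['<a class="sun.misc.BASE64Decoder"/>'],
    "chained_only": ['<next class="java.lang.ProcessBuilder"/>'],
    "mixed_case_encoded": ["sun%2Emisc%2EBASE64Decoder",
                           "javax.imageio.spi.Example"],
    "benign_json": ['{"name": "order 42"}'],
}


def evaluate(samples=SAMPLES):
    """Return {sample name: would rule 337206 deny?} for each sample."""
    return {name: chain_matches(values) for name, values in samples.items()}


if __name__ == "__main__":
    for name, blocked in evaluate().items():
        print(f"{name:20s} {'deny (403)' if blocked else 'no match'}")
```

The `XML:/*` target is only populated when ModSecurity's XML request body processor is enabled for the request, so confirm that setting before relying on the rule for XML bodies.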