any plan to support CVE-2017-9805?

Posted: Thu Sep 07, 2017 6:55 pm
by Monty Lee
Hi, team..

Do you have any plan to release a ModSecurity rule to support the CVE-2017-9805 issue?

Here is some information you may refer to.

Snort rule
https://exchange.xforce.ibmcloud.com/co ... b1be8e2098
alert tcp any any -> any any (msg:"Detected Struts2 RCE S2-052";sid:20;content:"POST";nocase;http_method;content:"/struts2-rest-showcase/";nocase;http_uri;content:"<next class=\"java.lang.ProcessBuilder\">";nocase;http_client_body;)

F5 :: Using "java.lang.ProcessBuilder" string match..
https://devcentral.f5.com/articles/apac ... 12143334=1

Thanks

Re: any plan to support CVE-2017-9805?

Posted: Fri Sep 08, 2017 1:58 pm
by hostingg
I see that in the rules:

SecRule ARGS|XML:/* "(?:sun\.misc\.base64decoder|unmarshaller\.base64data)" \
"chain,phase:2,status:403,deny,log,auditlog,id:337206,rev:6,severity:2,t:none,t:lowercase,t:urlDecodeUni,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Struts RCE attack blocked'"
SecRule ARGS|XML:/* "javax?\.(?:io\.fileoutputstream|imageio\.spi\.|lang\.processbuilder)" "t:none,t:lowercase,t:urlDecodeUni"
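
The chain logic of rule 337206 quoted above can be checked offline with a small model. This is an added example, not part of the original posts or of the Atomicorp rule set; the transformation handling is a simplified approximation of `t:lowercase` and `t:urlDecodeUni`, and the sample values are constructed stand-ins for what the engine would already have extracted into `ARGS` or `XML:/*`.

```python
import re
from urllib.parse import unquote_plus

# Patterns copied from the two links of the chained rule (id 337206) above.
LINK1 = re.compile(r"(?:sun\.misc\.base64decoder|unmarshaller\.base64data)")
LINK2 = re.compile(
    r"javax?\.(?:io\.fileoutputstream|imageio\.spi\.|lang\.processbuilder)"
)


def transform(value: str) -> str:
    """Approximate t:none,t:lowercase,t:urlDecodeUni, applied in the listed order."""
    value = value.lower()
    # Simplifying assumption: %uXXXX maps straight to that code point.
    value = re.sub(r"%u([0-9a-f]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return unquote_plus(value)


def link_matches(pattern: re.Pattern, targets: list) -> bool:
    """One rule matches when any of its target values matches after transformation."""
    return any(pattern.search(transform(t)) for t in targets)


def chain_blocks(targets: list) -> bool:
    """The deny on the first rule fires only when every link in the chain matches."""
    return link_matches(LINK1, targets) and link_matches(LINK2, targets)


# Constructed target values (marker strings only, not real request bodies).
SAMPLES = {
    "both_links": [
        "com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
        "java.lang.ProcessBuilder",
    ],
    "both_links_encoded": ["sun.misc.BASE64Decoder%20java.io.FileOutputStream"],
    "one_link_only": ["sun.misc.BASE64Decoder"],
    "benign": ["<order><name>Bob</name></order>"],
}

if __name__ == "__main__":
    for name, targets in SAMPLES.items():
        print(f"{name}: {'deny (403)' if chain_blocks(targets) else 'pass'}")
```
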