Apache Struts Vulnerability and Detection Reference

Discussion created by fmc on May 21, 2014



Within VM (Vulnerability Management) the scanner is designed to find vulnerabilities in known applications. It does not run a full web crawler against the target web application the way a dedicated web application scanner does. For Struts vulnerability detection the VM scanner looks for the first .action file referenced in the default web page and launches its detection probes against that file. The VM scanner also checks whether the example files that ship with Struts (such as HelloWorld.action) are present on the target. If no .action file is referenced in the default web page, the VM scanner cannot detect vulnerabilities in custom web applications built on the Struts framework, which results in false negatives. The most accurate way to scan for Struts vulnerabilities is with the Qualys WAS product.


The Qualys WAS scanner runs a full web crawler against the target web application and finds any .action file in any location, not just the default location or the default web page. The detection payload is then delivered to each URL ending in .action, using a specific test to identify vulnerable Struts. This is a very accurate detection method and is the most accurate way to detect Apache Struts vulnerabilities.
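To make the difference between the two discovery strategies concrete, here is an added illustration (not Qualys code) that runs both over a constructed, in-memory site map: a default-page-only check finds the linked HelloWorld.action sample but misses a custom login.action that is only linked from a sub-page, while a same-host crawl finds both. The site contents, hostname and paths are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed site map (URL -> HTML). The custom Struts action is only linked
# from /app/, so a check that reads just the default page never sees it.
SITE = {
    "http://example.test/": '<a href="/app/">App</a> <a href="/HelloWorld.action">Sample</a>',
    "http://example.test/app/": '<a href="/app/login.action">Login</a>',
}
# Well-known Struts sample file named on this page; treat its presence as a finding.
STRUTS_SAMPLE_FILES = {"HelloWorld.action"}

class LinkParser(HTMLParser):
    """Collects href values of <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def links_on(url, site):
    parser = LinkParser()
    parser.feed(site.get(url, ""))
    return [urljoin(url, href) for href in parser.links]

def is_action(url):
    return urlparse(url).path.endswith(".action")

def default_page_actions(start, site):
    """VM-style discovery: only .action links referenced by the default page."""
    return sorted(u for u in links_on(start, site) if is_action(u))

def crawl_actions(start, site):
    """WAS-style discovery: follow every same-host link, collect every .action URL."""
    host = urlparse(start).netloc
    seen, queue, found = set(), [start], set()
    while queue:
        url = queue.pop()
        if url in seen or urlparse(url).netloc != host:
            continue
        seen.add(url)
        for link in links_on(url, site):
            if is_action(link):
                found.add(link)
            elif link not in seen:
                queue.append(link)
    return sorted(found)

def sample_files_found(actions):
    """Flags discovered URLs whose file name is a known Struts sample file."""
    return [a for a in actions if urlparse(a).path.rsplit("/", 1)[-1] in STRUTS_SAMPLE_FILES]
```

Every .action URL the crawl finds but the default-page check does not is a candidate false negative for the VM-style approach.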


The new WAS QID is 150127.


QID 150127 covers the following CVEs:

- CVE-2014-0094
- CVE-2014-0050
- CVE-2014-0112
- CVE-2014-0113