Albert Ros

Apache Struts RCE (CVE-2017-5638)

Discussion created by Albert Ros on Mar 14, 2017
Latest reply on Mar 16, 2017 by Albert Ros

How reliable Qualys QID 11771 is for detecting this vulnerability? 


As it's explained in the article, the test consists on trying to exploit the command injection vulnerability, adding an specific header and searching that header into the server response.


As I understand, Qualys doesn't know at what urls has to attack, so we could be in front of many false negatives. None applications are deployed with the server name in medium/big environments, and one server can host different applications.

Qualys also isn't capable of detecting if Struts is present on the server as most of the times it isn't installed in the server as a package but deployed along a web application.


What do you think?