Commander

Struts S2-061

Had a customer of mine ask when WebInspect will be able to check for this new Struts vulnerability. I assume that the engineers are looking at this one and crafting the check for it now, but it got me also wondering how quickly the engineers turn around checks that are found like this?

Micro Focus Expert

@KSKrug I've reached out to our SSR Team specifically regarding Struts S2-061 [CVE-2020-1753].

Generally speaking, new rules are released by the SSR Team quarterly. If there is a widespread vulnerability they will produce an off-cycle release of rules accordingly. They also keep in mind things such as the following (not an exhaustive list, but sampling):

  • impact is very limited
  • narrow focus (i.e., affects only upload feature)
  • in general we try to avoid checks for DoS problems, as they usually have lower severity, and if the attack is successful we will not be able to continue the scan and can miss critical or other problems

You can always contact us if additional information is needed:

Contact Software Security Research

Alexander M. Hoole
Manager, Software Security Research
Micro Focus Fortify
hoole@microfocus.com
+1 (650) 258-5916

https://community.microfocus.com/t5/Security-Research-Blog/bg-p/off-by-on-software-security-blog
https://software.microfocus.com/en-us/software/security-research

Contact Fortify Technical Support

Micro Focus Fortify
https://softwaresupport.softwaregrp.com/
+1 (844) 260-7219

Commander

Thank you for the reply. I've communicated this over to the development teams who were initially concerned about this latest Struts vulnerability.