Threat Content Advisory: Apache Struts - CVE-2017-9805

Document created by RSA Product Team Employee on Sep 8, 2017. Last modified by RSA Product Team Employee on Sep 8, 2017.
Version 2


The Apache Software Foundation has patched a vulnerability identified as CVE-2017-9805. The vulnerability affects all versions of Apache Struts since 2008. In response, we have created and released a parser to help identify systems exploited by the vulnerability. When this parser matches network traffic, "apache struts CVE-2017-9805 attempt" appears in the 'Indicators of Compromise' meta-key, and the command that was included in the exploit attempt is present in the 'Action' meta-key. The parser, 'struts_exploit', is now available in RSA NetWitness Live.
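
As an added illustration (not RSA's 'struts_exploit' parser, whose logic this advisory does not publish), the Python example below shows one way a check can yield the two meta values described above. The matching heuristic (an XML request body that names java.lang.ProcessBuilder and carries a command list), the function name, and the sample requests are assumptions constructed for this example.

```python
import html
import re

IOC_VALUE = "apache struts CVE-2017-9805 attempt"  # string quoted in the advisory

# Assumed heuristic, not RSA's logic: an XML request body that names
# java.lang.ProcessBuilder and carries a <command> list of <string> arguments.
XML_TYPE = re.compile(r"^content-type:[^\r\n]*\bxml\b", re.I | re.M)
PROCESS_BUILDER = re.compile(r"class\s*=\s*[\"']java\.lang\.ProcessBuilder[\"']")
COMMAND = re.compile(r"<command>(.*?)</command>", re.S)
ARGUMENT = re.compile(r"<string>(.*?)</string>", re.S)


def inspect_request(raw: str) -> dict:
    """Return the two meta values for one raw HTTP request, or {} on no match."""
    head, _, body = raw.partition("\r\n\r\n")
    method = head.split(" ", 1)[0].upper()
    if method not in ("POST", "PUT") or not XML_TYPE.search(head):
        return {}
    if not PROCESS_BUILDER.search(body):
        return {}
    command = COMMAND.search(body)
    # Entity-decode each argument so "&amp;&amp;" is reported as "&&".
    args = ARGUMENT.findall(command.group(1)) if command else []
    action = " ".join(html.unescape(a.strip()) for a in args)
    return {"Indicators of Compromise": IOC_VALUE, "Action": action}


# Constructed sample requests (hypothetical host and path, gadget chain omitted).
SAMPLE_ATTEMPT = (
    "POST /api/items HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/xml\r\n\r\n"
    '<map><entry><!-- omitted --><next class="java.lang.ProcessBuilder">'
    "<command><string>/bin/sh</string><string>-c</string><string>id</string>"
    "</command></next></entry></map>"
)
SAMPLE_BENIGN = (
    "POST /api/items HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/xml\r\n\r\n"
    "<order><item>book</item></order>"
)

if __name__ == "__main__":
    for name, request in (("attempt", SAMPLE_ATTEMPT), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_request(request))
```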


Here's a sample attack that our researchers have seen in the wild:


EOPS Policy

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.