Locating Apache Struts

Does anyone know of a way to see if Apache Struts is present on Windows systems?

Thanks,
Bob_K

Hi Bob,

Topical question!

I’m working on this myself at the moment.
So far all that I have discovered is the need to find the .jar files (struts*.jar) but that minimal level of knowledge leads to a horrible and inefficient trawl of every drive.
I don’t have admin access on any Apache servers to see if there might be a hint of any sort buried in the registry.

Any hints gratefully received here :)

2 Likes

Hi all,

As this is a Java lib that is shipped with other products, it will most likely not be visible in the registry.

I’m crafting signatures to be loaded into BigFix Inventory to check for the existence of a struts2-core*.jar file in general and, secondly, to check against the vulnerable version.

However, the name of the library could be changed - sometimes developers rename the lib.

Here you can find the sample signature:
https://bigfix.me/signature/details/113

It will be shown as:
Publisher Name: (SECURITY)
Component Name: Struts2 Core Jar
Component Version: 0.ANY RELEASE

You need to:

  1. Run Import to generate a new catalog and propagate it to the endpoints
  2. Wait for or execute a software scan on the endpoints
  3. Once the scan is completed and the data is uploaded to the BigFix Server, run Import in BFI to get the results.

When you drill down into the Details of a discovered component, the installation path will be listed with the name of the file. This signature includes the file name in the installation path as well.

Note: the result will not include instances in directories excluded from the scan, e.g. within a tmp subdirectory. Some Java App Servers extract EAR/WAR into their “tmp” directory.

2 Likes

Thanks ArturZ.

We don’t have BFI but at least I know that there is no magic sauce in the registry for this one.

For those interested, here is another signature that will show only the computers where the jar is in a different version than 2.5.13 or 2.3.34, by checking the jar file name.

https://www.bigfix.me/signature/details/114

2 Likes

Saw a report that the Equifax breach was due to Struts. And a smug Apache guy saying “all their fault, they should’ve patched!”. Clearly it’s not that easy to identify and apply the patches.

1 Like

I know a good tool that could help them with that process …

2 Likes

Yeah, but short of BFI doing a full filesystem scan, it really would be nice to have a better means to inventory Apache and Tomcat content.

Good thread. Have any of you made progress on detection for both Windows and non-Windows that you are willing to share?
It’s the embedded components that I am interested in specifically. I believe there’s a struts-config.xml containing information, but the file location is unknown (to me).

Making progress but need help with this script adapted from - https://securityriskadvisors.com/blog/post/strutting-your-stuff-identifying-outdated-and-vulnerable-apache-struts-in-your-linux-environment/

The output file is being created with the path to the JAR file, however the line that returns the version isn't. (unzip -p "${{JARFILE}" META-INF/MANIFEST.MF | grep -F Specification-Version)

Can any Linux scripters help clean this up to return Path to JAR | Version of JAR?

parameter "scriptFile" = "{parent folder of parent folder of client folder of current site}/detectStruts.sh"
parameter "outputFile" = "{parent folder of parent folder of client folder of current site}/Struts.txt"
delete "{parameter "scriptFile"}"
delete "{parameter "outputFile"}"
createfile until end
#!/bin/sh
find / -type f -iname 'struts.jar' |
while read JARFILE; do
printf "${{JARFILE} " >> "{parameter "outputFile"}"
unzip -p "${{JARFILE}" META-INF/MANIFEST.MF | grep -F Specification-Version
done
#clean up our session
exit 0
end
move __createfile "{parameter "scriptFile"}"
wait chmod 555 "{parameter "scriptFile"}"
wait /bin/sh "{parameter "scriptFile"}"

2 Likes

I haven’t tested this, but it looks like it may get what you want.

#!/bin/sh
JarFiles=`find / -type f -name struts.jar`
for Jar in $JarFiles; do
  echo "$Jar" >> "{parameter "outputFile"}"
  unzip -p "$Jar" META-INF/MANIFEST.MF |grep Specification-Version |awk -F: '{print $2}' >> "{parameter "outputFile"}"
done

This will find all files in / named struts.jar and then loop through all those files and echo the file path to the outputFile as well as the Specification-Version of that file. I am assuming the Specification-Version is colon delimited.

1 Like

Thanks, any ideas why this line is failing?

Completed parameter "scriptFile" = "{parent folder of parent folder of client folder of current site}/detectStruts.sh"
Completed parameter "outputFile" = "{parent folder of parent folder of client folder of current site}/Struts.txt"
Completed delete "{parameter "scriptFile"}"
Completed delete "{parameter "outputFile"}"
Completed createfile until end
Completed #!/bin/sh
Completed JarFIles=find / -type f -name struts.jar
Completed for Jar in $JarFiles; do
Completed echo "$Jar" >> "{parameter "outputFile"}"
Failed unzip -p "$Jar" META-INF/MANIFEST.MF |grep Specification-Version |awk -F: '{print $2}' >> "{parameter "outputFile"}"
done
#clean up our session
exit 0
end
move __createfile "{parameter "scriptFile"}"
wait chmod 555 "{parameter "scriptFile"}"
wait /bin/sh "{parameter "scriptFile"}"

Did you keep the backticks surrounding the find command? It looks like they’re not there in the output above but it could be the forum formatting.

Actually, after typing this out, the forum is killing the backticks…try this:

#!/bin/sh
JarFiles=$(find / -type f -name struts.jar)
for Jar in $JarFiles; do
  echo "$Jar" >> "{parameter "outputFile"}"
  unzip -p "$Jar" META-INF/MANIFEST.MF |grep Specification-Version |awk -F: '{print $2}' >> "{parameter "outputFile"}"
done

@mlynch I really appreciate your help on this.
The output is extremely hard to parse, primarily due to the number of characters, but what I am struggling with more is that the version is being printed on a separate line.
Is it possible to pipe-delimit (on a single line) the path to jar | version?
It appears it's the print $2 that’s causing this; however, I don't pretend to be a shell scripter, so any help is appreciated.
Many thanks for your time on this, it's really appreciated.

Sure, that’s easy enough @nicksberger

#!/bin/sh
JarFiles=$(find / -type f -name struts.jar)
for Jar in $JarFiles; do
  JarVer=$(unzip -p "$Jar" META-INF/MANIFEST.MF |grep Specification-Version |awk -F: '{print $2}')
  echo "$Jar|$JarVer" >> "{parameter "outputFile"}"
done

That should put the file path and version on one line delimited by a pipe (once again, this is untested but should be somewhat good). If you want to post some of the output I can see about maybe trimming it down some for you if you’d like.

1 Like

You also need to escape the curly bracket so it isn’t interpreted as relevance substitution:

JarVer=$(unzip -p "$Jar" META-INF/MANIFEST.MF |grep Specification-Version |awk -F: '{{print $2}')
2 Likes

Thanks so much for your help!
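
Added example, not code from any poster in this thread: the same path|version inventory written in Python so it runs on Windows and non-Windows alike. It reads `Specification-Version` from the manifest as the scripts above do, goes beyond them by also opening WAR/EAR archives, and tolerates paths with spaces. The marker class used to catch renamed jars, the `expected`/`review` labels, and every file name and version built in `demo()` are assumptions constructed for illustration.

```python
import io
import os
import re
import tempfile
import zipfile

EXPECTED = {"2.5.13", "2.3.34"}  # the two versions the thread's second signature checks against
ARCHIVES = (".jar", ".war", ".ear")
MANIFEST = "META-INF/MANIFEST.MF"
NAME = re.compile(r"^struts2?-core.*\.jar$", re.I)
MARKER = "org/apache/struts2/dispatcher/Dispatcher.class"  # assumed tell-tale of a renamed core jar

def inspect(source, label, hits):
    """Record (label, version) if this is a Struts core jar, then recurse into nested archives."""
    try:
        with zipfile.ZipFile(source) as zf:
            names = zf.namelist()
            if NAME.match(os.path.basename(label)) or MARKER in names:
                text = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
                m = re.search(r"^Specification-Version:[ \t]*(\S+)", text, re.M)
                hits.append((label, m.group(1) if m else "unknown"))
            for n in (n for n in names if n.lower().endswith(ARCHIVES)):
                inspect(io.BytesIO(zf.read(n)), f"{label}!/{n}", hits)
    except (zipfile.BadZipFile, OSError):
        pass  # truncated, unreadable or not really a zip: skip it

def scan(root):
    """Walk root; return sorted 'location|version|status' lines, one per Struts core jar."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVES)):
            inspect(path, path, hits)
    return sorted(f"{p}|{v}|{'expected' if v in EXPECTED else 'review'}" for p, v in hits)

def make_zip(target, entries):
    """Constructed sample data: write {entry name: content} as a zip to a path or buffer."""
    with zipfile.ZipFile(target, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return target

def demo():
    """Scan a constructed tree: a plain jar, a renamed jar, and a jar nested in a WAR."""
    man = lambda v: {MANIFEST: f"Specification-Version: {v}\r\n"}
    inner = make_zip(io.BytesIO(), man("2.3.31")).getvalue()
    with tempfile.TemporaryDirectory() as root:
        make_zip(os.path.join(root, "struts2-core-2.5.13.jar"), man("2.5.13"))
        make_zip(os.path.join(root, "web framework.jar"), {**man("2.5.10"), MARKER: ""})
        make_zip(os.path.join(root, "shop.war"), {"WEB-INF/lib/struts2-core-2.3.31.jar": inner})
        return [line[len(root) + 1:] for line in scan(root)]
```

Nested archives are read into memory, so on hosts with very large EAR files a size limit before `zf.read(n)` is worth adding.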