We’ve updated Wallarm’s user management function with the ability to invite a new user via an invitation link. This new capability allows administrators to produce an invitation link that can be shared with unregistered users so they can sign up for their specific client. 

If provided, the link will populate the user’s email address automatically, and create a user within the client once the new user has submitted their name and password. Additionally, the link can be set with an expiration time and specific user role as well. The invite by link functionality is also available via the Wallarm API for automation use cases. 

We are excited to introduce our latest new feature: NIST CSF 2.0 Dashboards for the Wallarm platform. These dashboards offer a high-level overview of Wallarm security controls that comply with the NIST CSF version 2.0, empowering teams to effectively assess the security level of their APIs. Utilizing the NIST Cybersecurity Framework, our product now delivers comprehensive insights into your security posture, aligning with industry standards and best practices. This feature is designed to guide you through identifying, protecting, detecting, and responding to cybersecurity threats, ensuring a resilient infrastructure. Leverage this new dashboard to assess and improve your API and application security controls.

You can find more detailed information about this feature in our documentation.

Following a successful release of our 4.10 node including several version upgrades and a real-time credential stuffing detection, we are now excited to announce the first update.

This update addresses a number of minor vulnerability findings related to our Docker image and provides support for future feature releases. In this node update, the following vulnerability findings were addressed: CVE-2020-36327, CVE-2023-37920, CVE-2021-41816, CVE-2021-33621, CVE-2021-41819, CVE-2021-41817, CVE-2020-14343, CVE-2021-31799, CVE-2021-28965, CVE-2023-28755, CVE-2020-25613

For detailed information and instructions, please refer to our documentation.

In the ever-evolving landscape of cybersecurity, we're thrilled to announce an addition to the Wallarm arsenal: Credential Stuffing detection. Criminals are deploying automated bots using stolen credentials that aim to exploit overlapping logins across services. Users' tendency to reuse passwords makes businesses susceptible to this type of unauthorized access, fraud, and trust erosion. As digital footprints expand, defending against Credential Stuffing is now a business imperative.

Wallarm offers multiple means to detect credential stuffing, including detection of brute force attempts and behavioral detection with API Abuse Prevention. The new credential stuffing detection feature gives security analysts even more control. Every instance of a known-compromised credential in use can now be spotted. Users can: 

• Configure specific authentication endpoints for credential stuffing monitoring.
• Leverage recommendations from API Discovery to automatically identify endpoints used for authentication. 
• Configure triggers and notifications for credential stuffing events.

Wallarm, supported by a massive database of over 850 million compromised passwords, helps organizations quickly identify when user accounts have been compromised. This new feature expands Wallarm’s ability to protect against credential stuffing.

As businesses expand their online footprint, encompassing both WebApps and APIs, the need for a robust defense against Credential Stuffing has never been more crucial. Wallarm doesn't just meet this need; it exceeds expectations. 

Credential Stuffing detection is available with the Advanced API Security subscription and in brand new Wallarm node 4.10. You can find more detailed information about this feature in our documentation.

Wallarm has released a new version of the Wallarm node. Node 4.10 is designed to support new features, but also includes a number of updates. 

This version of the Wallarm node includes an optimized and more secure NGINX-based Docker image. Full details are included in our updated documentation. Some key changes are:

• The Docker image is now built on Alpine Linux.
• Updated to the latest stable version of NGINX, 1.24.0, replacing the previous 1.14.x version. 
• Resolves a number of vulnerabilities, including the HTTP/2 Rapid Reset Vulnerability (CVE-2023-44487)
• Support for processors with ARM64 architecture
• The Docker image is now built using our previously announced all-in-one installer.

Following the release of rogue API detection for shadow, orphan, and zombie APIs, we’re happy to announce the inclusion of rogue APIs in the API Discovery Dashboard. 

Users can now view the summary of rogue APIs discovered in the API Discovery Dashboard, along with an easy click-through to view the specific details for each category in the API Discovery interface. 

Comparing API specifications with data from API Discovery can help you identify and eliminate risks from unused and undocumented endpoints. 

Product Changelog

Wallarm has added rules for detecting exploitation of a critical Server-Side Template Injection (SSTI) vulnerability in Confluence Data Center and Server (CVE-2023-22527). The vulnerability allows an unauthenticated attacker to inject OGNL expressions into the Confluence instance and, thus, execute arbitrary code in the system. Since the nuclei template for vulnerability detection was published, we have observed multiple scanning attempts in client infrastructure. 

We highly recommend upgrading the Confluence Data Center and Server as soon as possible. If your confluence installation is exposed to the Internet, we highly recommend detaching the system from the Internet as soon as possible and checking the server for malicious Indicators-of-Compromise. 

Wallarm clients can also utilize and configure the platform's Virtual Patch functionality to block the exploitation attempts if nodes are configured in monitoring (not-blocking) mode. 

References:

NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-22527 

Vendor’s Advisory: https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html

Vendor’s FAQ: https://confluence.atlassian.com/kb/faq-for-cve-2023-22527-1332810917.html

Nuclei Template: https://github.com/projectdiscovery/nuclei-templates/pull/8982?ref=blog.projectdiscovery.io 

We're thrilled to unveil a new feature in our API Security platform, the ability to receive notifications about detected Shadow, Zombie, and Orphan APIs. 

These Rogue APIs pose a significant risk to your organization. They could be Shadows hiding in plain sight, Zombies consuming resources, or Orphans left unattended. Rogue APIs can expose sensitive data, hog bandwidth, and leave your application vulnerable.

 Starting now, you can receive notifications about the newly detected Rogue APIs directly in your SIEM, SOAR, Log management system, or even your favorite messaging app. In each notification you can find all the necessary information, like the API host where the threat was spotted, the API specification used, and more.

Stay one step ahead of potential threats with our Rogue API Notifications feature! Your APIs deserve the best defense, and we're here to deliver.

You can find more information about this functionality in our documentation.

We've got some exciting news that's easy on the eyes – literally! Say hello to our brand new Dark Theme feature, a sleek and comfortable visual option now available in Wallarm. We know those long hours spent safeguarding digital realms can be tough on your eyes, so we've designed this theme with you in mind. It's not just about the cool, modern look; it's about reducing eye strain and making your experience with our product more comfortable, especially during those late-night monitoring sessions.

Simply click on your user profile icon in the upper right corner of the user interface to switch between light and dark themes. The Dark Theme offers a visually appealing interface with subtle contrasts and dark tones, significantly reducing screen glare. We believe this small change can make a big difference in your daily routine, enhancing focus and reducing fatigue. As always, your feedback is invaluable – let us know how this new feature works for you.

Wallarm has added rules for detecting exploitation of a Remote Code Execution vulnerability in Apache Struts2 (CVE-2023-50164). Wallarm clients are now able to observe any detected exploitation attempts by searching for CVE-2023-50164 in the Events/Attacks section.

About the vulnerability

This vulnerability exists in the framework’s handling of file upload parameters which can be abused to upload a malicious file, such as a web shell. Successful exploitation provides the ability to execute arbitrary code on the server. The vulnerability has a 9.8 CVSS Score (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

The vulnerability can be exploited by unauthenticated, remote attackers and doesn’t require advanced technical knowledge. Public exploits for the vulnerability have been published on GitHub (exploit#1 and exploit#2).

Due to the prevalence of the Apache Struts2 framework across enterprise infrastructure and its public exposure on Internet-facing web servers, the vulnerability is being actively exploited and has received significant attention in the cybersecurity community. Just days after publishing, it became clear that this vulnerability would be one of the most popular and noticeable vulnerabilities of the year. 

It is highly recommended that organizations update the Apache Struts2 framework as soon as possible (vulnerable versions range from 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0).