Alert: A remote code execution flaw was discovered in the widely-used Apache Struts 2 framework. Although this vulnerability has been patched, attackers continue to exploit vulnerable (unpatched) systems.
This zero-day vulnerability affects file upload Multipart parser in the open-source Apache Struts 2 technology framework, which is widely used in Java applications. The vulnerability was reported by a Chinese developer, Nike Zheng.
The Struts 2 vulnerability (CVE-2017-5638) was publicly disclosed on March 6. This particular flaw lives in the Jakarta Multipart parser upload function in Apache. It allows an attacker to create and execute a maliciously crafted request (a malicious Content-Type value) on an Apache web server.
This Remote Code Execution flaw is critical because it allows attacks without authentication. Additionally, even the presence of the vulnerable Struts library in an app is enough to execute the attack.
Since the vulnerability is publicly disclosed, there are multiple public proofs-of-concept (PoC) exploit code out in the open. Anyone with Struts 2 code understanding can follow the simple PoCs for Remote Code Execution.
Some attackers even execute “whoami” commands first to determine if the system is vulnerable. In some cases, attackers have turned off the firewall.
Any product running on Struts 2.3.5 to Struts 2.3.31 and Struts 2.5 to 2.5.10. Administrators with custom changes on Struts source code should be extra cautious with the vulnerability.
According to the Cisco Identity Services Engine, Prime Service Catalog Virtual Appliance, and Unified SIP Proxy Software need fixing; but they are still investigating other products. VMware has also issued an advisory for Horizon Desktop-as-a-Service, vCenter Server, vRealize Operations Manager and vRealize Hyperic Server.
All the Indusface products, i.e. Total Application Security (TAS), Web Application Scanning (WAS), and Web Application Firewall (WAF) were configured to detect, report and protect against the Struts 2 vulnerability by default.
The Core Rule Set (CRS) in the Indusface Web Application Firewall is already protecting customers against these attacks by default. Both Indusface automated VA scans and manual penetration testing also include checks for the Apache Strut 2 flaw.
We understand that open source is an essential component of the application development and delivery framework for businesses. That’s why our suite of products help new-age companies
Claim your Free Forever Scan today to start securing your businesses against such critical zero-day threats.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various mgmt/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Data card.