Apache Struts bug is under attack, patch now


Apache Software Foundation has patched a remote code execution vulnerability affecting the Jakarta Multipart parser in Apache Struts. Administrators need to update the popular Java application framework or put workarounds in place because the vulnerability is actively being targeted in attacks.

The issue affects Apache Struts versions 2.3.5 through 2.3.31 and versions 2.5 through 2.5.10. The presence of vulnerable code is enough to expose the system to attack—the web application doesn’t need to implement file upload for attackers to exploit the flaw, said researchers from .

Talos “found a high number of exploitation events,” said Cisco threat researcher Nick Biasini. “With exploitation actively underway, Talos recommends immediate upgrading if possible or following the workaround referenced in the above security advisory.”

The remote code execution vulnerability (CVE-2017-5638) in the Jakarta Multipart parser is the result of improper handling of the Content-Type header, Apache said in its . The header indicates the media type of the resource, such as when the client tells the server what type of data was sent as part of a POST or PUT request, or the server telling the client what type of content is being returned as part of the response. The flaw is triggered when Struts parses a malformed Content-Type HTTP header and lets attackers remotely take complete control of the system without needing any kind of authentication.

, which sends a GET request in certain directories and try to run ifconfig or ipconfig commands, to detect if the system is vulnerable, said Amol Sarwate, the director of engineering at Qualys. A is also already available.

If updating Struts is not an option, Cisco Talos researchers recommended configuring next-generation intrusion prevention systems, next-generation firewalls, and web application firewalls with the appropriate rules to block attempts to exploit the vulnerability. Cisco customers can get the latest sets of rules through Defense Center, FireSIGHT Management Center, or Snort.org (SID 41818, 41819), Biasini said.

“It is likely that the exploitation will continue in a wide scale since it is relatively trivial to exploit and there are clearly systems that are potentially vulnerable,” Biasini said.