The discovery of a new Apache Struts vulnerability that is being actively exploited in the wild has prompted both Cisco Talos and Apache to issue warnings to users. The zero-day vulnerability in the popular Java application framework was recently discovered by Cisco Talos researchers, and attacks have been occurring at a steady pace over the past few days.
The Apache Struts vulnerability – CVE-2017-5638 – is in the Jakarta Multipart parser, according to a statement released by Apache this week. The flaw could be exploited in an RCE attack with a malicious Content-Type value. Apache warns that” If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user.” Attackers have been using a publicly published proof-of-concept to conduct the attacks.
Cisco Talos researchers have observed two types of attack, one which probes to determine whether the vulnerability exists by performing a Simple Linux command. If the vulnerability is detected, information is gathered on the vulnerable system, such as performing an ipconfig to obtain the network configuration.
The second type of attack involves the installation of malware. The types of malware being installed are highly varied according to Cisco. Cisco reports that some users have had both the Linux and SUSE Linux firewalls disabled by attackers and malware has been downloaded and installed in a manner to ensure persistence.
Cisco Talos reports that attacks on vulnerable systems started almost immediately after the publication of the proof-of-concept. Attacks have been steadily occurring ever since. Unless vulnerable systems are patched, the Apache Struts vulnerability is likely to continue to be exploited.
Not all versions of Apache Struts are susceptible to attack. Versions 2.3.32 / 126.96.36.199 and more recent versions are not vulnerable to attack. Apache strongly recommends users of older, vulnerable versions to upgrade at the earliest possible opportunity.
If upgrading is likely to be problematic, there is another option. Users should switch from the Jakarta based file upload Multipart parser to the Pell parser plugin, which does not use the Common-FileUpload library.