Apache Struts 2 needs patching, without delay. It's under attack now

Black hats testing remote code execution zero-day vulnerability

Infosec researchers have found a “dire” zero-day in Apache Struts 2, and it's under active attack.

If you're a sysadmin running Apache Struts 2 with the Jakarta-based multipart file upload parser (the default parser, so an installation is exposed unless it has been switched to another one), Nick Biasini of Cisco's Talos advises applying the latest upgrade immediately: the fixed releases are Struts 2.3.32 and 2.5.10.1.

CVE-2017-5638 is documented, with an exploit module, at Rapid7's Metasploit Framework GitHub site.

Talos's input adds urgency to getting the upgrade, because the organisation “found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released proof of concept that is being used to run various commands”.

It was Amol Sarwate, Qualys' director of engineering, who told El Reg the bug is dire because it's a "complete control" vuln. The company has also published a tester admins can run against their own systems.

First reported by Chinese developer Nike Zheng, the attack sends a malformed Content-Type value to the upload handler. The Jakarta multipart parser rejects the value with an exception whose message embeds the attacker-supplied header, and Struts then runs that message through its OGNL expression evaluator while building the error text, so an OGNL expression smuggled into the header is executed on the server with the application's privileges. That is what turns an invalid header into remote code execution.

Here's Talos' grab of a probe it's seen against a vulnerable system:

[Image: Talos capture of an attack probe against a vulnerable Struts 2 system]

Black hats a-knocking at the door

To see if the system is vulnerable, the probe does nothing more destructive than run whoami: a username coming back in the response tells the attacker both that the host is exploitable and which account the web application runs under.
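One way to spot this probe traffic in a proxy or WAF capture, as an added example that is not from the article, Talos, Qualys or the Struts project: a Python checker that scans every header in a captured request for OGNL expression syntax, and separately flags a Content-Type that is not a syntactically valid media type, which is the condition that makes the Jakarta parser throw in the first place. The sample requests, hostnames and paths are constructed, and the probe header is a deliberately truncated stand-in for the public proof of concept, not a working payload.

```python
import re
from typing import Iterator, List, Tuple

# Syntax that marks an OGNL expression, plus the sandbox-escape objects that
# appear in the public CVE-2017-5638 proof of concept. A legitimate multipart
# upload never carries any of these in a header value.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.OgnlContext|@java\.lang\.|#cmd\b",
    re.IGNORECASE,
)

# A syntactically valid media type: type/subtype plus optional ;name=value
# parameters. The Jakarta parser only throws (and so only reaches the OGNL
# evaluator) when the Content-Type does not look like this.
MEDIA_TYPE = re.compile(
    r'^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w-]+=("[^"]*"|[^;\s]+))*\s*$'
)

# Any "Name: value" line, whether a request header or a per-part header
# inside a multipart body.
HEADER_LINE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def header_lines(raw: str) -> Iterator[Tuple[str, str]]:
    """Yield (lower-cased name, value) for every header-shaped line."""
    for line in raw.split("\r\n"):
        m = HEADER_LINE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2).strip()


def inspect_request(raw: str) -> List[Tuple[str, str]]:
    """Return (header, reason) findings; an empty list means the request
    shows neither a malformed Content-Type nor OGNL syntax anywhere."""
    findings: List[Tuple[str, str]] = []
    for name, value in header_lines(raw):
        if OGNL_MARKERS.search(value):
            findings.append((name, "OGNL expression syntax in header value"))
        if name == "content-type" and not MEDIA_TYPE.match(value):
            findings.append((name, "not a syntactically valid media type"))
    return findings


def is_suspicious(raw: str) -> bool:
    return bool(inspect_request(raw))


# --- constructed sample traffic (not real captures) -------------------------

BENIGN_UPLOAD = "\r\n".join([
    "POST /showcase/fileupload/doUpload.action HTTP/1.1",
    "Host: struts.example.internal",
    "Content-Type: multipart/form-data; boundary=----Boundary4f2e",
    "Content-Length: 178",
    "",
    "------Boundary4f2e",
    'Content-Disposition: form-data; name="upload"; filename="notes.txt"',
    "Content-Type: text/plain",
    "",
    "hello",
    "------Boundary4f2e--",
    "",
])

# Shape of the whoami probe: the header is an OGNL expression, not a media
# type. Deliberately truncated so that it is not a working payload.
WHOAMI_PROBE = "\r\n".join([
    "POST /showcase/fileupload/doUpload.action HTTP/1.1",
    "Host: struts.example.internal",
    "Content-Type: %{(#_='multipart/form-data').(#cmd='whoami')"
    ".(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}",
    "Content-Length: 0",
    "",
    "",
])

# The same expression hidden in a part header behind a valid Content-Type,
# which a check on the top-level Content-Type alone would miss.
PART_HEADER_VARIANT = "\r\n".join([
    "POST /showcase/fileupload/doUpload.action HTTP/1.1",
    "Host: struts.example.internal",
    "Content-Type: multipart/form-data; boundary=----Boundary4f2e",
    "Content-Length: 200",
    "",
    "------Boundary4f2e",
    'Content-Disposition: form-data; name="upload"; filename="%{(#cmd=\'whoami\')}"',
    "Content-Type: text/plain",
    "",
    "x",
    "------Boundary4f2e--",
    "",
])


if __name__ == "__main__":
    for label, raw in [("benign upload", BENIGN_UPLOAD),
                       ("whoami probe", WHOAMI_PROBE),
                       ("part-header variant", PART_HEADER_VARIANT)]:
        print(f"{label}: {inspect_request(raw) or 'clean'}")
```

The media-type syntax check is the robust half: it fires on any variant of the Content-Type vector the article describes, however the OGNL inside is obfuscated, because the parser cannot throw on a well-formed header. The marker scan over every header-shaped line goes slightly beyond the article, catching the expression when it is moved into a multipart part header, but it is a string match and will need its pattern list maintained. Either way, a proxy rule built on this is a stopgap for the hours before the upgrade, not a substitute for it.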

The researchers have also seen malicious attacks which turn off firewall processes on the target and drop payloads: “The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet”.

Talos says it's also seen attempts to drop persistent attacks into targets: “The adversary attempts to copy the file to a benign directory and then ensure that both the executable runs and that the firewall service will be disabled when the system boots.” ®


Biting the hand that feeds IT © 1998–2017