Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON.
In a blog post published Monday, Cisco's threat intelligence firm Talos announced that the team had observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts.
According to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts that could allow an attacker to execute malicious commands on the server when a file upload is handled by that parser.
"It is possible to perform an RCE attack with a malicious Content-Type value," warned Apache. "If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user." The vulnerability, documented at Rapid7's Metasploit Framework GitHub site, has been patched by Apache. So, if you are using the Jakarta-based file upload Multipart parser under Apache Struts 2, you are advised to upgrade to Apache Struts version 2.3.32 or 2.5.10.1 immediately.
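A defender's check for the header-based pattern described above, as an added example that is not from the article, Talos or Apache: it flags requests whose Content-Type is not a well-formed media type or carries OGNL expression markers (`%{`, `${`), which is what the error-message path evaluates. The sample requests and host name are constructed.

```python
"""Flag HTTP requests whose Content-Type header looks like an OGNL injection
attempt against the Struts 2 Jakarta Multipart parser (CVE-2017-5638).

Added example for this article, not Talos or Apache code. A legitimate
Content-Type is a media type such as multipart/form-data; OGNL expressions
begin with '%{' or '${', which never appear in a valid media type."""
import re
from typing import Iterable, List, Tuple

# Media type per RFC 7231: type "/" subtype, optional ";" parameters.
_MEDIA_TYPE = re.compile(r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;.*)?$", re.I)
# Markers that open an OGNL expression in Struts 2.
_OGNL_MARKERS = ("%{", "${")


def content_type_is_suspicious(value: str) -> bool:
    """True if the header value is not a plain media type or embeds OGNL."""
    v = value.strip()
    if any(marker in v for marker in _OGNL_MARKERS):
        return True
    return not _MEDIA_TYPE.match(v)


def scan_requests(raw_requests: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (request index, Content-Type value) for each suspicious request."""
    hits: List[Tuple[int, str]] = []
    for i, raw in enumerate(raw_requests):
        for line in raw.split("\r\n"):
            name, sep, val = line.partition(":")
            if sep and name.strip().lower() == "content-type":
                if content_type_is_suspicious(val):
                    hits.append((i, val.strip()))
    return hits


# Constructed sample requests (not real captures); the host is a placeholder.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Type: %{(#constructed='placeholder')}\r\n\r\n",
    "POST /login.action HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n",
]

if __name__ == "__main__":
    for idx, ct in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: suspicious Content-Type {ct!r}")
```

The same check can be applied to reverse-proxy or WAF logs that record request headers, where a hit on a Struts endpoint is worth correlating with the post-exploitation activity Talos describes.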
Exploit Code Publicly Released
The vulnerability is especially dangerous because the Talos researchers have already detected public proof-of-concept (PoC) exploit code, which was uploaded to a Chinese site.
The researchers even detected "a high number of exploitation events," the majority of which seem to be leveraging the publicly released PoC that is being used to run various malicious commands.
"Final steps include downloading a malicious payload from a web server and execution of said payload," the researchers say. "The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the Bill Gates botnet... A payload is downloaded and executed from a privileged account." Attackers also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine.
According to the researchers, the attackers tried to copy the file to a benign directory and ensure "that both the executable runs and that the firewall service will be disabled when the system boots."
Both Cisco and Apache researchers urge administrators to upgrade their systems to Apache Struts version 2.3.32 or 2.5.10.1 as soon as possible. Admins can also switch to a different implementation of the Multipart parser.