Apache Struts 2 Remote Code Vulnerability

The eSentire threat intelligence team has observed ongoing network attacks targeting vulnerable Apache Struts 2 web frameworks. The vulnerability CVE-2017-5638 is being actively exploited in the wild resulting in the compromise of integrity and confidentiality of web servers. All customers are advised to scan for and perform remediation on any vulnerable servers on their network immediately.

The Vulnerability

The exploitation of the Struts 2 vulnerability allows the execution of arbitrary commands and remote code on the target server without any authentication. Attackers have been observed installing various types of malware onto vulnerable systems. Compromised web servers can be used to spread malware to website visitors, or users, the compromised server can hijack for ransom or used facilitate further attacks that may result in financial and reputational damage to the affected organizations.

Recommended Actions

• Validate if you are using the Apache Struts 2 web application framework.
• Be aware that all versions except 2.5.10.1 and 2.3.32 are considered to be vulnerable and should be patched as soon as possible.
• If you are suspicious of compromise isolate the potentially affected server from the network and run a code validation to check for any unauthorized modifications.

eSentire Protection

• eSentire will continue to monitor the networks of our customers for signs of exploitations and activity related to this attack.
• Affected customers have been alerted as a part of monitoring practices.
• eSentire is working closely with the security community and partners to monitor any external developments of this threat.
• For CVS customers a check for CVE-2017-5638 will be included in the next weekly external and monthly internal scans. This scan can also be performed outside the schedule upon request if required it sooner.

Additional Details

• Vulnerable versions of Apache Struts include 2.3.5 through 2.3.31 and 2.5 through 2.5.10. These should be upgraded to 2.3.32 or 2.5.10.1, which are not vulnerable.
• The vulnerability affects the Jakarta file upload multipart parser, which is part of a standard deployment of Apache Struts 2.
• Exploitation involves sending an HTTP payload with a specially crafted Content-Type value to the vulnerable server.
• File upload functionality does not have to be enabled on the victim server in order for the vulnerability to be exploitable.

Additional Details

• Vulnerability information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
• Exploitation framework: https://github.com/rapid7/metasploit-framework/issues/8064