The eSentire Security Operations Center (SOC) is observing a widespread, marked increase in scanning and exploitation events against multiple targets, originating from IP ranges across the globe.
What you should do about it:
We recommend scanning all internet-facing servers for CVE-2017-5638 and remediating any vulnerable servers on your network immediately. Observed exploitation allows execution of arbitrary commands and remote code on the target server without any authentication. The flaw lies in the Jakarta Multipart parser of Apache Struts 2 and affects versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1.
- Validate if you are using the Apache Struts 2 web application framework.
- All versions except 2.5.10.1 and 2.3.32 are vulnerable and should be patched as soon as possible.
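To help with the inventory step above, the following is an added example (not an eSentire tool) that checks Struts 2 version strings against the fixed releases the advisory names and flags vulnerable `struts2-core-<version>.jar` files found in a deployment; the jar file names below are constructed samples.

```python
import re
from pathlib import Path

# Fixed releases named in the advisory: anything below these on its branch is vulnerable.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Struts 2 core library follows the Maven artifact naming struts2-core-<version>.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(version: str) -> tuple:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True when the Struts 2 release is older than the fix for its branch.

    Branches other than 2.3.x and 2.5.x never received a fix, so, following the
    advisory's rule, every release on them is treated as vulnerable.
    """
    ver = parse_version(version)
    if ver[0] != 2:
        return False  # not Struts 2 at all
    fixed = FIXED.get(ver[:2])
    return True if fixed is None else ver < fixed


def struts_version_from_jar(path: str):
    """Extract the version from a struts2-core jar path, or None if not one."""
    match = JAR_RE.search(path)
    return match.group(1) if match else None


def find_vulnerable_jars(paths) -> dict:
    """Map each vulnerable struts2-core jar path to its version."""
    hits = {}
    for path in paths:
        version = struts_version_from_jar(str(path))
        if version and is_vulnerable(version):
            hits[str(path)] = version
    return hits


def scan_directory(root: str) -> dict:
    """Walk a webapp directory tree (e.g. WEB-INF/lib) for vulnerable jars."""
    return find_vulnerable_jars(Path(root).rglob("struts2-core-*.jar"))


# Constructed sample paths, not taken from any real host.
SAMPLE_JARS = [
    "/opt/tomcat/webapps/shop/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/intranet/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/tomcat/webapps/shop/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]
```

Run `scan_directory("/opt/tomcat/webapps")` on a server to list the jars that need patching; the sample list shows the same logic offline.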
This security advisory has been issued as a follow-up to the CVE-2017-5638 Apache Struts 2 Remote Code Execution Vulnerability.