Apache Struts

Cisco's Talos security team announced it discovered attacks against a zero-day vulnerability in Apache Struts, which Apache patched on Monday.

According to its website, "Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON."

A patch is available

The vulnerability, CVE-2017-5638, allows an attacker to execute commands on the server via content uploaded to the Jakarta Multipart parser component, used in some Struts applications.

"If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or," said Lukasz Lenart, Apache Struts developer, on Monday.

Otherwise, developers are advised to use a servlet filter to "validate Content-Type and throw away request with suspicious values not matching multipart/form-data."
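One way to implement the servlet filter described above, as an added example that is not part of the article or the Apache Struts project's own code. It assumes a Servlet 3.0 container with the javax.servlet API; the class and method names are illustrative.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Servlet filter (constructed example) that drops requests whose Content-Type
// names multipart/form-data without being a well-formed multipart value, so a
// crafted header never reaches the Jakarta Multipart parser.
@WebFilter(urlPatterns = "/*")
public class MultipartContentTypeFilter implements Filter {

    // The only shape the upload parser should ever see: the exact media type,
    // then optional boundary/charset parameters (RFC 2046 boundary characters).
    private static final Pattern WELL_FORMED_MULTIPART = Pattern.compile(
        "^multipart/form-data(\\s*;\\s*(boundary=\"?[A-Za-z0-9'()+_,\\-./:=?]{1,70}\"?"
        + "|charset=[A-Za-z0-9_\\-]{1,40}))*\\s*$",
        Pattern.CASE_INSENSITIVE);

    // True when the request may proceed. A missing header or a non-multipart
    // media type is left to the application. The affected Struts dispatcher picks
    // the Jakarta parser whenever the header merely contains the multipart media
    // type, so that substring anywhere in the value triggers the strict match.
    static boolean isAcceptable(String contentType) {
        if (contentType == null) {
            return true;
        }
        String value = contentType.trim();
        if (!value.toLowerCase().contains("multipart/form-data")) {
            return true;
        }
        return WELL_FORMED_MULTIPART.matcher(value).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!isAcceptable(req.getContentType())) {
            // Throw the request away with 400; nothing downstream parses the body.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The filter is a stop-gap for applications that cannot upgrade immediately; the fixed Struts releases remain the real remedy.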

Exploit code available online

The danger is real as Cisco detected public proof-of-concept exploit code uploaded to a Chinese website on Thursday, and also detected several exploitation attempts.

The attacks ranged in complexity. In some cases, the attackers tried to execute simple "whoami" commands, most likely to test the exploit on a live server.

In other attacks, they tried more complex routines, chaining different shell commands together.

[Image: Apache Struts 0-day exploit code (via Cisco)]

Attackers tried to disable Linux and SUSE Linux firewalls, download and run a malware payload, and also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine. The malware payloads observed in the Struts attacks include an IRC bouncer, a DoS bot, and the Bill Gates DDoS bot.

"It is likely that the exploitation will continue in a wide scale since it is relatively trivial to exploit and there are clearly systems that are potentially vulnerable," said Nick Biasini, security researcher for Cisco Talos.
