Cisco's Talos security team announced it discovered attacks against a zero-day vulnerability in Apache Struts, which Apache patched on Monday.
According to its website, "Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON."
The vulnerability, CVE-2017-5638, allows an attacker to execute commands on the server via content uploaded to the Jakarta Multipart parser component, used in some Struts applications.
"If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1," said Lukasz Lenart, Apache Struts developer, on Monday.
Otherwise, developers are advised to use a servlet filter to "validate Content-Type and throw away request with suspicious values not matching multipart/form-data."
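The following servlet filter is an added illustration of that workaround; it is not the Apache Struts project's own code. It assumes the Servlet 3.x API (`javax.servlet`) and is registered in `web.xml` ahead of the Struts dispatcher filter (`StrutsPrepareAndExecuteFilter`) so it sees every request first. Any request whose Content-Type mentions `multipart/form-data` but does not have the shape of a normal multipart header (media type plus `; name=value` parameters built from token or boundary characters) is rejected with 400 before Struts routes it to the Jakarta multipart parser.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Content-Type gate for Struts deployments that cannot upgrade immediately
 * (illustrative example, not the Apache project's own workaround code).
 * The vulnerable Struts builds hand any request whose Content-Type contains
 * "multipart/form-data" to the Jakarta multipart parser, so this filter only
 * lets such a header through when it is a well-formed multipart header.
 */
public class MultipartContentTypeFilter implements Filter {

    // Strict header shape: "multipart/form-data" followed by zero or more
    // "; name=value" parameters. Parameter names and bare values use RFC 7230
    // token characters; quoted values are limited to RFC 2046 boundary characters.
    // Neither set contains '{', '}' or whitespace outside quotes, so expression
    // syntax smuggled into the header cannot match.
    private static final String TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
    private static final String QUOTED = "\"[ 0-9A-Za-z'()+_,./:=?-]*\"";
    private static final Pattern WELL_FORMED_MULTIPART = Pattern.compile(
        "(?i)^multipart/form-data(\\s*;\\s*" + TOKEN + "=(" + TOKEN + "|" + QUOTED + "))*\\s*$");

    /**
     * Returns true when the header is absent, does not reference the multipart
     * parser at all, or is a well-formed multipart/form-data header.
     */
    static boolean isAcceptable(String contentType) {
        if (contentType == null) {
            return true;
        }
        String lower = contentType.toLowerCase(Locale.ROOT);
        if (!lower.contains("multipart/form-data")) {
            return true; // Struts will not route this request to the Jakarta parser
        }
        return WELL_FORMED_MULTIPART.matcher(contentType).matches();
    }

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) request;
        if (!isAcceptable(http.getContentType())) {
            // Discard the request before any Struts component parses the header.
            HttpServletResponse out = (HttpServletResponse) response;
            out.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed Content-Type header");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Normal uploads such as `multipart/form-data; boundary=----WebKitFormBoundaryabc123` pass, while a header that carries expression syntax or any character outside the token and boundary sets is dropped. The filter is a stopgap for hosts awaiting the 2.3.32 or 2.5.10.1 upgrade rather than a replacement for it, since it only guards the Content-Type path the advisory names.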
The danger is real as Cisco detected public proof-of-concept exploit code uploaded to a Chinese website on Thursday, and also detected several exploitation attempts.
The attacks ranged in complexity. In some cases, the attackers tried to execute simple "whoami" commands, most likely to test the exploit on a live server.
In other attacks, they tried more complex routines, chaining different shell commands together.
Attackers tried to disable Linux and SUSE Linux firewalls, download and run a malware payload, and also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine. The malware payloads observed in the Struts attacks include an IRC bouncer, a DoS bot, and the Bill Gates DDoS bot.
"It is likely that the exploitation will continue in a wide scale since it is relatively trivial to exploit and there are clearly systems that are potentially vulnerable," said Nick Biasini, security researcher for Cisco Talos.