Menu
Hackers exploit Apache Struts vulnerability to compromise corporate web servers

Hackers exploit Apache Struts vulnerability to compromise corporate web servers

The vulnerability allows attackers to execute malicious code on servers without authentication

Attackers are widely exploiting a recently patched vulnerability in Apache Struts that allows them to remotely execute malicious code on web servers.

Apache Struts is an open-source web development framework for Java web applications. It's widely used to build corporate websites in sectors including education, government, financial services, retail and media.

On Monday, the Apache Struts developers fixed a high-impact vulnerability in the framework's Jakarta Multipart parser. Hours later, an exploit for the flaw appeared on Chinese-language websites and this was almost immediately followed by real-world attacks, according to researchers from Cisco Systems.

The vulnerability is very easy to exploit and allows attackers to execute system commands with the privileges of the user running the web server process. If the web server is configured to run as root, the system is completely compromised, but executing code as a lower-privileged user is also a serious security threat.

What's even worse is that the Java web application doesn't even need to implement file upload functionality via the Jakarta Multipart parser in order to be vulnerable. According to researchers from Qualys, the simple presence on the web server of this component, which is part of the Apache Struts framework by default, is enough to allow exploitation.

"Needless to say we think this is a high priority issue and the consequence of a successful attack is dire," said Amol Sarwate, director of Vulnerability Labs at Qualys, in a blog post.

Companies who use Apache Struts on their servers should upgrade the framework to versions 2.3.32 or 2.5.10.1 as soon as possible.

Researchers from Cisco Talos have observed "a high number of exploitation events." Some of them only execute the Linux command whoami to determine the privileges of the web server user and are probably used for initial probing. Others go further and stop the Linux firewall and then download an ELF executable that's executed on the server.

"The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet," the Talos researchers said in a blog post.

According to researchers from Spanish outfit Hack Players, Google searches indicate 35 million web applications that accept "filetype:action" uploads and a high percentage of them are likely vulnerable.

It's somewhat unusual that attacks have started so quickly after the flaw was announced and it's not yet clear whether an exploit for the vulnerability already existed in closed circles before Monday. 

Users who can't immediately upgrade to the patched Struts versions can apply a workaround that consists of creating a Servlet filter for Content-Type that would discard any requests not matching multipart/form-data. Web application firewall rules to block such requests are also available from various vendors.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments