Vulnerability Overview
A critical vulnerability has recently been disclosed and quickly became the subject of active exploitation in the wild. The vulnerability affects software that uses unpatched versions of Apache Struts, and allows attackers to trivially achieve remote code execution.
The exploit is simple to execute remotely and does not require the attacker to have any prior access. Furthermore, a successful attack yields remote code execution as the user running the web server – typically considered critical in terms of impact. Combined, these factors make this a very high-risk vulnerability.
Apache Struts is a common Model View Controller (MVC) library for building Java web applications, so it will commonly be found on Internet-facing web applications, increasing its exposure to potential attackers. As a result, the vulnerability is being actively exploited across the Internet, and exploit code is readily available.
Is my organisation vulnerable?
SureCloud vulnerability scanning customers can detect this vulnerability now by running scans from the SureCloud Vulnerability Management module.
If you are running any web application based on Apache Struts 2 and have not applied the relevant patches, you are vulnerable. If these applications are reachable from the Internet, there is an imminent threat of compromise, or they may have been compromised already; we also strongly recommend fixing internal instances as soon as possible. Such applications may have been built in-house or purchased as proprietary software, and it is wise to check with the developers wherever you are unsure.
Versions of Apache Struts 2 prior to 2.3.32 and 2.5.10.1 are vulnerable.
Remediation
Update to the latest stable version of Apache Struts: at least 2.3.32 or 2.5.10.1. Depending on how the web application is deployed, it may be necessary to recompile the application with the updated version of Apache Struts. Alternatively, as a workaround, switch to a different multipart parser (only Jakarta is known to be vulnerable): https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries.
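As an added triage check (example code, not part of this advisory and not SureCloud's scanner), the following Python script applies the version boundaries and the multipart-parser workaround above to a struts2-core jar name and a struts.xml. It assumes the jar follows the usual struts2-core-<version>.jar naming and that the workaround is configured through the struts.multipart.parser constant in struts.xml; the sample struts.xml is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory, keyed by the 2.x branch they belong to.
FIXED = {3: (2, 3, 32), 5: (2, 5, 10, 1)}
# Assumed jar naming convention: struts2-core-<version>.jar under WEB-INF/lib.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1) so that tuples compare numerically."""
    return tuple(int(p) for p in text.split("."))

def is_vulnerable_version(version):
    """True when the version predates 2.3.32 (2.3 line and older) or 2.5.10.1 (2.5 line)."""
    v = parse_version(version)
    if v[0] != 2:
        return False
    fixed = FIXED[3] if v[1] <= 3 else FIXED[5]
    return v < fixed

def jar_version(jar_name):
    """Extract the Struts version from a struts2-core jar path or name, else None."""
    m = JAR_RE.search(jar_name)
    return m.group(1) if m else None

def multipart_parser(struts_xml):
    """Return the configured struts.multipart.parser; Struts defaults to 'jakarta'."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.multipart.parser":
            return const.get("value", "jakarta")
    return "jakarta"

def assess(jar_name, struts_xml):
    """Classify a deployment as patched, vulnerable, or relying on the parser workaround."""
    version = jar_version(jar_name)
    if version is None:
        return "unknown: no struts2-core jar version found"
    if not is_vulnerable_version(version):
        return f"patched: struts2-core {version}"
    parser = multipart_parser(struts_xml)
    if parser.startswith("jakarta"):  # assumption: any jakarta* value is the Jakarta parser
        return f"vulnerable: struts2-core {version} with {parser} multipart parser"
    return f"workaround: struts2-core {version} uses {parser} parser; upgrade is still required"

# Constructed sample struts.xml (not taken from any real deployment).
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.multipart.parser" value="pell"/>
</struts>"""

if __name__ == "__main__":
    for jar in ("struts2-core-2.3.31.jar", "struts2-core-2.5.10.jar", "struts2-core-2.5.10.1.jar"):
        print(jar, "->", assess(jar, SAMPLE_STRUTS_XML))
```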
References
Active attacks in the wild: https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
Apache’s bulletin: https://cwiki.apache.org/confluence/display/WW/S2-045
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638