Hackers exploit Apache Struts vulnerability to compromise corporate web servers

The vulnerability allows attackers to execute malicious code on servers without authentication

Attackers are widely exploiting a recently patched vulnerability in Apache Struts that allows them to remotely execute malicious code on web servers.

Apache Struts is an open-source web development framework for Java web applications. It's widely used to build corporate websites in sectors including education, government, financial services, retail and media.

On Monday, the Apache Struts developers fixed a high-impact vulnerability in the framework's Jakarta Multipart parser. Hours later, an exploit for the flaw appeared on Chinese-language websites and this was almost immediately followed by real-world attacks, according to researchers from Cisco Systems.

The vulnerability is very easy to exploit and allows attackers to execute system commands with the privileges of the user running the web server process. If the web server is configured to run as root, the system is completely compromised, but executing code as a lower-privileged user is also a serious security threat.

What's even worse is that the Java web application doesn't even need to implement file upload functionality via the Jakarta Multipart parser in order to be vulnerable. According to researchers from Qualys, the simple presence on the web server of this component, which is part of the Apache Struts framework by default, is enough to allow exploitation.

"Needless to say we think this is a high priority issue and the consequence of a successful attack is dire," said Amol Sarwate, director of Vulnerability Labs at Qualys, in a blog post.

Companies who use Apache Struts on their servers should upgrade the framework to versions 2.3.32 or 2.5.10.1 as soon as possible.

Researchers from Cisco Talos have observed "a high number of exploitation events." Some of them only execute the Linux command whoami to determine the privileges of the web server user and are probably used for initial probing. Others go further and stop the Linux firewall and then download an ELF executable that's executed on the server.

"The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet," the Talos researchers said in a blog post.

According to researchers from Spanish outfit Hack Players, Google searches indicate 35 million web applications that accept "filetype:action" uploads and a high percentage of them are likely vulnerable.

It's somewhat unusual that attacks have started so quickly after the flaw was announced and it's not yet clear whether an exploit for the vulnerability already existed in closed circles before Monday. 

Users who can't immediately upgrade to the patched Struts versions can apply a workaround that consists of creating a Servlet filter for Content-Type that would discard any requests not matching multipart/form-data. Web application firewall rules to block such requests are also available from various vendors.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?