A patch for a critical vulnerability in Apache Struts 2 was released Monday, but that is not stopping attackers: the framework is already under assault.
Apache Struts 2 is an open source web application framework for developing Java EE web applications.
The vulnerability, discovered and reported by Chinese developer Nike Zheng, is a remote code execution bug that affects the Jakarta file upload Multipart parser in Apache Struts 2. It allows attackers to place code in the “Content-Type” header of an HTTP request, which the web server can end up executing.
A Metasploit module for targeting the vulnerability is available.
System administrators should upgrade to version 2.3.32 or 2.5.10.1 as soon as possible.
It appears the vulnerability is easily exploitable: it requires no authentication, and two very reliable exploits have already been published online. Vulnerable servers are also easy to discover through simple web scanning.
SANS ISC and Cisco Talos said they have witnessed exploitation attempts and events since the patch came out.
“The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands,” said Cisco Talos’ Nick Biasini in a blog post. “Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution.”
Cisco released Snort rules to block exploitation attempts. However, the rules rely on matching quite long “Content-Type” headers.
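A defender-side check in the spirit of the Snort rules mentioned above, as an added example that is not from the article, Cisco or Apache: it validates each request's Content-Type header against the media-type grammar and flags values that are overlong or are not a media type at all. The length threshold, the request record layout and the sample requests are assumptions constructed for the example.

```python
import re

# Media-type grammar (RFC 7231 3.1.1.1 with RFC 7230 token rules):
#   type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"   # tchar: no controls, space or ()<>@,;:"/[]?={}
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_PARAM = rf"{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:[ \t]*;[ \t]*{_PARAM})*[ \t]*$")

# Assumed threshold: a browser-generated multipart boundary keeps the whole
# header well under 100 bytes, so anything this long deserves a look.
MAX_CONTENT_TYPE_LEN = 255


def content_type_findings(value: str) -> list[str]:
    """Reasons a Content-Type value looks suspicious; [] if it is a plain
    media type of sane length. Both checks run, so both can fire at once."""
    findings = []
    if len(value) > MAX_CONTENT_TYPE_LEN:
        findings.append(f"overlong ({len(value)} bytes)")
    if not _MEDIA_TYPE.match(value):
        findings.append("not a valid media type")
    return findings


def scan_requests(requests: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (client, path, findings) for each request whose
    Content-Type header is flagged by content_type_findings()."""
    flagged = []
    for req in requests:
        findings = content_type_findings(req["headers"].get("Content-Type", ""))
        if findings:
            flagged.append((req["client"], req["path"], findings))
    return flagged


# Constructed sample requests (not captured traffic): two ordinary ones, then
# code-like text in place of a media type (a placeholder, not a real payload),
# then a well-formed header padded far past any normal length.
SAMPLE_REQUESTS = [
    {"client": "10.0.0.5", "path": "/upload.action", "headers":
     {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryAbC123"}},
    {"client": "10.0.0.6", "path": "/api/items", "headers":
     {"Content-Type": "application/json; charset=utf-8"}},
    {"client": "203.0.113.9", "path": "/upload.action", "headers":
     {"Content-Type": "#{constructed expression}"}},
    {"client": "203.0.113.10", "path": "/upload.action", "headers":
     {"Content-Type": "multipart/form-data; boundary=" + "x" * 400}},
]

if __name__ == "__main__":
    for client, path, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"{client} {path}: {', '.join(findings)}")
```

Quoted-string parameter values can legally contain almost any character, which is why the length check stays alongside the grammar check rather than replacing it.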