The open-source Apache Struts 2 technology is a widely used framework component in Java applications and it’s currently under attack. The attacks follow the March 6 disclosure by the Struts project for a Remote Code Execution (RCE) vulnerability identified as CVE-2017-5638.
The CVE-2017-5638 issue was patched the same day as the Struts project made the disclosure, though multiple security firms have observed that attackers are actively going after unpatched systems.
“It is possible to perform a RCE attack with a malicious Content-Type value,” the Apache Struts project warns in its advisory. “If the Content-Type value isn’t valid, an exception is thrown which is then used to display an error message to a user.”
John Matthew Holt, Waratek Founder and CTO, commented in an email statement, that the Struts vulnerability is critical because the attack can be achieved without authentication. To make matters worse, web applications don’t necessarily need to successfully upload a malicious file to exploit this vulnerability, as just the presence of the vulnerable Struts library within an application is enough to exploit the vulnerability.
“For users who have made custom changes on Struts source code, it could take days or weeks to upgrade,” Holt stated.
Rapid7 is among the security vendors that are actively tracking the Struts vulnerability as well as enabling organizations to test if they are at risk. Rapid7 is the lead commercial sponsor behind the open-source Metasploit penetration testing framework There is an in-development module for Metasploit now that enables researchers to test the Struts issue.
“Pen testers can download the current version of the code from GitHub but the module still needs some adjustments and quality control review before being added to the official project codebase,” Tom Sellers, Threat Analysis & Security Researcher at Rapid7, told eWEEK.
In addition to Metasploit, Rapid7 has operated the Heisenberg Cloud since November 2016, providing a cloud honeypot network on Amazon Web Services, Microsoft Azure, Digital Ocean, Rackspace, Google Cloud Platform and IBM SoftLayer—to see what kind of attacks are occurring.
“The Heisenberg Cloud honeypots are passive listeners so their contribution will be data on how widespread and frequent the attacks are,” Sellers explained.
As it turns out, the Heisenberg Cloud started seeing malicious requests related to the Apache Struts vulnerability on Tuesday, March 7th. The attack probes spiked on Wednesday March 8, nearly two days after the Struts project released its patch and security advisory for CVE-2017-5638. Though there has been attack traffic, it hasn’t been a growing trend.
“We’ve actually seen a drop off in related traffic since Wednesday March 8th,” Sellers said. “This may be a temporary lull as attackers figure out how to best leverage the vulnerability or are waiting for attention to move elsewhere.”
From an attack payload perspective, Sellers noted that to date, Rapid7 has not seen the CVE-2017-5638 issue used as a vector to install ransomware.
“The malware that we have seen to date has been DDoS related,” Sellers said.
Given that Struts is infrastructure software that is embedded in running systems, it’s not always an easy task for organizations to patch. In fact, Sellers expects that attackers will be making use of the CVE-2017-5638 Struts vulnerability for quite some time.
“We still see attacks using MS08-067 (Conficker) against Heisenberg Cloud honeypots a decade after its public disclosure and patch by Microsoft,” Sellers said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
