Last week a new vulnerability in Apache Struts (CVE-2017-5638) was reported, affecting the Apache Struts Jakarta Multipart parser. The vulnerability allows an unauthenticated attacker to execute code on the affected system by sending a specially crafted Content-Type HTTP header.
Starting last Thursday (March 9, 2017), we have seen a high number of attackers trying to exploit this vulnerability. Different payloads have been observed, with some examples as follows:
As of today, using the telemetry we received from the AlienVault Open Threat Exchange (OTX), we have identified more than 400 unique sources that are attempting to exploit this vulnerability.
Indicators of Compromise
To address this threat, the AlienVault Labs team has created a Pulse in the Open Threat Exchange (OTX) with the collection of payloads that are being delivered.
Since this vulnerability is being actively exploited in the wild, our recommendation is to upgrade your Apache Struts version as soon as possible.
The vulnerable versions of Apache Struts are:
- Struts 2.3.5 - Struts 2.3.31
- Struts 2.5 - Struts 2.5.10
Upgrading to the following versions resolves the vulnerability:
For more information, you can check Apache’s documentation HERE.
The following example shows a successful detection of the vulnerability within our AlienVault USM Anywhere product, where we observe that a new ‘Webserver attack – Code Execution’ alarm has been triggered, indicating a successful attack:
This alarm is the result of two events being correlated:
- The first event detects the exploitation of CVE-2017-5638 against a Tomcat webserver using a vulnerable version of Apache Struts.
- The second event that triggered the alarm detects an ELF executable being downloaded from the same host after the exploit has succeeded.
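To make the two ideas on this page concrete, the vulnerable-version ranges listed above and the two-event correlation behind the alarm, here is an added illustrative example. It is not AlienVault code and not the USM Anywhere correlation rule; it assumes a constructed one-line-per-event log format (timestamp, source IP, event kind, detail), a constructed placeholder Content-Type value that merely contains the OGNL markers `%{` and `#` (it is not an exploit payload), and a fixed 5-minute correlation window, none of which come from the original post.

```python
"""Illustrative detection and correlation for CVE-2017-5638 activity.

Constructed example: the log format, sample lines and the 5-minute window
are assumptions, not part of the original post or any AlienVault product.
"""
import re
from datetime import datetime, timedelta

# A legitimate Content-Type header never contains an OGNL expression.
# "%{" followed by a "#" variable reference in that header is the
# indicator of an exploitation attempt against the Jakarta Multipart parser.
OGNL_IN_CONTENT_TYPE = re.compile(r"%\{.*#", re.DOTALL)

# ELF files start with the magic bytes 7f 45 4c 46 ("\x7fELF").
ELF_MAGIC_HEX = "7f454c46"

# Constructed sample log. Format: "<iso-timestamp> <src-ip> <kind> <detail>"
#   kind == "http"     -> detail is the Content-Type header value seen
#   kind == "download" -> detail is the first bytes of the fetched file (hex)
# The "%{...}" value below is a harmless placeholder, not a working payload.
SAMPLE_LOG = """\
2017-03-09T10:00:01 203.0.113.7 http multipart/form-data; boundary=----abc
2017-03-09T10:00:05 198.51.100.9 http %{(#sample='constructed').(#x=1)}
2017-03-09T10:00:40 198.51.100.9 download 7f454c46
2017-03-09T10:01:00 203.0.113.7 download 4d5a9000
2017-03-09T10:02:00 192.0.2.33 http %{(#sample='constructed')}
"""


def parse_version(version):
    """Turn '2.3.31' or '2.5' into a comparable tuple, padded to 3 parts."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


# Vulnerable ranges as stated in the post: 2.3.5-2.3.31 and 2.5-2.5.10.
VULNERABLE_RANGES = [
    (parse_version("2.3.5"), parse_version("2.3.31")),
    (parse_version("2.5"), parse_version("2.5.10")),
]


def is_vulnerable_struts(version):
    """True if the given Struts version falls inside a vulnerable range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def is_struts_exploit_attempt(content_type):
    """Flag a Content-Type header value carrying OGNL expression markers."""
    return OGNL_IN_CONTENT_TYPE.search(content_type) is not None


def is_elf(hex_prefix):
    """Flag a downloaded file whose first bytes are the ELF magic."""
    return hex_prefix.lower().startswith(ELF_MAGIC_HEX)


def parse_event(line):
    """Parse one constructed log line; returns None for malformed lines."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4:
        return None
    ts, src, kind, detail = parts
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "kind": kind, "detail": detail}


def correlate(log_lines, window=timedelta(minutes=5)):
    """Return source IPs for which an exploit attempt was followed, within
    `window`, by an ELF download from the same host (the two-event pattern
    described in the post)."""
    last_exploit = {}  # src ip -> timestamp of most recent exploit attempt
    alarms = []
    for line in log_lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "http" and is_struts_exploit_attempt(ev["detail"]):
            last_exploit[ev["src"]] = ev["ts"]
        elif ev["kind"] == "download" and is_elf(ev["detail"]):
            seen = last_exploit.get(ev["src"])
            if seen is not None and timedelta(0) <= ev["ts"] - seen <= window:
                if ev["src"] not in alarms:
                    alarms.append(ev["src"])
    return alarms


if __name__ == "__main__":
    for ip in correlate(SAMPLE_LOG.splitlines()):
        print("Webserver attack - Code Execution: exploit then ELF download from", ip)
```

The correlation only fires on the ordered pair (exploit attempt, then ELF download) from the same source, so a benign ELF fetch or a blocked exploit attempt on its own produces no alarm; that mirrors why the post's alarm needs both events rather than either one alone.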
We will be monitoring this activity and will update this blog post if we discover new information.