The AlienVault Blogs
Taking On Today’s Threats
March 14, 2017

Apache Struts Vulnerability Being Exploited by Attackers

Last week a new vulnerability affecting Apache Struts was reported (CVE-2017-5638) that affects the Apache Struts Jakarta Multipart parser. The vulnerability allows an unauthenticated attacker to execute code in the affected system by creating a specially crafted Content-Type HTTP header.

Starting last Thursday (March 9, 2017), we have seen a high number of attackers trying to exploit this vulnerability. Different payloads have been observed, with some examples as follows:

AlienVault seeing attackers exploiting CVE-2017-5638 in the wild

proof of exploitation in the wild of CVE-2017-5638

As of today, using the telemetry we received from the AlienVault Open Threat Exchange (OTX), we have identified more than 400 unique sources that are attempting to exploit this vulnerability.

telemetry from OTX used to find sources exploiting Apache Struts vuln

Indicators of Compromise

To address this threat, the AlienVault Labs team has created a Pulse in the Open Threat Exchange (OTX) with the collection of payloads that are being delivered.



Since this vulnerability is being actively exploited in the wild, our recommendation is to upgrade your Apache Struts version as soon as possible.

The vulnerable versions of Apache Struts are:

  • Struts 2.3.5 - Struts 2.3.31
  • Struts 2.5 - Struts 2.5.10

Upgrading to the following versions resolves the vulnerability:

For more information, you can check Apache’s documentation HERE.

AlienVault Coverage

AlienVault has released multiple signatures to detect attempts to exploit this vulnerability, which can be found in both our AlienVault USM Appliance and AlienVault USM Anywhere products.

The following example shows a successful detection of the vulnerability within our AlienVault USM Anywhere product, where we observe that a new ‘Webserver attack – Code Execution’ alarm has been triggered indicating a successful attack:

AlienVault USM correlates events to alarm when vulnerability being exploited

This alarm is the result of two events being correlated:

  • The first event detects the exploitation of CVE-2017-5638 against a Tomcat webserver using a vulnerable version of Apache Struts.

• The first event detects the exploitation of CVE-2017-5638 against a Tomcat webserver using a vulnerable version of Apache Struts

  • The second event that triggered the alarm is detecting an ELF executable being downloaded from the same host after the exploit has been successful.

Event correlation in USM to alarm on Struts exploit

We will be monitoring this activity and will update this blog post if we discover new information.


How to Detect and Investigate Brute Force Attacks with AlienVault USM Anywhere

A brute force attack is one of the more common types of attack that malicious actors use to try and gain access to your IT servers, applications and data. These attacks are relatively simple for attackers to implement and they can wreak havoc on your organization when successful. However, many IT security teams may not be aware that they are at risk from these attacks, or what to do about them.

Watch it now ›

Get the latest
security news in
your inbox.

Subscribe via Email

Labs Research
Security Essentials
All Blogs

Gartner MQ

Featured Content