Apache Struts Vulnerability Being Exploited by Attackers

March 14, 2017 | Jaime Blasco

Last week a new vulnerability affecting Apache Struts was reported (CVE-2017-5638) that affects the Apache Struts Jakarta Multipart parser. The vulnerability allows an unauthenticated attacker to execute code in the affected system by creating a specially crafted Content-Type HTTP header.

Starting last Thursday (March 9, 2017), we have seen a high number of attackers trying to exploit this vulnerability. Different payloads have been observed, with some examples as follows:

AlienVault seeing attackers exploiting CVE-2017-5638 in the wild

proof of exploitation in the wild of CVE-2017-5638

As of today, using the telemetry we received from the AlienVault Open Threat Exchange (OTX), we have identified more than 400 unique sources that are attempting to exploit this vulnerability.

telemetry from OTX used to find sources exploiting Apache Struts vuln

Indicators of Compromise

To address this threat, the AlienVault Labs team has created a Pulse in the Open Threat Exchange (OTX) with the collection of payloads that are being delivered.



Since this vulnerability is being actively exploited in the wild, our recommendation is to upgrade your Apache Struts version as soon as possible.

The vulnerable versions of Apache Struts are:

  • Struts 2.3.5 - Struts 2.3.31
  • Struts 2.5 - Struts 2.5.10

Upgrading to the following versions resolves the vulnerability:

For more information, you can check Apache’s documentation HERE.

AlienVault Coverage

AlienVault has released multiple signatures to detect attempts to exploit this vulnerability, which can be found in both our AlienVault USM Appliance and AlienVault USM Anywhere products.

The following example shows a successful detection of the vulnerability within our AlienVault USM Anywhere product, where we observe that a new ‘Webserver attack – Code Execution’ alarm has been triggered indicating a successful attack:

AlienVault USM correlates events to alarm when vulnerability being exploited

This alarm is the result of two events being correlated:

  • The first event detects the exploitation of CVE-2017-5638 against a Tomcat webserver using a vulnerable version of Apache Struts.

•	The first event detects the exploitation of CVE-2017-5638 against a Tomcat webserver using a vulnerable version of Apache Struts

  • The second event that triggered the alarm is detecting an ELF executable being downloaded from the same host after the exploit has been successful.

Event correlation in USM to alarm on Struts exploit

We will be monitoring this activity and will update this blog post if we discover new information.

Jaime Blasco

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientest at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.

Read more posts from Jaime Blasco ›


Get the latest security news in your inbox.

Subscribe via Email

Watch a Demo ›
Get Price Free Trial