Apache Struts Makes a Comeback

Apache Struts is back in the news with another critical Remote Code Execution vulnerability affecting many of the newer versions of their software including Struts versions 2.3.5 – 2.3.31 and Struts 2.5-2.5.10. The vulnerability (CVE-2017-5638) and patch were released to the public on Monday; however attack probes and exploitation were detected before the official proof of concept exploit was released. Since release, the scanning activity by bad actors looking for exposed or vulnerable servers has picked up exponentially. The vulnerability itself affects the Jakarta multipart parser and Apache’s own OGNL, - Object Graph Navigation Library - which is an expression language used for setting and getting properties of Java objects.

This vulnerability can be exploited when an attacker sends a specially crafted request to the multi-part Jakarta upload parser with malicious code passed in the Content-Type header. The vulnerability is triggered due to a locally saved error message or error key that’s passed in a variable and evaluated after the data is passed to the multi-part form request. At the moment, several exploits are available online for testing. The Metasploit Framework has also released an exploit module.

Alert Logic Threat Intel, working with other industry intel teams – has identified 240 different source IP’s to date associated with this exploit, with the majority originating in China.  2 prominent IP’s - sourced by Cisco & Recorded Futures – are associated with this exploit:

- 61.135.175.14
- 182.111.58.151

Mitigation Recommendations:

  1. Verify Struts version running in your code bases:  versions 2.3.5 – 2.3.31 and Struts 2.5-2.5.10 are vulnerable.
  2. Upgrade per Apache: If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different implementation of the Multipart parser.
  3. Workaround alternative:  Implement a Servlet filter which will validate Content-Type and throw away request with suspicious values not matching multipart/form-data. https://cwiki.apache.org/confluence/display/WW/S2-045
  4. Ensure your detection and prevention systems have coverage for this vulnerability and exploit and are configured to protect your Apache systems.

Alert Logic Coverage

Alert Logic has evaluated its customer base for exposure to the exploit and has developed signatures and configuration steps for mitigating the threat depending on the security service in place. 

Web Security Manager Premier

  • For immediate blocking protection, customers using Alert Logic’s inline WAF (Web Security Manager Premier) can reach out by phone or email to Alert Logic to load the new header validation signature or header enforcement configuration steps.

Threat Manager

  • Vulnerability scanning has been updated to identify this Apache vulnerability.
  • Network based IDS has been updated with the latest signatures.

Cloud Defender

  • Network based IDS has been updated with the latest signatures.
  • Vulnerability scanning has been updated to identify this Apache vulnerability.
  • For immediate exploit detection, customers using Alert Logic’s out-of-band WAF can reach out by phone or email to Alert Logic to add a header validation signature.

View the Apache Struts CVE-2017-5638 article on the Alert Logic Knowledgebase.

About the Author

Joseph Hitchcock - Technical Security Evangelist

Joseph Hitchcock

Joe Hitchcock is passionate when it comes to system and network security. Initially self-taught, he started working as an independent contractor for small businesses doing malware removal and perimeter security. He started at Alert Logic in 2011 as a Network Security Analyst analyzing threat traffic and other attacks. Afterwards, he worked in Security Research and eventually became one of the first Analysts to work on the Web Security team supporting Web Security Manager WAF. He was eventually promoted to a Senior Web Security Analyst where his job included building custom security policies, researching new web attacks and adding custom signatures to better WSM detection.

Email Me | More Posts by Joseph Hitchcock