Cisco Talos and Apache have issued warnings to their users following the revelation of a new Apache Struts vulnerability that has been actively exploited in recent days. Cisco Talos researchers recently identified the ‘zero-day’ vulnerability in the Java application framework and have confirmed a constant stream of attacks over the last few days.
According to Apache’s statement earlier this week, the newly identified Apache Struts vulnerability, CVE-2017-5638, lies in the Jakarta Multipart parser. It can be exploited for remote code execution (RCE) by sending a malicious Content-Type value. In the statement, Apache advised its users that “If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user.” The attacks have been carried out using a publicly released proof-of-concept.
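Because the trigger is a Content-Type value that is not a valid media type, a defender can flag such requests at the edge or in request logs before they reach the Struts multipart parser. The following is an added example, not code from the page, Apache or Cisco Talos: it checks a Content-Type header against a simplified media-type grammar, flags expression markers that never belong in a legitimate header, and runs the check over constructed log lines in an assumed custom format that records the Content-Type header (standard access logs do not).

```python
import re
from typing import List, Optional, Tuple

# Simplified RFC 7231 media-type grammar: type "/" subtype *( ";" parameter )
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(
    rf"^\s*{_TOKEN}/{_TOKEN}(\s*;\s*{_TOKEN}=(?:{_TOKEN}|\"[^\"]*\"))*\s*$"
)
# Expression-language markers that never appear in a legitimate Content-Type
_EXPR_MARKERS = ("%{", "${")


def content_type_is_suspicious(value: str) -> Optional[str]:
    """Return a reason if the Content-Type header looks malicious, else None."""
    if not value:
        return None  # absent header: nothing for the multipart parser to choke on
    for marker in _EXPR_MARKERS:
        if marker in value:
            return f"expression marker {marker!r} in Content-Type"
    if not _MEDIA_TYPE.match(value):
        return "Content-Type is not a valid media type"
    return None


# Assumed custom log format: <timestamp> <client> <method> <path> ct="<Content-Type>"
_LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) ct="(?P<ct>[^"]*)"$'
)


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, path, reason) for every request with a suspicious Content-Type."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        reason = content_type_is_suspicious(m.group("ct"))
        if reason:
            hits.append((m.group("client"), m.group("path"), reason))
    return hits


# Constructed sample log lines (not real traffic). The probe line carries only a
# placeholder expression marker, not a working payload.
SAMPLE_LOG = [
    '2017-03-08T10:15:02Z 203.0.113.5 POST /app/upload.action ct="multipart/form-data; boundary=----FormBoundary7MA4YWxk"',
    '2017-03-08T10:15:03Z 203.0.113.5 GET /app/index.action ct="application/x-www-form-urlencoded"',
    '2017-03-08T10:15:09Z 198.51.100.77 POST /app/index.action ct="%{#constructed_probe_placeholder}"',
    '2017-03-08T10:15:10Z 198.51.100.77 POST /app/index.action ct="multipart/form-data boundary=abc"',
]

if __name__ == "__main__":
    for client, path, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: {reason}")
```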
According to Cisco Talos, its researchers have observed two forms of attack. The first probes for the vulnerability by running a simple Linux command; if the probe succeeds, information is gathered about the vulnerable system, for example by running ipconfig to obtain the network configuration.
The second form of attack installs malware. According to Cisco, the malware being installed is extremely diverse. Cisco reports that on some systems the attackers have disabled both the Linux and SUSE Linux firewalls, after which malware was downloaded and installed in a manner that ensures persistence.
Cisco Talos reports that attacks on vulnerable systems began almost immediately after the proof-of-concept was published, and the rate of attacks has been steady ever since. As long as vulnerable systems remain unpatched, the Apache Struts vulnerability will in all probability continue to be exploited.
Some versions of Apache Struts, i.e. 2.3.32 and the other fixed, more recent releases, are not, however, vulnerable. Apache strongly recommends that users of older, vulnerable versions upgrade as soon as possible.
If upgrading proves problematic, there is an alternative: switch from the Jakarta-based Multipart file-upload parser to the Pell parser plugin, which does not use the Commons FileUpload library.