A new vulnerability in Apache’s open-source Struts project that allows remote code execution has been spotted under active exploitation in the wild.
A warning issued by Apache.org stated that CVE-2017-5638 makes remote code execution possible when a file upload is handled by the Jakarta Multipart parser in Apache Struts. The affected versions are Struts 2.3.5 – Struts 2.3.31 and Struts 2.5 – Struts 2.5.10.
“It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user,” Apache.org said.
Cisco Talos researcher Nick Biasini said the vulnerability is being exploited.
“Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution,” he wrote.
These are several of the many examples of attacks we are currently observing and blocking.
Apache recommends that users of the Jakarta-based file upload Multipart parser upgrade to Apache Struts version 2.3.32 or 188.8.131.52 and switch to a different implementation of the Multipart parser. The organization also recommended a workaround.
“Implement a Servlet filter which will validate Content-Type and throw away request with suspicious values not matching multipart/form-data,” it wrote.
Struts is an open source project of the Apache Foundation Jakarta project team, which uses MVC mode to help Java developers use J2EE to develop Web applications, according to Qualys’ Mandar Jadhav.