A critical remote code execution vulnerability has been patched in the popular Java web application framework Apache Struts. The vulnerability is being actively exploited in the wild. Organizations using Apache Struts to build Java web applications should update to the patched version immediately to mitigate the risk of exploitation.
Vulnerable versions of Apache Struts include 2.3.5 to 2.3.21 and 2.5 to 2.5.10. Updating to the newest versions of Apache Struts will remove the vulnerability.
The vulnerability, which was first discovered by researchers at Cisco, occurs because of a flaw in the Jakarta Multipart parser. By uploading a file with a malicious Content-Type, attackers can execute their own code on the server. Attackers can execute system commands with the same privileges as the web server, making it an especially dangerous attack if those web servers are being run with root privileges, which is discouraged but not uncommon.
Attackers don’t need to be authenticated to carry out this attack and it’s relatively straightforward to implement, which means attackers with limited technical knowledge may be able to successfully execute remote code and compromise Apache Struts servers.
Proof-of-concept code for the attack is in the public domain, and a Metasploit module has been published. Because the attack looks like an ordinary request to the web server, it can be difficult to determine whether an attack has occurred. The only way to be sure that your web application servers aren’t vulnerable is to update to a patched version of Apache Struts.
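Because the malicious request differs from a normal file upload only in its Content-Type header, one practical detection step is to log that header and check each value against the media-type grammar. The script below is an added example written for this post, not code from the Apache Struts project or from Future Hosting; it assumes an Apache-style access log that includes the request's Content-Type header via `%{Content-Type}i`, and the log lines and the expression-marker strings in them are constructed for illustration. It flags any header that carries OGNL-style expression markers or that does not parse as a `type/subtype` media type.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in an assumed access log format:
#   LogFormat "%h %t \"%r\" %>s \"%{Content-Type}i\""
# The expression markers in lines 3 and 4 are placeholders, not real payloads.
SAMPLE_LOG = """\
10.0.0.5 [10/Mar/2017:12:00:01 +0000] "POST /app/upload.action HTTP/1.1" 200 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
10.0.0.6 [10/Mar/2017:12:00:02 +0000] "GET /app/index.action HTTP/1.1" 200 "-"
10.0.0.7 [10/Mar/2017:12:00:03 +0000] "POST /app/upload.action HTTP/1.1" 200 "%{#constructed_ognl_marker}"
10.0.0.8 [10/Mar/2017:12:00:04 +0000] "POST /app/upload.action HTTP/1.1" 500 "multipart/form-data; boundary=x ${#also_constructed}"
10.0.0.9 [10/Mar/2017:12:00:05 +0000] "POST /api/data HTTP/1.1" 200 "application/json"
"""

# Parser for the assumed log format above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# RFC 7230 token characters; a media type is token "/" token plus optional ;-parameters.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE_RE = re.compile(rf'^{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"]*"))*\s*$')

# Heuristic: these sequences introduce OGNL expressions and do not occur in
# legitimate media types sent by browsers or HTTP client libraries.
OGNL_MARKERS = ("%{", "${", "#")


@dataclass
class Finding:
    ip: str
    request: str
    content_type: str
    reason: str


def classify_content_type(value):
    """Return None for a benign header value, or a reason string if it looks injected."""
    if value in ("", "-"):          # header absent (logged as "-" by Apache)
        return None
    for marker in OGNL_MARKERS:
        if marker in value:
            return f"contains expression marker {marker!r}"
    if not MEDIA_TYPE_RE.match(value):
        return "does not parse as a media type"
    return None


def scan_log(text):
    """Parse each log line and collect requests whose Content-Type is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # line does not fit the assumed format; skip it
        reason = classify_content_type(m["ctype"])
        if reason:
            findings.append(Finding(m["ip"], m["req"], m["ctype"], reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip} {f.request!r} Content-Type={f.content_type!r}: {f.reason}")
```

Run against the constructed sample, the scan reports the requests from 10.0.0.7 and 10.0.0.8 and leaves the well-formed multipart, JSON and header-less requests alone. Checking the header against the grammar, rather than against a list of known payload strings, means a reworded payload is still caught as long as it is not a valid media type; a hit on a 200 response is the case worth investigating first, since it means the parser accepted the request.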
Security experts have warned that the vulnerability poses a serious risk to companies that neglect to update to the patched version. Because attackers can execute arbitrary code on compromised servers, they may be able to upload malicious binaries and push them to other servers in the same network. There’s also scope for advanced persistent threats in which attackers use the Apache Struts vulnerability to create a beachhead from which they can move deeper into the network.
Researchers from Cisco Talos have observed multiple instances of the vulnerability being exploited on corporate servers.
Of particular concern is the use of Apache Struts on Internet of Things devices. Such devices are rarely updated promptly, so it’s likely the vulnerability will be a problem for some time to come.
Although Future Hosting doesn’t offer managed Apache Struts hosting, we do support a number of Java web application hosting environments, including Glassfish, Tomcat, and JBoss. We’d like to make sure that everyone who uses Apache Struts on our VPS and dedicated server hosting options is aware of the vulnerability in Apache Struts and takes the necessary steps to update to a patched version.