Apache Servers Under Attack Through Easily Exploitable Struts 2 Flaw

Orome1 quotes a report from Help Net Security: A critical vulnerability in Apache Struts 2 is being actively and heavily exploited, even though the patch for it has been released on Monday. The vulnerability (CVE-2017-5638) affects the Jakarta file upload Multipart parser in Apache Struts 2. It allows attackers to include code in the "Content-Type" header of an HTTP request, so that it is executed by the web server. Almost concurrently with the release of the security update that plugs the hole, a Metasploit module for targeting it has been made available. Unfortunately, the vulnerability can be easily exploited as it requires no authentication, and two very reliable exploits have already been published online. Also, vulnerable servers are easy to discover through simple web scanning. "Struts 2 is a Java framework that is commonly used by Java-based web applications," reports SANS ISC in their blog. "It is also known as 'Jakarta Struts' and 'Apache Struts.' The Apache project currently maintains Struts." Cisco Talos also has a blog detailing the attack.

FP!

At last!

Re: FP!

Whoever chose struts 2 back then probably deserve it

Re: FP!

Whoever chose struts 2 back then probably deserve it

Maybe not for the 6 months in which it was relevant, but for the 13[1] years where all java sweatshops kept on using that piece of shit yes, they deserve it.

[1]not a precise number

Re: FP!

[Eravnrekaree]

What would you recommend instead?

Re: FP!

[snookiex]

I acknowledge that it's not for everyone, but I'm really enjoying Vaadin right now.

Re: FP!

[TheNarrator]

I looked at struts2 back in my enterprise java days. There was way too much automagic driven by rails envy where it was doing very dynamic things magically based on the request. Lots of stuff where the request would become a very complex java object that would interact with automagic libraries to do dangerous things and you just had to trust their weren't any exploits. I decided to use json servlets and single page web app frameworks instead.

Re:FP!

#cmd !!!! Why would that be in an outside facing interface!!!
This isn't a bug or an exploit - it the stupidist backdoor ever!

CAP === I'm 'numbed'

Re: FP!

[Eravnrekaree]

As long as it is clearly documented what it will do, and you know what precisely what it will having it automatically do things isnt necessarily bad, can save time, as long as finer grain control is allowed. If it is poorly documented and does unexpected things, this is pretty bad. Allowing a system command to be run is a pretty nasty undocumented automatic behaviour.

Re: FP!

Back then Spring MVC was already available. It survived much better because they kept things simple.

Re: FP!

Vaadin came out much later than struts 2 so you can't say they deserve it for not choosing Vaadin.

Re: FP!

Back then even staying on struts 1 was smarter than going with struts 2 which is a completely different framework and not a version upgrade.

People blindly jumped on Struts 2 because there was a time where everyone used Struts 1. Because.... hey who would want to have an iPhone 6 when an iPhone 7 is already out? It's so passe!

Re: FP!

Well struts 2 is stupid and for the stupid so.... yeah that explains

Re: FP!

[snookiex]

What are you talking about? Vaadin was published in 2002 and Struts 2 came out in 2005. Besides, I'm just saying that Vaadin is an option, that's all.

Re: FP!

Vaadin wasn't known as Vaadin back then and really was not that popular until post 2009 or even later.

And no Millstone and IT Mills toolkit (Vaadin's old name) are not serious contenders when Struts 2 came out.

Considering Struts 2 came out with lots of hype and went out of favour very very quickly, I would say the peak of Struts 2 hype did not overlap with when Vaadin started getting popular.

Ok... unless you are talking about really really really stupid people who still chose Struts 2 after 2010. I think it's an insult to stupid people if you're comparing them to these incorrigible idiots.

Re: FP!

You precisely said "came out". You are just changing words to make it sounds like you were correct all along when you were not. Typical selfish moron

uh

when did apache become something else than a webserver?

Re:uh

[RabidReindeer]

Apache HTTPD - more commonly known as simply "Apache" is the flagship product of the Apache Foundation.

But they took over the Tomcat J2EE server and spread out into an entire Java domain - "Jakarta".

Jakarta Tomcat is now known as Apache Tomcat, however, and most of the other jakarta projects have been made into "apache" projects.

And yes, as a Tomcat support person, I do find it annoying that clueless people will ask me questions about "apache" and the first thing I have do do is figure out which Apache they are talking about. Especially since it's very common for Apache HTTPD to reverse proxy one or more Apache Tomcat servers and they may be referring to both as though it was one product.

Re:uh

[reginaldo]

Apache has Kafka, among others. But honestly Kafka is all we need now.

Re:uh

[quetwo]

Apache has over 300 projects now that they maintain. Tomcat, Jetty, Open Office, Flex, Cordova, ANT, CouchDB, Maven, Luceen, etc. are all Apache projects that are some of the more popular open-source projects out there. They started accepting projects in addition to httpd in the late 90's.

Re:uh

[Eravnrekaree]

Kafka claims to be a streaming platform, and Struts claims to be an MVC framework. So, they serve different domains it would seem.

Re:uh

[Coisiche]

the first thing I have do do is figure out which Apache they are talking about

Reminds me of IBM Tivoli which has a host of unrelated things under one umbrella

Other: "You do Tivoli, right?"

Me: "Tivoli Monitoring, to be precise. Well, only ITM6 really, which is just rebadged Candle after they bought Candle out. I don't know much about previous versions."

Other: "Whatever. There's this backup issue..."

Me. "I think you'll find that's Tivoli Storage Manager. A completely unrelated product that I've never worked with."

Re:uh

[rbowen]

The Apache Software Foundation is now more than 300 projects. See https://projects.apache.org/

Re:uh

[RabidReindeer]

I thought that was supposed to be WebSphere.

1999 was Apache Tomcat. Maybe earlier

[raymorris]

In 1999 the Apache Foundation got Tomcat, given to them by Sun. That may have been Apache's first project other than httpd.

What annoys me is that people I work with call all of the 50 or so different projects "Apache", without further specification. I'm well-versed in the Apache httpd code, I've contributed patches and I know configuration tricks and such. So when someone says "I'm having trouble with Apache" I go over to help, only to discover they're working on some Java thing.

Re:1999 was Apache Tomcat. Maybe earlier

[DrXym]

I'm having trouble opening an MS Word document in Apache. The paragraphs are indented wrong and some diagrams are missing. Can you help?

Re:1999 was Apache Tomcat. Maybe earlier

Yes, I can help. You can easily fix up all your MS Word formatting issues by highlighting the file and pressing the Del key.

You will have no more problems with improper indentation and all the diagrams will be as visible as the text.
It even works well for formatting other MS file types.

Re:1999 was Apache Tomcat. Maybe earlier

Every day, I try as hard as possible to work toward a future in which we no longer need to run Tomcat on our servers.

Re:1999 was Apache Tomcat. Maybe earlier

This.

Also, there are way more than 50 projects: http://apache.org/index.html#projects-list

What about on Windows?

Exploit demos are all for Linux

Last link in the summary includes Windows payload

[raymorris]

The last link in the summary (Cisco Talos) includes a Windows payload.

Click-bait headlines

Seriously, the last thing I think of when someone says Apache Servers is Struts, Tomcat, Java or anything else but Apache HTTPD.

Saying that "Apache Servers" are under "attack" and being exploited through a "Struts 2" flow is misleading to most of the world who does not know or care about Struts and just runs plain-jane websites.

Re:Click-bait headlines

I usually think of Apache httpd and what you run as a reverse proxy in front of apache tomcat for SSL!

Re:Click-bait headlines

Yes this headline is complete bullshit. Fuck Orome1 and BeauHD and the horses they rode in on. This submission needs to be marked as spam and removed. Look at the history of this submitter. Pattern detected.

Wrong language!

Had they used a good, strongly typed language like Java, instead of crappy C, this wouldn't have happened!

Oh, wait...

This is not Apache Server issue - just Struts 2!

[kiviQr]

This is not Apache Server issue. It is Struts 2 (that is under Apache umbrella) .

Raspberry Pi?

Does this affect my Raspberry PIs? I have 3 of them. Kthxby

Re:Raspberry Pi?

[DrXym]

If you run Struts 2 on them then yes.

perspective

[luis_a_espinal]

Whoever chose struts 2 back then probably deserve it

Maybe not for the 6 months in which it was relevant, but for the 13[1] years where all java sweatshops kept on using that piece of shit yes, they deserve it.

[1]not a precise number

Struts 2 is fine. It works fine. It with JSP/JSTL is all you ever need in the general case. Everything else is sugar (except few problem domains where you truly need something new.) I like Vaadim and Stripes, but I've seen enough sites VERY WELL built with plain old Struts and JPS/JSTL to know it is the wielder, not the tool.)

If you have a decently built system that runs well on Struts, why change it? Just to try something new? That's not engineering, that's playing on someone else's dime.

Every damned software worth a damn has experienced a critical security bug. This is no different. And a solution is already available (patch it.)

Moreover, the exploit is only significant if you are not running your containers and httpd servers with least privileges (as nobody and/or chroot jailed/dockerized, with a user that has no login access, etc.)

Do that and your chances of getting 0-exploited drop dramatically regardless of what software you use.

Re: perspective

dude.... you are confusing Struts and Struts 2. They have nothing in common but the name.

Re: perspective

Struts was the only thing available for a long time back in the dark ages of J2EE. So a lot of smart people were drawn into doing stupid things because that was the only thing available.

By the time Struts 2 came about it was about the time most smart people realised how stupid the whole J2EE thing was and abandoned it and starting trying out better things. Most stupid people went on to Struts 2.

Re: perspective

[luis_a_espinal]

dude.... you are confusing Struts and Struts 2. They have nothing in common but the name.

No, I just never cared to call them Struts and Struts 2. Both are fine, having worked on them both. I can see why why my lazy wording would confuse people, though.

Re: perspective

[luis_a_espinal]

Struts was the only thing available for a long time back in the dark ages of J2EE. So a lot of smart people were drawn into doing stupid things because that was the only thing available.

By the time Struts 2 came about it was about the time most smart people realised how stupid the whole J2EE thing was and abandoned it and starting trying out better things. Most stupid people went on to Struts 2.

That's an axiomatic, self-fulfilling statement. Congratulations.

Re: perspective

I think you just admitted you fall under the "you deserve it" and "stupid people" categories as pointed out by the various posters above.

Re: perspective

[luis_a_espinal]

I think you just admitted you fall under the "you deserve it" and "stupid people" categories as pointed out by the various posters above.

I'll say yes to that if it makes you feel... I dunno, accomplished? Sure, go for it, you win.

Re: perspective

Woohoo!

Java strikes again

Java is like a plague that just won't go away

Re: Java strikes again

For a good reason. But anti java fanbois like you would never listen.

Why does it matter to you. Don't like it don't use it. Why all the hate?

Don't like iPhones? Don't buy it. Why shit on all your friends who have iPhones?

Big fucking deal.

Re: Java strikes again

Hello, JJ. Java Jealot

Java Crap ... again!

Why anyone would use java outside an Intranet is beyond me.
That's like allowing php to be on the internet - crazy.

Folks, use VPNs if you need this stuff for your company. Same applies to php. Use a VPN, especially for something like owncloud or nextcloud which appear to be all the rage these days.

Re:Java Crap ... again!

[Eravnrekaree]

What do you recommend? C/C++ programs facing the internet? I dont think there exists many large C/C++ programs that have not had severe buffer overflows. PHP/Perl/Ruby etc with their automatic memory management are relatively safe by comparison.

Re:Java Crap ... again!

Um, you are aware that Apache httpd, the most popular web server on the internet, is mostly c right? Also, the platforms it runs on are mostly written in c (Linux, BSDs ...)

How about Bind?

So, you were saying?

You really have no clue what you are talking about do you? What they taught you in school is wrong. Very wrong.

PHP has massively improved

[raymorris]

I used to talk like that about PHP. PHP has greatly improved over the years.

Re:PHP has massively improved

PHP: it sucks less now!(TM)(R)

PHP: not as bad as VB6!(TM)(R)

Re:PHP has massively improved

So it's just now only a slightly smelly pile of horse shit?

Re:PHP has massively improved

At least PHP doesn't require 64 GB of RAM to serve 5 concurrent visitors. Tomcat on the other hand, holy Christ I pray I never have to touch that again.

Struts2 idiocy.

[prunus.avium]

This is a lesson in sanitizing inputs.

What happens is that the OGNL interpreter can get started with the HTTP headers as the input. Sepcifically the "Content-Type" header.

Why anyone thought that using a full on interpreter to parse a string attribute was a good idea is beyond me.

Re:Struts2 idiocy.

[Cobron]

Sorry, I have no mod points to spend because you're dead on.
In fact, I'm getting a bit sick of all the frameworks trying to be as "dynamic" as possible with the wildcards and the matching and the auto-classpath-scanning and the watnot... Initial POCs are always easy but once the application grows it seems the complexity too, just because of all the "cool" knobs and dials you can tweak.
ps: It seems ANY java web server on which struts 2 can run is impacted, the connotation with Tomcat is already far fetched, making it with the http server is just laughable. The problem seems to lie with struts and struts alone.

spin doctor

Imagine my disappointment when I discover that no one has yet to explain how this is Microsoft's fault. Perhaps, this is a closed source problem? Evil corporation? Shit man, won't someone enlighten me.

Post should be fixed for unwitting httpd users

[mdz0]

Ugh, this is misleading enough that the post should probably be corrected - how many Apache HTTPD users are having fits trying to figure out how to fix this "vulnerability" ??

Highly misleading headline

The headline of this post is highly misleading.

Yes, it it present in one of the referenced sources, but it should have been adjusted before being submitted to Slashdot.

The security issue has nothing to do with the Apache (httpd) Server. It is specific to Apache Struts 2, which can be used with many different web servers.

The submitter and whoever let the submission be published should be ashamed. You should correct it, and then you should refrain from posting recklessly in the future.

Please.

Thank you.

(Yes, I know that I am being naive and that it will never happen. I thought I should try, anyway.)

Stuts != Struts 2

ITT: Dumb asses confusing Struts with Struts 2.

Better than moldy coffee grounds and Balmer's hole

[raymorris]

Yes, it's now slightly less stinky than something that resembles moldy coffee grounds left in the coffee maker over the holidays, or Balmer's ass hole.

It seems all programming languages suck. C, after decades of careful revision, is well suited to certain tasks, but not the tasks that most of us do most of the time.

Vs. exploits using this flaw

This can stall their C&C communique APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

Ads/script & malware rob speed/security/privacy

Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!

* Via what u NATIVELY have built into the IP stack in FASTER kernelmode!

APK

P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/