Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apache Servers Under Attack Through Easily Exploitable Struts 2 Flaw (helpnetsecurity.com)

Posted by BeauHD on from the no-authentication-required dept.

Orome1 quotes a report from Help Net Security: A critical vulnerability in Apache Struts 2 is being actively and heavily exploited, even though the patch for it has been released on Monday. The vulnerability (CVE-2017-5638) affects the Jakarta file upload Multipart parser in Apache Struts 2. It allows attackers to include code in the "Content-Type" header of an HTTP request, so that it is executed by the web server. Almost concurrently with the release of the security update that plugs the hole, a Metasploit module for targeting it has been made available. Unfortunately, the vulnerability can be easily exploited as it requires no authentication, and two very reliable exploits have already been published online. Also, vulnerable servers are easy to discover through simple web scanning. "Struts 2 is a Java framework that is commonly used by Java-based web applications," reports SANS ISC in their blog. "It is also known as 'Jakarta Struts' and 'Apache Struts.' The Apache project currently maintains Struts." Cisco Talos also has a blog detailing the attack.

32 of 63 comments (clear)

  1. Re: FP! by Anonymous Coward · · Score: 2, Insightful

    Whoever chose struts 2 back then probably deserve it

  2. Re: FP! by Anonymous Coward · · Score: 4, Insightful

    Whoever chose struts 2 back then probably deserve it

    Maybe not for the 6 months in which it was relevant, but for the 13[1] years where all java sweatshops kept on using that piece of shit yes, they deserve it.

    [1]not a precise number

  3. uh by Anonymous Coward · · Score: 1

    when did apache become something else than a webserver?

    1. Re:uh by RabidReindeer · · Score: 2

      Apache HTTPD - more commonly known as simply "Apache" is the flagship product of the Apache Foundation.

      But they took over the Tomcat J2EE server and spread out into an entire Java domain - "Jakarta".

      Jakarta Tomcat is now known as Apache Tomcat, however, and most of the other jakarta projects have been made into "apache" projects.

      And yes, as a Tomcat support person, I do find it annoying that clueless people will ask me questions about "apache" and the first thing I have do do is figure out which Apache they are talking about. Especially since it's very common for Apache HTTPD to reverse proxy one or more Apache Tomcat servers and they may be referring to both as though it was one product.

    2. Re:uh by reginaldo · · Score: 1

      Apache has Kafka, among others. But honestly Kafka is all we need now.

    3. Re:uh by quetwo · · Score: 1

      Apache has over 300 projects now that they maintain. Tomcat, Jetty, Open Office, Flex, Cordova, ANT, CouchDB, Maven, Luceen, etc. are all Apache projects that are some of the more popular open-source projects out there. They started accepting projects in addition to httpd in the late 90's.

    4. Re:uh by Eravnrekaree · · Score: 1

      Kafka claims to be a streaming platform, and Struts claims to be an MVC framework. So, they serve different domains it would seem.

    5. Re:uh by Coisiche · · Score: 1

      the first thing I have do do is figure out which Apache they are talking about

      Reminds me of IBM Tivoli which has a host of unrelated things under one umbrella

      Other: "You do Tivoli, right?"

      Me: "Tivoli Monitoring, to be precise. Well, only ITM6 really, which is just rebadged Candle after they bought Candle out. I don't know much about previous versions."

      Other: "Whatever. There's this backup issue..."

      Me. "I think you'll find that's Tivoli Storage Manager. A completely unrelated product that I've never worked with."

    6. Re:uh by rbowen · · Score: 1

      The Apache Software Foundation is now more than 300 projects. See https://projects.apache.org/

      --
      Apache guy, Open Source enthusiast, runner
    7. Re:uh by RabidReindeer · · Score: 1

      I thought that was supposed to be WebSphere.

  4. 1999 was Apache Tomcat. Maybe earlier by raymorris · · Score: 4, Insightful

    In 1999 the Apache Foundation got Tomcat, given to them by Sun. That may have been Apache's first project other than httpd.

    What annoys me is that people I work with call all of the 50 or so different projects "Apache", without further specification. I'm well-versed in the Apache httpd code, I've contributed patches and I know configuration tricks and such. So when someone says "I'm having trouble with Apache" I go over to help, only to discover they're working on some Java thing.

    1. Re:1999 was Apache Tomcat. Maybe earlier by DrXym · · Score: 3, Funny

      I'm having trouble opening an MS Word document in Apache. The paragraphs are indented wrong and some diagrams are missing. Can you help?

  5. Last link in the summary includes Windows payload by raymorris · · Score: 2

    The last link in the summary (Cisco Talos) includes a Windows payload.

  6. Click-bait headlines by Anonymous Coward · · Score: 4, Insightful

    Seriously, the last thing I think of when someone says Apache Servers is Struts, Tomcat, Java or anything else but Apache HTTPD.

    Saying that "Apache Servers" are under "attack" and being exploited through a "Struts 2" flow is misleading to most of the world who does not know or care about Struts and just runs plain-jane websites.

  7. Wrong language! by Anonymous Coward · · Score: 1

    Had they used a good, strongly typed language like Java, instead of crappy C, this wouldn't have happened!

    Oh, wait...

  8. This is not Apache Server issue - just Struts 2! by kiviQr · · Score: 4, Informative

    This is not Apache Server issue. It is Struts 2 (that is under Apache umbrella) .

  9. Re: FP! by Eravnrekaree · · Score: 1

    What would you recommend instead?

  10. Re: FP! by snookiex · · Score: 1

    I acknowledge that it's not for everyone, but I'm really enjoying Vaadin right now.

    --
    Open Source Network Inventory for the masses! Kuwaiba
  11. Re: FP! by TheNarrator · · Score: 1

    I looked at struts2 back in my enterprise java days. There was way too much automagic driven by rails envy where it was doing very dynamic things magically based on the request. Lots of stuff where the request would become a very complex java object that would interact with automagic libraries to do dangerous things and you just had to trust their weren't any exploits. I decided to use json servlets and single page web app frameworks instead.

  12. perspective by luis_a_espinal · · Score: 1

    Whoever chose struts 2 back then probably deserve it

    Maybe not for the 6 months in which it was relevant, but for the 13[1] years where all java sweatshops kept on using that piece of shit yes, they deserve it.

    [1]not a precise number

    Struts 2 is fine. It works fine. It with JSP/JSTL is all you ever need in the general case. Everything else is sugar (except few problem domains where you truly need something new.) I like Vaadim and Stripes, but I've seen enough sites VERY WELL built with plain old Struts and JPS/JSTL to know it is the wielder, not the tool.)

    If you have a decently built system that runs well on Struts, why change it? Just to try something new? That's not engineering, that's playing on someone else's dime.

    Every damned software worth a damn has experienced a critical security bug. This is no different. And a solution is already available (patch it.)

    Moreover, the exploit is only significant if you are not running your containers and httpd servers with least privileges (as nobody and/or chroot jailed/dockerized, with a user that has no login access, etc.)

    Do that and your chances of getting 0-exploited drop dramatically regardless of what software you use.

    1. Re: perspective by luis_a_espinal · · Score: 1

      dude.... you are confusing Struts and Struts 2. They have nothing in common but the name.

      No, I just never cared to call them Struts and Struts 2. Both are fine, having worked on them both. I can see why why my lazy wording would confuse people, though.

    2. Re: perspective by luis_a_espinal · · Score: 1

      Struts was the only thing available for a long time back in the dark ages of J2EE. So a lot of smart people were drawn into doing stupid things because that was the only thing available.

      By the time Struts 2 came about it was about the time most smart people realised how stupid the whole J2EE thing was and abandoned it and starting trying out better things. Most stupid people went on to Struts 2.

      That's an axiomatic, self-fulfilling statement. Congratulations.

    3. Re: perspective by luis_a_espinal · · Score: 1

      I think you just admitted you fall under the "you deserve it" and "stupid people" categories as pointed out by the various posters above.

      I'll say yes to that if it makes you feel... I dunno, accomplished? Sure, go for it, you win.

  13. Re: FP! by Eravnrekaree · · Score: 1

    As long as it is clearly documented what it will do, and you know what precisely what it will having it automatically do things isnt necessarily bad, can save time, as long as finer grain control is allowed. If it is poorly documented and does unexpected things, this is pretty bad. Allowing a system command to be run is a pretty nasty undocumented automatic behaviour.

  14. Re:Java Crap ... again! by Eravnrekaree · · Score: 1

    What do you recommend? C/C++ programs facing the internet? I dont think there exists many large C/C++ programs that have not had severe buffer overflows. PHP/Perl/Ruby etc with their automatic memory management are relatively safe by comparison.

  15. Re:Raspberry Pi? by DrXym · · Score: 1

    If you run Struts 2 on them then yes.

  16. PHP has massively improved by raymorris · · Score: 1

    I used to talk like that about PHP. PHP has greatly improved over the years.

  17. Re: FP! by snookiex · · Score: 1

    What are you talking about? Vaadin was published in 2002 and Struts 2 came out in 2005. Besides, I'm just saying that Vaadin is an option, that's all.

    --
    Open Source Network Inventory for the masses! Kuwaiba
  18. Struts2 idiocy. by prunus.avium · · Score: 3, Insightful

    This is a lesson in sanitizing inputs.

    What happens is that the OGNL interpreter can get started with the HTTP headers as the input. Sepcifically the "Content-Type" header.

    Why anyone thought that using a full on interpreter to parse a string attribute was a good idea is beyond me.

    1. Re:Struts2 idiocy. by Cobron · · Score: 1

      Sorry, I have no mod points to spend because you're dead on.
      In fact, I'm getting a bit sick of all the frameworks trying to be as "dynamic" as possible with the wildcards and the matching and the auto-classpath-scanning and the watnot... Initial POCs are always easy but once the application grows it seems the complexity too, just because of all the "cool" knobs and dials you can tweak.
      ps: It seems ANY java web server on which struts 2 can run is impacted, the connotation with Tomcat is already far fetched, making it with the http server is just laughable. The problem seems to lie with struts and struts alone.

  19. Post should be fixed for unwitting httpd users by mdz0 · · Score: 1

    Ugh, this is misleading enough that the post should probably be corrected - how many Apache HTTPD users are having fits trying to figure out how to fix this "vulnerability" ??

  20. Better than moldy coffee grounds and Balmer's hole by raymorris · · Score: 1

    Yes, it's now slightly less stinky than something that resembles moldy coffee grounds left in the coffee maker over the holidays, or Balmer's ass hole.

    It seems all programming languages suck. C, after decades of careful revision, is well suited to certain tasks, but not the tasks that most of us do most of the time.