Apache Servers Under Attack Through Easily Exploitable Struts 2 Flaw

Orome1 quotes a report from Help Net Security: A critical vulnerability in Apache Struts 2 is being actively and heavily exploited, even though the patch for it has been released on Monday. The vulnerability (CVE-2017-5638) affects the Jakarta file upload Multipart parser in Apache Struts 2. It allows attackers to include code in the "Content-Type" header of an HTTP request, so that it is executed by the web server. Almost concurrently with the release of the security update that plugs the hole, a Metasploit module for targeting it has been made available. Unfortunately, the vulnerability can be easily exploited as it requires no authentication, and two very reliable exploits have already been published online. Also, vulnerable servers are easy to discover through simple web scanning. "Struts 2 is a Java framework that is commonly used by Java-based web applications," reports SANS ISC in their blog. "It is also known as 'Jakarta Struts' and 'Apache Struts.' The Apache project currently maintains Struts." Cisco Talos also has a blog detailing the attack.

Re: FP!

Whoever chose struts 2 back then probably deserve it

Re: FP!

Whoever chose struts 2 back then probably deserve it

Maybe not for the 6 months in which it was relevant, but for the 13[1] years where all java sweatshops kept on using that piece of shit yes, they deserve it.

[1]not a precise number

1999 was Apache Tomcat. Maybe earlier

[raymorris]

In 1999 the Apache Foundation got Tomcat, given to them by Sun. That may have been Apache's first project other than httpd.

What annoys me is that people I work with call all of the 50 or so different projects "Apache", without further specification. I'm well-versed in the Apache httpd code, I've contributed patches and I know configuration tricks and such. So when someone says "I'm having trouble with Apache" I go over to help, only to discover they're working on some Java thing.

Re:1999 was Apache Tomcat. Maybe earlier

[DrXym]

I'm having trouble opening an MS Word document in Apache. The paragraphs are indented wrong and some diagrams are missing. Can you help?

Last link in the summary includes Windows payload

[raymorris]

The last link in the summary (Cisco Talos) includes a Windows payload.

Click-bait headlines

Seriously, the last thing I think of when someone says Apache Servers is Struts, Tomcat, Java or anything else but Apache HTTPD.

Saying that "Apache Servers" are under "attack" and being exploited through a "Struts 2" flow is misleading to most of the world who does not know or care about Struts and just runs plain-jane websites.

This is not Apache Server issue - just Struts 2!

[kiviQr]

This is not Apache Server issue. It is Struts 2 (that is under Apache umbrella) .

Re:uh

[RabidReindeer]

Apache HTTPD - more commonly known as simply "Apache" is the flagship product of the Apache Foundation.

But they took over the Tomcat J2EE server and spread out into an entire Java domain - "Jakarta".

Jakarta Tomcat is now known as Apache Tomcat, however, and most of the other jakarta projects have been made into "apache" projects.

And yes, as a Tomcat support person, I do find it annoying that clueless people will ask me questions about "apache" and the first thing I have do do is figure out which Apache they are talking about. Especially since it's very common for Apache HTTPD to reverse proxy one or more Apache Tomcat servers and they may be referring to both as though it was one product.

Struts2 idiocy.

[prunus.avium]

This is a lesson in sanitizing inputs.

What happens is that the OGNL interpreter can get started with the HTTP headers as the input. Sepcifically the "Content-Type" header.

Why anyone thought that using a full on interpreter to parse a string attribute was a good idea is beyond me.