Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apache Servers Under Attack Through Easily Exploitable Struts 2 Flaw (helpnetsecurity.com)

Posted by BeauHD on from the no-authentication-required dept.

Orome1 quotes a report from Help Net Security: A critical vulnerability in Apache Struts 2 is being actively and heavily exploited, even though the patch for it has been released on Monday. The vulnerability (CVE-2017-5638) affects the Jakarta file upload Multipart parser in Apache Struts 2. It allows attackers to include code in the "Content-Type" header of an HTTP request, so that it is executed by the web server. Almost concurrently with the release of the security update that plugs the hole, a Metasploit module for targeting it has been made available. Unfortunately, the vulnerability can be easily exploited as it requires no authentication, and two very reliable exploits have already been published online. Also, vulnerable servers are easy to discover through simple web scanning. "Struts 2 is a Java framework that is commonly used by Java-based web applications," reports SANS ISC in their blog. "It is also known as 'Jakarta Struts' and 'Apache Struts.' The Apache project currently maintains Struts." Cisco Talos also has a blog detailing the attack.

6 of 63 comments (clear)

  1. Re: FP! by Anonymous Coward · · Score: 4, Insightful

    Whoever chose struts 2 back then probably deserve it

    Maybe not for the 6 months in which it was relevant, but for the 13[1] years where all java sweatshops kept on using that piece of shit yes, they deserve it.

    [1]not a precise number

  2. 1999 was Apache Tomcat. Maybe earlier by raymorris · · Score: 4, Insightful

    In 1999 the Apache Foundation got Tomcat, given to them by Sun. That may have been Apache's first project other than httpd.

    What annoys me is that people I work with call all of the 50 or so different projects "Apache", without further specification. I'm well-versed in the Apache httpd code, I've contributed patches and I know configuration tricks and such. So when someone says "I'm having trouble with Apache" I go over to help, only to discover they're working on some Java thing.

    1. Re:1999 was Apache Tomcat. Maybe earlier by DrXym · · Score: 3, Funny

      I'm having trouble opening an MS Word document in Apache. The paragraphs are indented wrong and some diagrams are missing. Can you help?

  3. Click-bait headlines by Anonymous Coward · · Score: 4, Insightful

    Seriously, the last thing I think of when someone says Apache Servers is Struts, Tomcat, Java or anything else but Apache HTTPD.

    Saying that "Apache Servers" are under "attack" and being exploited through a "Struts 2" flow is misleading to most of the world who does not know or care about Struts and just runs plain-jane websites.

  4. This is not Apache Server issue - just Struts 2! by kiviQr · · Score: 4, Informative

    This is not Apache Server issue. It is Struts 2 (that is under Apache umbrella) .

  5. Struts2 idiocy. by prunus.avium · · Score: 3, Insightful

    This is a lesson in sanitizing inputs.

    What happens is that the OGNL interpreter can get started with the HTTP headers as the input. Sepcifically the "Content-Type" header.

    Why anyone thought that using a full on interpreter to parse a string attribute was a good idea is beyond me.