At this time, hackers are actively exploiting the critical Apache Struts 2 zero-day vulnerability and are able to take complete control of web servers. Run a scan using software composition analysis to see whether you’re using any version of Struts 2 and whether you need to upgrade now.
It has been more than 48 hours since this attack was made public. At this time, hackers are actively exploiting the critical vulnerability and are able to take complete control of web servers. Several sources have been discussing details for exploiting this vulnerability.
Rather than focusing on how to exploit it here, we will ensure that you are able to find out whether you are using vulnerable versions and how to prevent this vulnerability in the future.
The critical bug CVE-2017-5638 is clearly documented in the Metasploit Framework on their GitHub site. The bug is also very easy to exploit. It requires no authentication in the Apache Struts 2 web application framework. The bug appears within the upload function of the Jakarta Multipart parser.
Nike Zheng posted a PoC showing how easy it was to inject operating system commands using Apache Struts 2.
Struts 22.214.171.124 was released on March 7 with a patch for this exact same issue.
The Apache Struts release page mentions this as a potential security vulnerability. It also mentions the possibility of remote code execution when performing file uploads based on Jakarta Multipart parser – S2-045. This may have been misleading to many companies.
Even if your application has no file upload functionality, hackers can still exploit the bug, which is troublesome. The security rating given is ‘High.’ However, since the attack requires no authentication or even the file upload functionality to be implemented in an application, it should have been classified as a ‘Critical’ bug.
A remote code execution (RCE) vulnerability may give an attacker the possibility to execute arbitrary code on the affected system. Thus, compromising the vulnerable application server. An attacker can use this to gain an initial foothold on the system after which an attacker usually tries to gain more privileges and install backdoors for future use. RCE vulnerabilities can also be used for denial of service and information leakage, and in the case of the Struts 2 vulnerability, it’s able to turn off the firewall on application servers and execute malicious payloads.
The impact of a well-executed remote code execution is devastating, as we’ve seen with the Struts 2 vulnerability in the past 48 hours. It gives an attacker the possibility to copy files and execute the files on the affected host. This can later disable the firewall when the system boots.
If you already have a solid open source management system and have automated the solution, it should be trivial to find out if you are using the affected versions.
If not, look at the inventory of all the open source software your organization is using. Run scans using software composition analysis (SCA) tools such as Black Duck to identify the Struts version you are using.
If you determine that you are using the vulnerable versions Struts 2.3.5 – 2.3.31 and Struts 2.5 – 2.5.10, upgrade to Apache Struts version 2.3.32 or 126.96.36.199.
Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version like Apache Struts did. Upgrading to these new versions 2.3.32 or 188.8.131.52 is critical.
Since there is no backward compatibility issue, upgrading the version should be fairly trivial.
Unpatched system software is a huge problem that is compounded by the fact that an attacker can easily figure out which version of the software your system is running. Once this information is pieced together, they simply look up published vulnerabilities that apply to your system.
Here are some key points to remember to make sure open source software in use within your firm is secure:
Meera Rao (Subbarao) is a senior director for product management (DevOps solutions) at Synopsys. She has over 20 years of experience in software development organizations in a variety of roles including Architect, Lead Developer, Project Manager, and Security Architect. Meera has overseen and performed secure code reviews, static analysis implementations, architectural risk analyses, secure design reviews, and threat modeling of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. She has developed multiple Synopsys training courses and is a certified instructor in architectural risk analysis, threat modeling, and more.