CVE-2017-5638 is a critical vulnerability in the Apache Struts 2 web app framework. Attacks have escalated as hackers exploit this code-execution bug.
Attacks on Apache Struts 2 have escalated over the past couple of days as hackers exploit CVE-2017-5638. This critical vulnerability allows attackers to exploit a code-execution bug in the web application framework. Although a patch was available on Monday, hackers have been exploiting it on Struts implementations that don’t have the update installed yet. There are (at least) two working exploits publicly available, making it relatively simple to take control of web servers in a wide variety of industries.
While NIST has only had a placeholder for the CVE-2017-5638 vulnerability, we have been reporting on it to customers who have used this component since Monday (the same day the patch was released), through our Enhanced Vulnerability Data (EVD).
Obviously, zero-day vulnerabilities are a problem, in particular when an exploit is publicly available as in this case. By definition, no patch exists for zero-day vulnerabilities, and the CVE-2017-5638 vulnerability makes it simple for even lesser skilled attackers to make trouble. A vulnerability in a component as popular as Apache Struts creates a very target-rich environment for attackers with exploits already reported to be in the wild.
Fortunately, the community was quick to create, test, and release a patch. Unfortunately, it is likely that the CVE-2017-5638 vulnerability will cause problems for years to come. Our 2016 analysis of open source audits showed the average age of vulnerabilities in open source used in commercial applications was over five years old, and over 10% of codebases still were vulnerable to Heartbleed.
This is evidence that even well-publicized vulnerabilities are not being addressed. As to this issue, last year we found Apache Struts in over 10% of the applications we tested. When Struts was used, almost 20% of the time we found multiple versions of Struts in a single application, and almost 10% had three or more versions, further complicating remediation for a vulnerability like this. Unless organizations are diligent about tracking the open source they are using, and learning more about vulnerabilities as they are disclosed, these issues don’t get addressed.
This post was originally published on March 10, 2017 and refreshed Sept. 14, 2017.