Warning over Apache Struts 2 remote-code execution vulnerability seen being exploited in the wild

Apache users urged to update ASAP as evidence emerges of increasingly widespread attacks

Users of Apache Struts 2 have been urged to patch their systems after exploits taking advantage of a remote-code execution vulnerability in the Java web application framework emerged in the wild.

The flaw affects Apache Struts, a web development framework for Java applications, not the Apache HTTP server itself. The Apache Software Foundation, the open-source organisation that maintains Struts alongside its better-known web server, patched the vulnerability on Monday, but working exploits taking advantage of the flaw emerged within hours.

The vulnerability, tracked as CVE-2017-5638 and covered by Struts security bulletin S2-045, was uncovered and reported by Nike Zheng, a developer in China. It lies in the Jakarta-based multipart file-upload parser in Apache Struts 2: when the parser rejects a malformed Content-Type header, the error message it builds from that header is treated as an OGNL expression and evaluated. An attacker therefore only has to place OGNL code in the "Content-Type" header of an HTTP request, and it is executed on the application server with the privileges of the Struts application.

The fix is to upgrade to Struts 2.3.32 or 2.5.10.1. In addition to patching, users who cannot upgrade immediately have been advised to "implement a Servlet filter which will validate Content-Type and throw away request with suspicious values not matching multipart/form-data", according to the security bulletin published on Monday.
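As an added example, not code from the Struts advisory, the Apache project or any vendor quoted here, the Python below models the Content-Type validation the bulletin recommends. In a real deployment this logic would live in a Java Servlet filter in front of the application; the checks are the same. The helper names and sample header values are ours and constructed, and the OGNL-shaped value is inert, not a working payload. The `naive_is_multipart` helper exists only to show why a substring check is not enough: the public payloads embed the literal string `multipart/form-data` so that Struts routes the request to the Jakarta parser, so that string is present in the malicious header as well as in legitimate ones.

```python
"""Model of the Content-Type check recommended in Struts advisory S2-045.

Constructed example: helper names are ours, sample headers are made up and
the OGNL-looking value is inert (it is not a working payload).
"""
import re
from typing import Dict, List, Optional, Tuple

# Token characters permitted in media-type names and parameter names (RFC 7230 tchar).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Boundary value per RFC 2046 section 5.1.1: 1-70 characters from a restricted set.
_BOUNDARY = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{1,70}$")
# Opening markers of an OGNL expression; never legitimate inside a Content-Type header.
_OGNL_MARKERS = ("%{", "${", "@")


def naive_is_multipart(value: str) -> bool:
    """Substring test of the kind that routes a request to the multipart parser.

    Shown only to make the point: an OGNL payload that embeds the literal
    'multipart/form-data' passes this test, which is why the advisory asks
    for validation rather than a contains() check.
    """
    return "multipart/form-data" in value


def _parse_params(raw: str) -> Optional[Dict[str, str]]:
    """Parse ';'-separated name=value parameters; return None if any is malformed."""
    out: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in raw.split(";"))):
        name, eq, val = part.partition("=")
        if not eq or not _TOKEN.match(name):
            return None
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':  # quoted-string form
            val = val[1:-1]
        out[name.lower()] = val
    return out


def classify_content_type(value: str) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one Content-Type header value."""
    value = value.strip()
    if any(m in value for m in _OGNL_MARKERS):
        return "block", "expression marker in header"
    media_type, _, raw_params = value.partition(";")
    media_type = media_type.strip().lower()
    type_parts = media_type.split("/", 1)
    if len(type_parts) != 2 or not all(_TOKEN.match(p) for p in type_parts):
        return "block", "malformed media type"
    params = _parse_params(raw_params)
    if params is None:
        return "block", "malformed parameters"
    if media_type.startswith("multipart/"):
        # Only multipart/form-data should reach the Jakarta parser, and only
        # with a boundary that looks like one.
        if media_type != "multipart/form-data":
            return "block", "unexpected multipart subtype"
        if not _BOUNDARY.match(params.get("boundary", "")):
            return "block", "missing or invalid boundary"
    return "allow", media_type


# Constructed sample header values for this example; not captured traffic.
SAMPLE_HEADERS: List[str] = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/x-www-form-urlencoded",
    "text/plain; charset=utf-8",
    "%{(#_='multipart/form-data').(#test=1)}",  # inert OGNL-shaped value
    "multipart/form-data; boundary=",
    "multipart/mixed; boundary=abc",
]


def scan(values: List[str]) -> Dict[str, int]:
    """Classify each header value, print the verdict, and return allow/block totals."""
    counts = {"allow": 0, "block": 0}
    for v in values:
        verdict, reason = classify_content_type(v)
        counts[verdict] += 1
        print(f"{verdict:5} {reason:30} {v}")
    return counts


if __name__ == "__main__":
    scan(SAMPLE_HEADERS)
```

Run as a script it prints one verdict per sample header: the three well-formed values are allowed, the OGNL-shaped value is blocked on the expression marker alone, and the two multipart values with a missing boundary or an unexpected subtype are blocked by the structural checks. Rejecting on structure rather than on a blocklist of known payload strings is the design choice that matters here; attackers vary the payload, not the fact that it is not a valid media type.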

Security specialists at both the SANS Internet Storm Center (SANS ISC) and Cisco Talos report having witnessed exploitation attempts since the flaw was publicised earlier this week. Attack volume has escalated as the week has gone on, not least because the exploit is trivial to carry out: a single crafted, unauthenticated HTTP request.

"Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts," wrote Cisco Talos 'outreach engineer' Nick Biasini on the company's Intelligence Group Blog.

He continued: "Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released proof-of-concept that is being used to run various commands.

"Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution."

Biasini goes on to describe a number of relatively simple but effective attacks that take advantage of the flaw.