The vulnerability allows attackers to execute malicious code on servers without authentication

Attackers are widely exploiting a recently patched vulnerability in Apache Struts that allows them to remotely execute malicious code on web servers.

Apache Struts is an open-source web development framework for Java web applications. It’s widely used to build corporate websites in sectors including education, government, financial services, retail and media.

On Monday, the Apache Struts developers fixed a high-impact vulnerability in the framework’s Jakarta Multipart parser. Hours later, an exploit for the flaw appeared on Chinese-language websites, and this was almost immediately followed by real-world attacks, according to researchers from Cisco Systems.

The vulnerability is very easy to exploit and allows attackers to execute system commands with the privileges of the user running the web server process. If the web server is configured to run as root, the system is completely compromised, but executing code as a lower-privileged user is also a serious security threat.

What’s even worse is that the Java web application doesn’t even need to implement file upload functionality via the Jakarta Multipart parser in order to be vulnerable. According to researchers from Qualys, the simple presence on the web server of this component, which is part of the Apache Struts framework by default, is enough to allow exploitation.

“Needless to say we think this is a high priority issue and the consequence of a successful attack is dire,” said Amol Sarwate, director of Vulnerability Labs at Qualys, in a blog post.

Companies that use Apache Struts on their servers should upgrade the framework to version 2.3.32 or 2.5.10.1 as soon as possible.

Researchers from Cisco Talos have observed “a high number of exploitation events.” Some of them only execute the Linux command whoami to determine the privileges of the web server user and are probably used for initial probing. Others go further and stop the Linux firewall and then download an ELF executable that’s executed on the server.

“The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet,” the Talos researchers said in a blog post.

According to researchers from Spanish outfit Hack Players, Google searches indicate 35 million web applications that accept “filetype:action” uploads, and a high percentage of them are likely vulnerable.

It’s somewhat unusual that attacks have started so quickly after the flaw was announced, and it’s not yet clear whether an exploit for the vulnerability already existed in closed circles before Monday.

Users who can’t immediately upgrade to the patched Struts versions can apply a workaround that consists of creating a Servlet filter for Content-Type that discards any request not matching multipart/form-data. Web application firewall rules to block such requests are also available from various vendors.
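As an added example (not code from this article or from the Struts project), here is one way to implement the Servlet-filter workaround described above; the class name, the strict boundary grammar, and the choice to check only requests whose Content-Type claims to be multipart (so ordinary requests still pass) are my assumptions, and upgrading remains the real fix.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical defensive filter, not code from the Struts project: requests whose
// Content-Type claims to be multipart but is not a well-formed multipart/form-data
// value are discarded with 400 before they reach the Jakarta Multipart parser.
// Map it in web.xml ahead of the Struts filter so it runs first.
public class MultipartContentTypeFilter implements Filter {
    // Strict grammar assumed here: "multipart/form-data" plus one boundary parameter
    // made of the RFC 2046 boundary characters (1 to 70 of them), optionally quoted.
    private static final Pattern MULTIPART_FORM_DATA = Pattern.compile(
        "^multipart/form-data\\s*;\\s*boundary=\"?[A-Za-z0-9'()+_,\\-./:=? ]{1,70}\"?$",
        Pattern.CASE_INSENSITIVE);

    @Override public void init(FilterConfig filterConfig) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String contentType = request.getHeader("Content-Type");
        // Only requests that would be routed to the multipart parser are checked;
        // plain form posts, JSON bodies and GETs pass through untouched.
        if (contentType != null && contentType.toLowerCase().contains("multipart")
                && !MULTIPART_FORM_DATA.matcher(contentType.trim()).matches()) {
            // Log a length-capped copy of the header so probing attempts are visible.
            request.getServletContext().log("Rejected malformed multipart Content-Type from "
                + request.getRemoteAddr() + ": " + truncate(contentType));
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    // Keep log lines bounded even if a client sends a very long header.
    private static String truncate(String s) {
        return s.length() > 200 ? s.substring(0, 200) + "..." : s;
    }

    @Override public void destroy() {}
}
```

Applications that legitimately send extra Content-Type parameters (for example a charset) alongside the boundary would need the pattern widened accordingly.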