We are going to focus on a recent vulnerability whose exploit has been making its way around the Internet in the past few weeks: Apache Struts.
So, in this week’s episode, we are going to answer three questions in just a minute or two. First, what is Apache Struts? Second, what exactly is the vulnerability being exploited? And, third, how does the exploit work?
So, what is Apache Struts? Well, we aren’t talking about a mechanical part on the Army’s helicopters here; we are talking about an open-source web application framework used for developing Java EE web applications. Basically, web developers use it to adopt a model-view-controller architecture, allowing a Java Servlet to interact with the database on behalf of a web page form.
So, what is the vulnerability that has been identified? Well, CVE-2017-5638 describes a flaw that permits unauthenticated Remote Code Execution (RCE) through a specially crafted Content-Type value in an HTTP request. Basically, the attacker supplies an invalid value for Content-Type that causes the vulnerable software to throw an exception; when the software then prepares the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of being displayed.
So, how does the exploit work? Well, once the Content-Type value is executed, the attacker can run a payload, normally shell code, to produce whatever effect the hacker wants.
This particular exploit was first spotted on March 7th from a host in Zhengzhou, China. Essentially, the exploit appears to be a standard command injection or remote code execution attack against a web server. The next day, a different variation was seen, where an attacker from Shanghai, China modified the original attack to first attempt to stop the firewall on the server, then attempt to download and execute some malicious remote code.
So, how can you prevent this vulnerability and exploit from affecting you? Well, first you should determine whether you are running the affected versions of Struts (2.3.5 – 2.3.31 and 2.5 – 2.5.10). If you are, please upgrade to Struts 2.3.32 or 2.5.10.1, which are patched against this vulnerability. Also, if you have built an application against the vulnerable version of Struts, you may wish to rebuild those programs after you have upgraded Struts, to ensure the vulnerability hasn’t been carried over into your compiled software in a production environment.
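As an added defender-side example (this is not code from the video or from the Struts project), here are the two checks just described in Python: flagging Content-Type values that are not a valid media type or that carry OGNL expression markers, and testing a Struts version string against the affected ranges. The sample requests and the marker list are constructed assumptions, not captured traffic.

```python
import re
from typing import Dict, List, Tuple

# A well-formed Content-Type is "type/subtype" plus optional ";name=value" parameters
# (RFC 7231 media-type grammar). Anything else in that header is at least malformed.
_MEDIA_TYPE = re.compile(
    r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w.-]+=(\"[^\"]*\"|[^;\s]*))*\s*$"
)
# Assumed marker list: OGNL expression syntax has no place in a media type, so its
# presence in Content-Type is a strong indicator of a CVE-2017-5638 probe.
_OGNL_MARKERS = ("%{", "${", "ognl")

# Affected ranges as stated in the advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10 (inclusive).
_AFFECTED = (((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10)))


def classify_content_type(value: str) -> str:
    """Return 'ok', 'malformed' or 'ognl' for one Content-Type header value."""
    if not value.strip():          # a request without Content-Type (e.g. GET) is normal
        return "ok"
    lowered = value.lower()
    if any(marker in lowered for marker in _OGNL_MARKERS):
        return "ognl"
    if not _MEDIA_TYPE.match(value):
        return "malformed"
    return "ok"


def is_affected(version: str) -> bool:
    """True if a Struts version string falls inside one of the vulnerable ranges."""
    parts = tuple(int(p) for p in version.split("."))
    while len(parts) < 3:          # "2.5" means 2.5.0; never truncate 2.5.10.1 to 2.5.10
        parts += (0,)
    return any(lo <= parts <= hi for lo, hi in _AFFECTED)


def scan_requests(requests: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Return (index, verdict, header) for each request whose Content-Type is suspicious."""
    findings = []
    for i, req in enumerate(requests):
        verdict = classify_content_type(req.get("content_type", ""))
        if verdict != "ok":
            findings.append((i, verdict, req.get("content_type", "")))
    return findings


# Constructed sample requests (assumed, not real traffic) to run the detector over.
SAMPLE_REQUESTS = [
    {"path": "/upload.action", "content_type": "multipart/form-data; boundary=----abc123"},
    {"path": "/login.action", "content_type": "application/x-www-form-urlencoded"},
    {"path": "/upload.action", "content_type": "%{(#placeholder='constructed-ognl-probe')}"},
    {"path": "/index.action", "content_type": "not a media type"},
]

if __name__ == "__main__":
    for index, verdict, header in scan_requests(SAMPLE_REQUESTS):
        print(f"request {index}: {verdict}: {header}")
    for v in ("2.3.31", "2.3.32", "2.5", "2.5.10.1"):
        print(f"Struts {v}: {'affected' if is_affected(v) else 'not affected'}")
```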
I hope you enjoyed this week’s Cyber Security Minute. If you have a question for the Cyber Security Minute, please post it in the comments below, and I look forward to seeing you here next Monday on the Cyber Security Minute.
Visit https://www.JasonDion.com for cyber security information, certification exam prep courses, and more.