The well-known open source web application framework Apache Struts 2 is being actively exploited in the wild allowing hackers to launch a remote code execution attack. To address this issue, Apache has issued a security advisory and CVE-2017-5638 has been assigned to it. The zero-day bug has been rated with the highest severity rating ‘High’. The proof of concept can be found here. The open source Struts framework is being used widely by organizations across the globe making it favorable for hackers to exploit this vulnerability.
The vulnerability is triggered by sending a crafted ‘Content-Type’ HTTP header. The Jakarta multipart parser fails to validate the file upload which allows attackers to carry out the remote code execution. The ‘Content-type’ HTTP header is injected with arbitrary commands in the field #cmd. The injected command gets executed on the vulnerable servers.
Quick Heal Detections
Quick Heal has released the following IPS detection for the vulnerability CVE-2017-5638.
Some of the reported payloads dropped by exploiting this vulnerability have been detected by Quick Heal as:
The high-profile zero-day vulnerability is currently patched by Apache Struts. We strongly recommend users to upgrade their Apache Struts installation to Struts 2.3.32 or Struts 18.104.22.168 as per the advisory and also apply the latest security updates by Quick Heal.
• Vishal Singh
• Pradeep Kulkarni
– Threat Research and Response Team