Search News Articles

Apache Struts 2 zero-day is being exploited in the wild

Note: this is a reprint of March 13, 2017, The Inquirer article. The original article can be found here

Users urged to update ASAP as evidence emerges of increasingly widespread attacks.

USERS OF THE Apache web server have been urged to update their systems after exploits taking advantage of a remote-code execution vulnerability emerged in the Struts 2 Java web application framework.

The exploit affects the Apache Struts web development framework for Java web applications. The Apache Foundation, the open-source organization that maintains the popular web server and its associated plug-ins, patched the vulnerability on Monday but exploits taking advantage of the security flaw emerged within hours.

The vulnerability was uncovered and reported by a developer in China, Nike Zheng. It affects the Jakarta-based file upload Multipart parser in Apache Struts 2 and enables attackers to conduct simple attacks by including instructions in the "content-type" header of an HTTP request, which are then executed by the web server.

In addition to patching, users have been advised to "implement a Servlet filter which will validate Content-Type and throw away request with suspicious values not matching multipart/form-data", according to the security bulletin published on Monday.

Security specialists at both the SANS Internet Storm Center (SANS ICS) and Cisco Talos claim to have witnessed exploitation attempts since the flaw was publicised earlier this week. The attacks have escalated as the week has gone on because attacks are relatively simple to execute.

"Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts," wrote Cisco Talos 'outreach engineer' Nick Biasini on the company's Intelligence Group Blog

"Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released proof-of-concept that is being used to run various commands. 

"Talos has observed simple commands (ie. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution."

Biasini describes a number of relatively simple attacks that are effective, taking advantage of the exploit.

In The News is brought to you by WinMill Software, the premier resource for systems development and integration, expert consulting, quality assurance, technology infrastructure, and software resale. For more information, contact a WinMill Account Manager at or 1-888-711-MILL (6455).