Q
Problem solve Get help with specific problems with your technologies, process and projects.

Why is the patched Apache Struts vulnerability still being exploited?

An Apache Struts vulnerability is still being exploited, even though it has already been patched. Expert Nick Lewis explains why the Struts platform still carries risk for users.

A remote code execution vulnerability in the open source Apache Struts framework is being exploited in the wild,...

despite having been patched. What is the Apache Struts vulnerability, and how is it still being exploited even after it has been patched?

A good remote code execution vulnerability is the holy grail of vulnerabilities. Finding a remote code execution vulnerability that allows an actor to control the vulnerable software with root privileges is the pièce de résistance.

Apache Struts is a free, open source, model-view-controller framework for creating elegant and modern Java web applications, and enterprises sometimes use it to develop web applications.

However, despite the importance of not running software as root, that security control is sometimes skirted for legitimate reasons -- and other times, it's because someone couldn't figure out how to correctly run the software. The recently discovered Apache Struts vulnerability demonstrates that attackers are probing the internet looking for vulnerable systems.

The latest Apache Struts vulnerability was found in the file upload function provided by the Jakarta Multipart parser. The parser improperly processes a file upload request to allow a remote attacker to execute arbitrary commands by adding the string #cmd=[command] in the HTTP header.

The ability to execute commands this way is almost as good, for an attacker, as getting a remote shell on a vulnerable server, since the attacker can execute any command on the target system that the Struts user is allowed to run.

Cisco Talos reported that attackers used simple commands, including whoami, to discover the privilege level of the user running the service, and ifconfig to reveal network configurations. Other, more aggressive attacks with malicious payloads were also observed.

An updated version that patches the Apache Struts vulnerability was released in March 2017, and it is still being applied to vulnerable systems -- which is how attackers are still able to exploit the vulnerability.

Other than applying the patch, enterprises should ensure their software is running with minimal privileges, that they have comprehensive vulnerability scanning in place to identify systems to patch and that they have network tools to identify attacks like this.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Find out how the Apache Struts vulnerability affected VMware

Learn how the Linux ip command differs from ifconfig

Read about how enterprises can benefit from automatic patching

This was last published in August 2017

Dig Deeper on Open source security tools and software

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How have you dealt with the Apache Struts vulnerability?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close