Update: 2:33 pm EST, 16 March 2017 - Struts2 Exploits in Japan
- Japan Post breach using Apache Struts2 vulnerability leads to 29,000 account leaks: http://exci.to/2mqMAwU
- Struts2 exploit of Okinawa Electric Power site leads to unauthorized access and a leak of email addresses for about 6,500 accounts: http://dlvr.it/Ndv4XY
- Hacker Exploits Apache Struts2 Vulnerability in Statistics Canada Site http://bit.ly/2njlDiX via @Motherboard http://metacurity.com/#298562
- Canada Revenue Agency breach covered here: http://securityaffairs.co/wordpress/57130/hacking/cra-apache-struts-hack.html
Update: 11:00am EST, 16 March 2017 - Podcast interview
Listen to Brian Fox and Shannon Lietz talk about the Struts 2 vulnerability announcement, how you can determine if you're affected, and what you can do about it.
Update: 9:00am EST, 13 March 2017 - Video explaining exploits and remediation
Update: 3:00pm EST, 10 March 2017 - Speed Matters
When it comes to 0-day vulnerabilities, speed matters. Sonatype's research team curates our data and publishes information on the vulnerability, known exploits, and remediation paths as quickly as possible.
As of 3:00pm EST, the National Vulnerability Database indicates a pending CVE, but details have not yet been updated.
Update: 5:35pm EST, 09 March 2017 - Prevalence of Apache Struts2
Deep analysis of Central Repository downloads by Sonatype's research team today revealed the following data points for Apache Struts2. This data covers calendar year 2016:
- 2,401 GAVs related to the Struts project were downloaded a total of 13,108,383 times.
- 654 of those GAVs were vulnerable.
- The vulnerable GAVs were downloaded 4,616,476 times (35% of all Struts downloads).
Update: 3:30pm EST, 09 March 2017 - Issue Report and Remediation Guidance
Earlier today, Sonatype's data research team updated the data service feeding continuous updates to our customers who use Nexus Repository, Nexus Firewall, and Nexus Lifecycle. While we normally do not share this data publicly, the high profile nature of this vulnerability deserves more public attention. For this reason, we are sharing the advisory details:
Source - National Vulnerability Database
struts2-core component is vulnerable to Remote Code Execution (RCE) when using the Jakarta Multipart parser. When Struts receives a request that causes an error message that doesn't have an existing error key, it will throw an exception that is displayed to the user. The Content-Type header of the request is used in this process in such a way that allows injected code to be executed. An attacker can exploit this vulnerability by uploading a file with an invalid Content-Type request header that contains malicious code that will be executed by Struts.
The vulnerable functionality is found in the buildErrorMessage function in JakartaMultiPartRequest.java in the 2.3.X versions and 2.5.X prior to 2.5.8. As of 2.5.8, the vulnerable functionality is found in the intercept function found in
The application is vulnerable by using this component with the Jakarta Multipart parser.
We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Alternatively, change Struts' Multipart parser to something other than Jakarta. Other implementations can be found here: https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries
If neither of these is a viable option, one could also filter the Content-Type header for unexpected values that do not match multipart/form-data before it is received by the Struts application.
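One way to apply the header filtering described above, as an added example that is not Sonatype's or the Struts project's code: a servlet filter, mapped ahead of the Struts filter in web.xml, that rejects any Content-Type mentioning multipart unless the whole value has the plain multipart/form-data form with a boundary. The class name, the accepted pattern, the 255-character limit and the javax.servlet API level are assumptions; the sample values in main are constructed.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; StrictContentTypeFilter is a hypothetical name, not part of Struts.
public class StrictContentTypeFilter implements Filter {
    private static final String CHARSET = "(\\s*;\\s*charset=[a-z0-9_-]{1,40})?";
    // Allow-list (an assumption about legitimate clients): multipart/form-data
    // with one boundary of conservative characters and an optional charset.
    private static final Pattern MULTIPART = Pattern.compile(
        "(?i)multipart/form-data" + CHARSET
        + "\\s*;\\s*boundary=\"?[a-z0-9'_+,./:=?-]{1,70}\"?" + CHARSET);

    static boolean isAcceptable(String contentType) {
        if (contentType == null) return true;           // no body type declared
        if (contentType.length() > 255) return false;   // oversized header value
        String value = contentType.trim();
        if (!value.toLowerCase(Locale.ROOT).contains("multipart")) return true;
        return MULTIPART.matcher(value).matches();      // the whole value must match
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String contentType = ((HttpServletRequest) req).getHeader("Content-Type");
        if (!isAcceptable(contentType)) {
            // Fixed status only; the rejected header value is never echoed back.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    public static void main(String[] args) {
        // Constructed sample header values: a browser upload, then a malformed one.
        String browser = "multipart/form-data; boundary=----WebKitFormBoundaryAbC123";
        String malformed = "multipart/form-data %{constructed-placeholder}";
        System.out.println("browser upload accepted: " + isAcceptable(browser));
        System.out.println("malformed value accepted: " + isAcceptable(malformed));
    }
}
```

The allow-list is deliberately narrow, so a client that sends another multipart subtype or unusual boundary characters is rejected until the pattern is widened for it.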
Update: 2:25pm EST, 09 March 2017: News
Recent news stories on the Struts2 vulnerability:
- Waratek makes virtual patch available for new Struts 2 vulnerability CVE-2017-5638
- Hackers exploit Apache Struts vulnerability to compromise corporate web servers
- Apache Struts 2 needs patching, without delay. It's under attack now
- Attacks heating up against Apache struts 2 vulnerability
- Critical vulnerability under “massive” attack imperils high-impact sites [Updated]
Update 1:05pm EST, 09 March 2017: Live Broadcast Scheduled
Join this live broadcast as security experts talk about the struts2 vulnerability announcement this week: What is it, how it can affect you, what you can do about it.
Update 11:25am EST, 08 March 2017: How to see if your application is vulnerable
Get a free application health check report to see if your application is vulnerable.
Nexus Repository Pro customers can run a detailed repository health check to instantly determine if the Struts2 vulnerability exists within their software supply chain.
Update 9:55am EST, 08 March 2017: Struts2 vulnerability
Attackers are widely exploiting a new vulnerability in Apache Struts2 that allows them to remotely execute malicious code on web servers.
Apache Struts2 is an open-source web development framework for Java web applications. It's widely used to build corporate websites in sectors including education, government, financial services, retail and media.
The vulnerability is easy to exploit and allows attackers to execute system commands with the privileges of the user running the web server process. Companies that use Apache Struts on their servers should upgrade the framework to versions 2.3.32 or 126.96.36.199 as soon as possible.
Additional detailed remediation guidance will be made available today by Sonatype. Check back here for updates throughout the day.