News and Notes from the Makers of Nexus | Sonatype Blog

Apache Struts Vulnerability: Live Updates

Written by Matt Howard | March 16, 2017
 

Update: 2:33 pm EST, 16 March 2017 - Struts2 Exploits in Japan

 
More Struts2 breaches in the wild.  This time in Japan (links go to Japanese sites):
 
  • Japan Post breach via the Apache Struts2 vulnerability leads to a leak of 29,000 accounts: http://exci.to/2mqMAwU 
  • Struts2 exploit of an Okinawa electric power company site leads to unauthorized access and a leak of about 6,500 email addresses: http://dlvr.it/Ndv4XY
Yesterday, it was the Canada Revenue Agency and Statistics Canada sites:
 
According to several news reports, the government of Canada took multiple sites down on March 9 including Statistics Canada as well as the Canada Revenue Agency (CRA) websites, with service not restored until March 12.

Update: 11:00am EST, 16 March 2017 - Podcast interview

Listen to Brian Fox and Shannon Lietz talk about the Struts2 vulnerability announcement, how you can determine if you're affected, and what you can do about it.

 

Update: 9:00am EST, 13 March 2017 - Video explaining exploits and remediation

 

Update:  3:00pm EST, 10 March 2017 - Speed Matters

When it comes to 0-day vulnerabilities, speed matters.  Sonatype's research team curates our data and publishes information on the vulnerability, known exploits, and remediation paths as quickly as possible.

As of 3:00pm EST, the National Vulnerability Database indicates a pending CVE, but details have not yet been updated.  


Update:  5:35pm EST, 09 March 2017 - Prevalence of Apache Struts2

Deep analysis of Central Repository downloads by Sonatype's research team today revealed the following data points for Apache Struts2.  This data covers calendar year 2016:

  • 2,401 GAVs related to the Struts project were downloaded a total of 13,108,383 times.
  • 654 of those GAVs were vulnerable.
  • The vulnerable GAVs were downloaded 4,616,476 times (35% of all Struts downloads).

 

Update:  3:30pm EST, 09 March 2017 - Issue Report and Remediation Guidance

Earlier today, Sonatype's data research team updated the data service feeding continuous updates to our customers who use Nexus Repository, Nexus Firewall, and Nexus Lifecycle.  While we normally do not share this data publicly, the high profile nature of this vulnerability deserves more public attention.  For this reason, we are sharing the advisory details:

CVE-2017-5638

Source - National Vulnerability Database

Severity - CVSS:3.0: 9.8
 
Description from CVE

Reserved CVE.

Explanation

The struts2-core component is vulnerable to Remote Code Execution (RCE) when using the Jakarta Multipart parser. When Struts receives a request that causes an error message that doesn't have an existing error key, it will throw an exception that is displayed to the user. The Content-Type header of the request is used in this process in such a way that allows injected code to be executed. An attacker can exploit this vulnerability by uploading a file with an invalid Content-Type request header that contains malicious code that will be executed by Struts.

The vulnerable functionality is found in the buildErrorMessage function in JakartaStreamMultiPartRequest.java, MultiPartRequestWrapper.java, and JakartaMultiPartRequest.java in the 2.3.X versions and in 2.5.X prior to 2.5.8. As of 2.5.8, the vulnerable functionality is found in the intercept function in FileUploadInterceptor.java.

Detection

The application is vulnerable if it uses this component with the Jakarta Multipart parser.

Recommendation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Alternatively, change the Struts Multipart parser to something other than Jakarta. Other implementations can be found here: https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries

If neither of these is a viable option, one could also filter the Content-Type header, rejecting unexpected values that are not a well-formed multipart/form-data content type, before the request reaches the Struts application.
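One way to apply that last workaround, as an added example that is not Sonatype's or the Struts project's own code: a servlet filter that stops any request whose Content-Type mentions multipart/form-data but is not a well-formed multipart header, so the Jakarta parser never sees it. It assumes the javax.servlet API and that the filter is mapped in web.xml ahead of the Struts filter.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: rejects malformed multipart/form-data Content-Type headers before Struts parses them. */
public class MultipartContentTypeFilter implements Filter {

    // A legitimate upload header is exactly the media type plus an optional RFC 2046 boundary
    // (1-70 "bchars", optionally quoted). Extra parameters or any other text are rejected by design.
    private static final Pattern WELL_FORMED_MULTIPART = Pattern.compile(
        "^multipart/form-data\\s*(;\\s*boundary=(\"[A-Za-z0-9'()+_,\\-./:=? ]{1,70}\"|[A-Za-z0-9'()+_,\\-./:=?]{1,70}))?\\s*$",
        Pattern.CASE_INSENSITIVE);

    /** True when the header would engage the multipart parser but is not a legitimate multipart type. */
    static boolean isSuspicious(String contentType) {
        if (contentType == null) {
            return false;  // no body type declared, so the multipart parser is not engaged
        }
        String ct = contentType.trim();
        boolean looksMultipart = ct.toLowerCase().contains("multipart/form-data");
        return looksMultipart && !WELL_FORMED_MULTIPART.matcher(ct).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (isSuspicious(req.getContentType())) {
            // Fail closed: answer 400 here and never hand the request to the Struts filter chain.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid Content-Type");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

This is a stopgap, not a replacement for upgrading: it only narrows what reaches the vulnerable parser, and the rejected requests are worth logging as an indicator that the application is being probed.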

Categories

Data
Functional

 

Update: 2:25pm EST, 09 March 2017: News

Recent stories on the news service wires about the Struts2 vulnerability:

Update 1:05pm EST, 09 March 2017: Live Broadcast Scheduled

Live Broadcast, March 10th at 11 am EST - Expert Analysis: Apache Struts2 Vulnerability

Join this live broadcast as security experts talk about the Struts2 vulnerability announcement this week: what it is, how it can affect you, and what you can do about it.

Update 11:25am EST, 08 March 2017: How to see if your application is vulnerable

Get a free application health check report to see if your application is vulnerable.

Nexus Repository Pro customers can run a detailed repository health check to instantly determine if the Struts2 vulnerability exists within their software supply chain.

Update 9:55am EST, 08 March 2017: Struts2 vulnerability

Attackers are widely exploiting a new vulnerability in Apache Struts2 that allows them to remotely execute malicious code on web servers.

Apache Struts2 is an open-source web development framework for Java web applications. It's widely used to build corporate websites in sectors including education, government, financial services, retail and media.

The vulnerability is easy to exploit and allows attackers to execute system commands with the privileges of the user running the web server process. Companies that use Apache Struts on their servers should upgrade the framework to version 2.3.32 or 2.5.10.1 as soon as possible.

Additional detailed remediation guidance will be made available today by Sonatype.  Check back here for updates throughout the day.