New Apache Struts Zero Day Vulnerability Discovered

On 6 March 2017, security researchers disclosed a zero-day vulnerability in the Apache Struts web application framework that was already being exploited in the wild. Apache Struts is a free, open-source Model-View-Controller (MVC) framework for building modern Java web applications, with support for REST, AJAX and JSON.

According to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts: an application that uses this parser for file uploads can be made to execute attacker-supplied commands on the server. No legitimate upload form is required; the parser is invoked for any request whose Content-Type header claims to be multipart, so a single crafted request to any Struts action is enough.

“It is possible to perform an RCE attack with a malicious Content-Type value,” warned Apache. “If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user.”
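As an added illustration (not code from the original post or from AppCheck), the following Python checks request Content-Type values the way a log-review script or a WAF rule would. It relies on two facts: a strictly valid media type (RFC 7231 token syntax) can never contain the `%{` or `${` that opens an OGNL expression, and Struts only hands a request to the multipart parser when the header mentions multipart/form-data. The sample requests are constructed, and the expression fragments in them are inert placeholders, not a working payload.

```python
import re

# RFC 7231 "token" characters. "{" and "}" are NOT among them, so an OGNL
# expression such as %{...} can never be part of a well-formed media type.
TCHAR = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE_RE = re.compile(
    rf"^{TCHAR}/{TCHAR}"                                  # type/subtype
    rf"(?:\s*;\s*{TCHAR}=(?:{TCHAR}|\"[^\"]*\"))*"        # ;name=value or ;name="..."
    r"\s*$"
)
# "%{" and "${" open an OGNL expression in Struts.
OGNL_MARKER_RE = re.compile(r"[%$]\{")


def inspect_content_type(value: str) -> list[str]:
    """Return a list of findings for one Content-Type value (empty list = clean)."""
    findings = []
    if OGNL_MARKER_RE.search(value):
        findings.append("ognl-expression-marker")
    if not MEDIA_TYPE_RE.match(value):
        findings.append("malformed-media-type")
        # Struts only routes a request to the multipart parser when the header
        # mentions multipart/form-data, so a malformed header that still says
        # so is exactly the shape that reaches the vulnerable code path.
        if "multipart/form-data" in value.lower():
            findings.append("malformed-multipart-header")
    return findings


def scan_requests(requests: list[dict]) -> list[tuple[str, list[str]]]:
    """Run inspect_content_type over parsed requests; return (path, findings) per hit."""
    alerts = []
    for req in requests:
        ct = req.get("headers", {}).get("Content-Type")
        if ct is None:
            continue
        findings = inspect_content_type(ct)
        if findings:
            alerts.append((req["path"], findings))
    return alerts


# Constructed sample traffic (not captured data): a normal upload, a normal JSON
# call, and two requests whose Content-Type carries an OGNL marker. The
# expressions are deliberately inert placeholders, not an exploit.
SAMPLE_REQUESTS = [
    {"path": "/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----abc123"}},
    {"path": "/api/items.action",
     "headers": {"Content-Type": "application/json; charset=utf-8"}},
    {"path": "/upload.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data').(#x=1)}"}},
    {"path": "/index.action",
     "headers": {"Content-Type": "${#y=2}"}},
]

if __name__ == "__main__":
    for path, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {path}: {', '.join(findings)}")
```

The strict token grammar is the more robust of the two signals: an attacker can obfuscate an OGNL marker, but cannot make the expression parse as a valid media type. Expect a few false positives from clients that emit unquoted boundary strings containing characters outside the token set; treat "malformed-multipart-header" as the high-confidence finding and review the rest by hand.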

An example of one attack, which attempts to copy a file into a harmless-looking directory, make it executable, and disable the firewall at boot, is below:

The vulnerability has now been patched by Apache. If you use the Jakarta-based file upload Multipart parser, upgrade to Apache Struts 2.3.32 (for the 2.3.x branch) or 2.5.10.1 (for the 2.5.x branch). Alternatively, switch to a different implementation of the Multipart parser.
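To turn the remediation advice above into a repeatable check, here is an added Python example (not code from the original post or from AppCheck) that takes a listing of a deployment's WEB-INF/lib jars and its struts.xml, reads the struts2-core version and the `struts.multipart.parser` constant, and compares the version against the fixed release on the same branch. The jar names and struts.xml content are constructed samples; the assumption that a missing constant means the default Jakarta parser matches Struts' documented default.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advice above, keyed by (major, minor) branch.
FIXED_RELEASES = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}
CORE_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def core_version_from_jars(jar_names: list[str]):
    """Find the struts2-core jar in a WEB-INF/lib listing and return its version tuple."""
    for name in jar_names:
        m = CORE_JAR_RE.match(name)
        if m:
            return parse_version(m.group(1))
    return None


def is_patched(version: tuple[int, ...]):
    """True/False against the fixed release of the same branch; None if the branch is not listed."""
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return None
    # Tuple comparison handles the four-part fix: (2, 5, 10) < (2, 5, 10, 1).
    return version >= fixed


def multipart_parser(struts_xml: str) -> str:
    """Read struts.multipart.parser from struts.xml; Struts defaults to 'jakarta' when unset.
    (This example does not read struts.properties, which can also set the constant.)"""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.multipart.parser":
            return const.get("value", "jakarta")
    return "jakarta"


def assess(jar_names: list[str], struts_xml: str) -> dict:
    """Combine version and parser configuration into a single verdict."""
    version = core_version_from_jars(jar_names)
    parser = multipart_parser(struts_xml)
    if version is None:
        verdict = "no-struts2-core-found"
    elif not parser.startswith("jakarta"):
        # Any Jakarta-based parser name is treated as in scope, matching the
        # "Jakarta based" wording of the advice; anything else is out of scope.
        verdict = "not-using-jakarta-parser"
    else:
        verdict = {True: "patched", False: "exposed",
                   None: "branch-not-listed"}[is_patched(version)]
    return {"version": version, "parser": parser, "verdict": verdict}


# Constructed sample inputs (not taken from a real deployment).
SAMPLE_JARS = ["commons-fileupload-1.3.2.jar", "struts2-core-2.3.31.jar", "ognl-3.0.19.jar"]
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false"/>
  <package name="default" extends="struts-default"/>
</struts>"""

if __name__ == "__main__":
    print(assess(SAMPLE_JARS, SAMPLE_STRUTS_XML))
```

A jar filename is a cheap first pass, not proof: shaded or renamed artifacts hide the version, and an application server may load a different copy than the one on disk. Treat "exposed" and "branch-not-listed" as reasons to confirm with an authenticated scan of the running application rather than as a final answer.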

AppCheck also recommends running a vulnerability assessment to confirm that your systems are not affected.

As soon as the vulnerability was disclosed, the AppCheck research and development team wrote a plugin to detect and report it. AppCheck was updated within hours of the public disclosure so that the flaw is identified as a known vulnerability, which simplifies remediation.