New Apache Struts Zero Day Vulnerability Discovered
On the 6th March 2017 information security researchers have discovered a Zero-Day vulnerability in Apache Struts web application framework, which is being actively exploited in the wild and is under active attack. Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON
According to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts that could allow an attacker to execute malicious commands on the server when uploading files based on the parser.
“It is possible to perform an RCE attack with a malicious Content-Type value,” warned Apache. “If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user.”
An example of one attack, which attempts to copy the file to a harmless directory, ensure the executable runs, and that the firewall is disabled on boot-up, is below:
The vulnerability has now been patched by Apache, so if any users are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 126.96.36.199. You can also switch to a different implementation of the Multipart parser.
Additionally AppCheck would also recommend that you run a vulnerability assessment to ensure your systems are not vulnerable.
As soon as the vulnerability was disclosed, the AppCheck research and development team wrote a plugin to ensure the vulnerability would be detected and reported. To simplify the remediation process AppCheck was updated within hours of the public disclosure to correctly identify the flaw as a known vulnerability.