Apache Struts Vulnerability – Use AppCheck NG to Discover if You Are Affected
Security Alerts / Posted July 16, 2014
Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture.
On April 24th the Apache Struts project released an advisory for a remote code execution vulnerability affecting all versions of Struts between 2.0.0 and 126.96.36.199. Struts 188.8.131.52 (the latest release) is not vulnerable.
What does the flaw allow the attacker to achieve?
The vulnerability allows the attacker to gain remote code execution on the affected server, effectively providing the attacker with an interactive command shell which can be used to pivot onto corporate networks from externally facing webservers.
Which services are likely to be affected?
Apache Struts 2 version 2.0.0-184.108.40.206 running on all versions of Tomcat 6, 7, and 8.
Struts 220.127.116.11 (the latest release) is not vulnerable.
How to discover if you are affected by the Apache Struts vulnerability
Apache Struts 2 vulnerability discovery using AppCheck:
The AppCheck Web Application and Infrastructure Vulnerability Scanner has already been updated with a plugin to detect the flaw. Infrastructure and Web Applications will also be scanned for all other classes of vulnerability including missing patches, SQL Injection, and Cross Site Scripting.
AppCheck Researcher Matthew Hall has created a Metasploit module to exploit this vulnerability using JSP file injection over the SMB protocol. This module can be used to test for Windows servers running the affected version of Struts 2. The code is available at:
An independent researcher has also created a separate module for this issue to test Linux based Apache Tomcat servers running the affected version of Struts 2. The code is available at:
Get started with Appcheck
No software to download or install.
Contact us or call us 0113 887 8380