Apache Struts Vulnerability – Use AppCheck NG to Discover if You Are Affected
Security Alerts / Posted July 16, 2014
Background
Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture.
On April 24th 2014 the Apache Struts project released an advisory for a remote code execution vulnerability affecting all Struts 2 releases from 2.0.0 up to and including 2.3.16.1. Struts 2.3.16.2 (the latest release at the time of writing) is not vulnerable.
http://struts.apache.org/announce.html
What does the flaw allow the attacker to achieve?
The vulnerability allows an attacker to execute arbitrary code on the affected server in the context of the servlet container process, effectively providing an interactive command shell that can be used to pivot from an externally facing web server onto the internal corporate network.
Which services are likely to be affected?
Apache Struts 2 versions 2.0.0 through 2.3.16.1 inclusive, running on any version of Tomcat 6, 7, or 8.
Struts 2.3.16.2 (the latest release) is not vulnerable.
How to discover if you are affected by the Apache Struts vulnerability
Apache Struts 2 vulnerability discovery using AppCheck:
The AppCheck Web Application and Infrastructure Vulnerability Scanner has already been updated with a plugin to detect the flaw. Infrastructure and web applications will also be scanned for all other classes of vulnerability, including missing patches, SQL injection and cross-site scripting.
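As an added example (not AppCheck's scanner or Struts project code), the script below performs the version check from the affected-versions section against a local inventory: it walks a directory tree, finds struts2-core-<version>.jar either loose on disk or packed inside .war/.ear archives, and flags anything from 2.0.0 to 2.3.16.1 inclusive. The directory layout, file names and the fixture it builds are constructed for the demo. It only reads the declared jar version and does not confirm exploitability, so it is a triage aid for deciding which hosts to scan, not a substitute for the scan.

```python
"""Offline inventory check for the Struts 2 range named in this alert.

Added example (not AppCheck code): finds struts2-core-<version>.jar files,
loose or inside .war/.ear archives, and flags 2.0.0 <= version <= 2.3.16.1.
The Tomcat layout and jar names in the fixture are constructed for the demo.
"""
import os
import re
import tempfile
import zipfile
from typing import List, Tuple

AFFECTED_MIN = (2, 0, 0)       # first affected release per the advisory
AFFECTED_MAX = (2, 3, 16, 1)   # last affected release
FIXED = (2, 3, 16, 2)          # first release that is not vulnerable

# Maven-style jar name, e.g. struts2-core-2.3.16.1.jar, optionally with a
# qualifier such as -SNAPSHOT. Matches bare file names and zip entry paths.
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.16.1' -> (2, 3, 16, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """True for 2.0.0 <= version <= 2.3.16.1. A shorter tuple sorts before
    its extensions, so 2.3.16 < 2.3.16.1 < 2.3.16.2 as intended."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_struts_jars(root: str) -> List[Tuple[str, str]]:
    """Return (location, version) for every struts2-core jar under root.
    Location is the path for loose jars and 'archive!entry' for packed ones."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = JAR_RE.search(name)
            if m:
                found.append((path, m.group(1)))
                continue
            if name.lower().endswith((".war", ".ear")):
                try:
                    with zipfile.ZipFile(path) as zf:
                        for entry in zf.namelist():
                            m = JAR_RE.search(entry)
                            if m:
                                found.append((f"{path}!{entry}", m.group(1)))
                except zipfile.BadZipFile:
                    pass  # not a real archive; skip it rather than abort the scan
    return found


def scan(root: str) -> List[Tuple[str, str, bool]]:
    """(relative location, version, affected?) rows, sorted for stable output."""
    rows = []
    for location, version in find_struts_jars(root):
        rel = os.path.relpath(location, root).replace(os.sep, "/")
        rows.append((rel, version, is_affected(version)))
    return sorted(rows)


def build_sample_tree(root: str) -> None:
    """Constructed fixture: one WAR bundling an affected Struts, one patched
    loose jar, one decoy WAR without Struts. Jar bodies are empty; only the
    names matter for this check."""
    lib = os.path.join(root, "tomcat7", "lib")
    apps = os.path.join(root, "tomcat7", "webapps")
    os.makedirs(lib)
    os.makedirs(apps)
    with zipfile.ZipFile(os.path.join(apps, "portal.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/struts2-core-2.3.16.1.jar", b"")
        zf.writestr("WEB-INF/lib/xwork-core-2.3.16.1.jar", b"")  # decoy entry
    with zipfile.ZipFile(os.path.join(apps, "static.war"), "w") as zf:
        zf.writestr("index.html", b"<html></html>")
    with open(os.path.join(lib, "struts2-core-2.3.16.2.jar"), "wb"):
        pass


def demo() -> List[Tuple[str, str, bool]]:
    """Build the fixture in a temporary directory, scan it, return the rows."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, version, affected in demo():
        verdict = "AFFECTED (upgrade to 2.3.16.2)" if affected else "ok"
        print(f"{verdict:32} {version:10} {rel}")
```

Run it as-is to see the fixture scanned, or call `scan("/opt/tomcat")` against a real installation root. Because the check keys on the jar file name, a shaded or renamed struts2-core jar will not be reported; an application that embeds Struts classes that way needs the scanner or a manual look at its classpath.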
Exploit
AppCheck researcher Matthew Hall has created a Metasploit module that exploits this vulnerability using JSP file injection over the SMB protocol. The module can be used to test Windows servers running an affected version of Struts 2. The code is available at:
https://github.com/rapid7/metasploit-framework/pull/3323
An independent researcher has also created a separate module for this issue to test Linux-based Apache Tomcat servers running an affected version of Struts 2. The code is available at:
Get started with AppCheck
No software to download or install.
Contact us or call us 0113 887 8380