Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture.
On April 24th the Apache Struts project released an advisory for a remote code execution vulnerability affecting all versions of Struts from 2.0.0 up to 184.108.40.206. Struts 220.127.116.11 (the latest release) is not vulnerable.
The vulnerability allows an attacker to gain remote code execution on the affected server, effectively providing the attacker with an interactive command shell which can be used to pivot onto corporate networks from externally facing web servers.
Affected versions: Apache Struts 2 versions 2.0.0 to 18.104.22.168 running on all versions of Tomcat 6, 7 and 8.
Struts 22.214.171.124 (the latest release) is not vulnerable.
Apache Struts 2 vulnerability discovery using AppCheck:
The AppCheck Web Application and Infrastructure Vulnerability Scanner has already been updated with a plugin to detect the flaw. Infrastructure and web applications will also be scanned for all other classes of vulnerability, including missing patches, SQL injection and cross-site scripting.
AppCheck researcher Matthew Hall has created a Metasploit module to exploit this vulnerability using JSP file injection over the SMB protocol. This module can be used to test Windows servers running the affected version of Struts 2. The code is available at:
An independent researcher has also created a separate module for this issue to test Linux-based Apache Tomcat servers running the affected version of Struts 2. The code is available at: