UPDATED 23:24 EST / MARCH 09 2017

INFRA

Critical Apache Struts 2 web server vulnerability targeted by hackers

Hackers are targeting a recently revealed critical zero-day vulnerability in the Apache Struts 2 framework that is used in millions of web servers employed by banks, government agencies and large Internet companies.

The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts 2 that allows hackers to inject malicious commands into certain HTTP requests, which are then executed by the Web server.

Researchers at the Cisco Systems Inc.-owned Talos wrote in a blog post that they have observed a “high number of exploitation events” by hackers attempting to carry out a variety of malicious acts. They included using the flaw to make the targeted server distribute malware, including IRC bouncers, scripts that allow hackers to hide their real IP address, as well as denial-of-service bots.

The post added that some of the exploit attempts are relatively simple while others are more sophisticated, including attempts to gain persistence on compromised systems. Another technique is said to target firewalls protecting the targeted server to allow malicious software to be installed.

Rapid 7 Inc. threat analysis and security Researcher Tom Sellers confirmed the attacks were taking place. In an email sent to SiliconANGLE, he noted that their own observations included seemingly harmless commands as well:

Mirroring what the Talos team found, in addition to the attempts to spread malware, Rapid7 saw attackers running what we’d typically consider harmless commands. In the context of this vulnerability, however, we’d strongly caution that these “harmless commands” are in fact working to determine if a target is vulnerable. It’s well within the realm of possibility that we’re watching attackers work to understand the number of vulnerable hosts on the public Internet as an information gathering effort that is part of preparation for a later attack.

The good news is that a patch for the vulnerability has been issued.

“Network and system owners should review their environments for vulnerable hosts immediately,” Sellers added. “If you cannot upgrade immediately, you may wish to investigate other mitigation efforts, such as changing firewall rules or network equipment ALCs to reduce risk.”

Photo: John5199/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU