
Vulnerability found in Apache Struts

On Monday, March 6th, the Apache team patched a vulnerability in the Apache Struts 2 framework. Apache Struts is an open-source web application framework for developing Java web applications. The vulnerability exists in the Jakarta Multipart parser, which can be tricked into executing attacker-provided OGNL code. The affected versions are 2.3.5 through 2.3.31 and 2.5 through 2.5.10 of the Apache Struts framework. If you are currently running an affected version, a remote attacker can execute code on the system by sending a maliciously crafted Content-Type header. Successful exploitation does not require the attacker to be authenticated. Apache has classified the vulnerability as a "possible remote code execution"; however, the vulnerability is easy to exploit and allows code to be executed in the user context of the account running the Tomcat server. At least two working exploits have already been seen in the wild.

For more detailed information on the vulnerability please refer to Apache's advisory: https://cwiki.apache.org/confluence/display/WW/S2-045

Exploits are publicly available and successful exploitation of this vulnerability has been observed in the wild.

What You Can Do Now

Upgrading Apache Struts to version 2.3.32 or 2.5.10.1 fixes the vulnerability. If upgrading Apache Struts is not possible, you can add a servlet filter that validates the Content-Type header, allowing only expected values such as "multipart/form-data" and denying requests that do not comply. Another option is a WAF rule that filters requests based on the Content-Type header. You can also switch to a different implementation of the Multipart parser. Note that the presence of the vulnerable library alone is enough to expose the vulnerability; the web application does not need to implement any file upload functionality for this vulnerability to be exploited.
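A servlet filter implementing the Content-Type allowlist described above, added here as an example; it is not Akamai's rule nor code from the Struts project. It assumes the javax.servlet API (Servlet 3.x), and the accepted media types and parameter characters are deliberately narrower than the full RFC 7231/2046 grammar, so adjust them to what your application actually receives.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed example: a strict allowlist for the Content-Type header, applied
// before the Struts filter so the Jakarta multipart parser never sees a
// non-conforming value.
public class ContentTypeAllowlistFilter implements Filter {

    // Allowed media types, optionally followed by "; name=value" parameters.
    // Parameter values may be tokens (no '%', '{' or '}') or quoted strings.
    // Boundary characters are narrower than RFC 2046 permits; widen if a
    // legitimate client of yours is rejected.
    private static final Pattern ALLOWED = Pattern.compile(
        "^(?:multipart/form-data|application/x-www-form-urlencoded|application/json|text/plain)"
        + "(?:\\s*;\\s*[A-Za-z0-9!#$&*+.^_`|~-]+=(?:[A-Za-z0-9!#$&'*+.^_`|~/:()-]+|\"[^\"\\\\]*\"))*\\s*$",
        Pattern.CASE_INSENSITIVE);

    // A missing header is acceptable: a request without a body declares no type.
    static boolean isAllowed(String contentType) {
        if (contentType == null) return true;
        return ALLOWED.matcher(contentType).matches();
    }

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (!isAllowed(http.getHeader("Content-Type"))) {
            // Deny rather than sanitize: the request never reaches Struts.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

Map this filter in web.xml ahead of the Struts filter mapping, since filters run in the order of their filter-mapping elements.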

How Akamai Protects You

The recommended mitigation is to apply the latest patches for this vulnerability as referenced above.  In the interim, Akamai encourages you to enable WAF Rule 960010 in DENY mode. This rule completely blocks CVE-2017-5638 by using a strict whitelist of allowed values for the Content-Type header.

If you would like to test the rule, you can copy it into a new custom rule. That new custom rule can then be activated in ALERT mode. If your website requires Content-Types not whitelisted by rule 960010, please contact your account team for support in creating a custom rule that addresses the needs of your environment. If you have any questions about these rules, do not hesitate to reach out to your account manager for clarification.

Conclusion

If your site utilizes Apache's Struts 2 framework, you may be at risk. This includes sites that rely on third-party inclusions from sites that use Struts applications. If you're using Struts 2 for any aspect of your web presence and want to know more, Apache has disclosed the details of the vulnerability here: https://cwiki.apache.org/confluence/display/WW/S2-045

System administrators and owners should protect and patch any vulnerable Struts instances as soon as possible, as described above. This vulnerability is easy to exploit and attempts at doing so have risen dramatically in the past few hours.
