Vulnerability in Apache Struts 2 allows hacking web servers

Researchers discover Remote Code Execution vulnerability in Apache Struts 2

Apache Struts 2 remote code execution vulnerability detected

Security researchers have just detected yet another major vulnerability in Apache Struts 2[1]. The flaw allows hackers to perform remote code execution[2], which is probably the most dangerous kind of vulnerability that can be found in software.

Apache Struts 2 is an open-source framework for developing web applications in the Java programming language. The framework is extremely popular, which means that many apps created with it are vulnerable.

According to researchers from lgtm (they were the ones who discovered the vulnerability), all Struts versions released since 2008 contain this security flaw. The same can be said about every web application that uses the Apache Struts 2 framework's REST plugin.

The vulnerability is tracked as CVE-2017-9805[3]. According to the researchers who made the discovery, it gives an attacker the ability to execute arbitrary code on the target server remotely. The criminal simply needs to send specially crafted XML in a particular form to trigger the vulnerability on the destination server.

The only condition is that the server has to run an app built with the Apache Struts framework and its REST plugin. The plugin uses XStream for deserialization without any kind of type filtering, which can lead to Remote Code Execution when it deserializes malicious XML.

As a result, the hacker might gain full access to the server and move on to other computers on the same network.
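A defensive illustration of the point above, added here and not code from the article or from the Struts project: the same XStream deserializer once left unrestricted (the situation the REST plugin was in) and once confined with XStream's own type allowlist, using a hypothetical Order model class and constructed XML input.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class SafeXStreamDemo {

    // Hypothetical model class: the only type this REST endpoint expects to receive.
    public static class Order {
        public String item;
        public int quantity;
    }

    // Unrestricted instance: any class on the classpath can be named in the XML.
    static XStream unrestricted() {
        return new XStream();
    }

    // Hardened instance: deny every type first, then re-allow only what the
    // endpoint actually needs (primitives, null, String and the Order model).
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);          // start from "deny all"
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[]{Order.class, String.class});
        xs.alias("order", Order.class);                   // <order> maps to Order
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample input: a legitimate request body.
        String good = "<order><item>widget</item><quantity>3</quantity></order>";
        Order o = (Order) hardened().fromXML(good);
        System.out.println("parsed " + o.item + " x" + o.quantity);

        // Constructed sample input naming a type the endpoint never asked for.
        // The unrestricted instance happily instantiates it; the hardened one refuses.
        String unexpected = "<java.util.LinkedList><string>x</string></java.util.LinkedList>";
        System.out.println("unrestricted built: " + unrestricted().fromXML(unexpected).getClass());
        try {
            hardened().fromXML(unexpected);
        } catch (ForbiddenClassException e) {
            System.out.println("hardened rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is what turns "deserialize whatever the client names" into "deserialize only the request shape the endpoint documents"; a class that is not on it is refused before any constructor or converter runs.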

Apache Struts vulnerabilities can be used to infect servers with ransomware

Vulnerabilities in Apache Struts 2 are something that excites cyber criminals. In the past, flaws in this popular web application framework were exploited by the distributors of the Cerber virus[4], allowing them to inject the malicious virus into servers and encrypt all files on them.

Cerber developers were quick to exploit the CVE-2017-5638 vulnerability in Apache Struts to deliver ransomware to servers. They started operating soon after the release of the patch and a proof-of-concept exploit. Researchers noticed the first attacks at the end of March 2017.

The criminals reportedly leveraged the vulnerability to execute shell commands on the target servers. Besides that, they ran BITSAdmin and several other command-line utilities. As a result, Cerber ransomware was downloaded and executed on the target systems.

Beware that the Arena and Lukitus viruses are on the rise nowadays, so their distributors might attempt to leverage the vulnerability, experts say[5].

Upgrade to the new version to secure your system

Researchers who discovered the flaw immediately reached out to the Apache Software Foundation and reported the issue. Shortly after, the foundation released version 2.5.13 of Apache Struts, which contains a patch for the described Remote Code Execution vulnerability.

The only solution to the problem is to upgrade to Apache Struts version 2.5.13. There is no workaround available, so administrators should hurry to upgrade their Apache Struts 2 installations.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
