Researchers have uncovered hackers actively exploiting a code-execution bug residing in the Apache Struts 2 web application framework—potentially affecting tens of thousands of applications throughout the internet.
Apache Struts 2 is an open-source web development framework for Java web applications. It's widely used to build corporate websites in sectors including education, government, financial services, retail and media. Cisco Talos observed in-the-wild attacks exploiting the flaw for unauthenticated remote code execution (RCE), which attackers are using either to probe for and exfiltrate data or to distribute malware. Cisco said that the payloads being delivered vary considerably.
Using its Project Heisenberg honeypot research network, Rapid7 meanwhile has seen some exploitation of the vulnerability to run "harmless" commands such as whois, ifconfig, and a couple of variations that echoed a value. Though the commands weren't destructive, they may be part of a research effort to understand the number of vulnerable hosts on the public Internet, or an information-gathering effort in preparation for a later attack.
“In the context of this vulnerability, we’d strongly caution that these ‘harmless commands’ are in fact working to determine if a target is vulnerable,” said Tom Sellers, threat analysis and security researcher at Rapid7. “It’s well within the realm of possibility that we’re watching attackers work to understand the number of vulnerable hosts on the public internet as an information gathering effort that is part of preparation for a later attack.”
The majority of the exploitation attempts of the bug seem to be leveraging a publicly released proof of concept (PoC) that is being used to run various commands, according to researchers.
Veracode CTO and co-founder Chris Wysopal, who dubbed the flaw Struts-Shock, noted that this type of coding problem can have vast consequences. The extensive use of shared components can cause a single vulnerability to become widespread: what once would have been isolated to one application can now impact tens of thousands of applications.
“Open-source and third-party components like Apache Struts 2 are a vital part of software development, yet the lack of visibility into the use of these components represents a systemic risk to the digital economy,” he said via email. “In this case, anyone using the vulnerable versions of Apache Struts 2 is at risk to fall victim to the Struts-Shock vulnerability. The challenge with Struts-Shock, which is a command injection vulnerability, is that it is not dependent on any class or codepath, making it an increasingly more widespread issue. While a patch was made available on Monday, we expect to see a long tail of companies remaining vulnerable because they can’t find where they are using the component.”
Network and system owners should review their environments and upgrade all vulnerable hosts, which unfortunately is easier said than done.
“Patching a vulnerability in a component used in web development requires the development team to recompile the applications,” Wysopal said. “This can delay the time it takes to get the vulnerability remediated. In addition, many vulnerable applications may have been finished and have not seen development for years. This means customers not only need to identify those apps but need to find the original code and rebuild the applications with the fixed Struts 2 component. This is what happened with Heartbleed, and we can expect to see the same thing again.”
If they cannot upgrade immediately, administrators should investigate other mitigation efforts, such as changing firewall rules or network equipment ACLs to reduce risk, and avoid exposing services to public networks if at all possible.
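The inventory problem Wysopal describes, finding where the component is deployed before anything can be rebuilt or upgraded, is the first step of the review recommended above, and it is one a script can help with. The following is an added example written for this article; it is not code from the article or from Cisco, Rapid7, Veracode or the Apache project. It walks a deployment directory, opens .war and .ear archives (including a .war nested in an .ear), and lists every struts2-core jar it finds together with the version string in its file name. The sample tree that demo() builds is constructed for the example and its version strings are placeholders; real findings must be compared against the Apache advisory for the fixed version, which this article does not state.

```python
"""Locate struts2-core jars across a deployment tree (added example).

Walks a directory, looks at loose jars (exploded applications) and inside
.war/.ear archives, and reports each struts2-core occurrence with the
version string taken from its file name. Comparing those versions against
the vendor advisory is left to the operator.
"""
import io
import os
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Maven-style artifact file name: struts2-core-<version>.jar
STRUTS_CORE_RE = re.compile(r"(?:^|/)struts2-core-([0-9][^/]*?)\.jar$")
# Archive types that commonly bundle Struts under WEB-INF/lib
BUNDLE_SUFFIXES = (".war", ".ear")


def version_from_name(name):
    """Return the version embedded in a struts2-core jar name, else None."""
    match = STRUTS_CORE_RE.search(name.replace("\\", "/"))
    return match.group(1) if match else None


def _scan_zip(zf, location, depth, max_depth):
    """Yield (location, version) for struts2-core entries in an open zip.

    A .war inside an .ear is opened in memory, up to max_depth levels.
    """
    for info in zf.infolist():
        version = version_from_name(info.filename)
        if version:
            yield (f"{location}!/{info.filename}", version)
        elif depth < max_depth and info.filename.lower().endswith(BUNDLE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(info.filename)))
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it
            with inner:
                yield from _scan_zip(inner, f"{location}!/{info.filename}",
                                     depth + 1, max_depth)


def scan_archive(path, max_depth=2):
    """Yield struts2-core findings from one .war/.ear file on disk."""
    try:
        with zipfile.ZipFile(path) as zf:
            yield from _scan_zip(zf, str(path), 0, max_depth)
    except zipfile.BadZipFile:
        return  # corrupt or not a zip; nothing to report


def inventory(root):
    """Return a sorted list of (location, version) found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = Path(dirpath) / fname
            version = version_from_name(fname)
            if version:  # loose jar, e.g. an exploded WAR's WEB-INF/lib
                findings.append((str(full), version))
            elif fname.lower().endswith(BUNDLE_SUFFIXES):
                findings.extend(scan_archive(full))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed deployment tree under base for demonstration.

    The layout and the version strings are made up for this example.
    """
    base = Path(base)
    lib = base / "apps" / "portal" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    (lib / "struts2-core-2.3.20.jar").write_bytes(b"")  # name is what matters
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", b"")
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    with zipfile.ZipFile(base / "apps" / "billing.ear", "w") as ear:
        ear.writestr("billing-web.war", war_buf.getvalue())  # war nested in ear
    with zipfile.ZipFile(base / "apps" / "static.war", "w") as war:
        war.writestr("index.html", "<html></html>")  # no Struts here
    return base


def demo():
    """Build the sample tree in a temp dir and return findings relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        prefix = len(str(base)) + 1
        return [(loc[prefix:], ver) for loc, ver in inventory(base)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = inventory(target) if target else demo()
    for location, version in results:
        print(f"{version}\t{location}")
```

Run it with no arguments to see the constructed sample, or point it at a real deployment root (for example a Tomcat webapps directory, an assumed path) to list what is actually installed. The check is purely name-based: a struts2-core jar that has been renamed or repackaged into a fat jar will not be reported, so the output is a starting inventory rather than proof of absence, and it says nothing about whether a given version is vulnerable. That judgement belongs to the vendor advisory.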