Apache Struts is a free, open source framework for creating Java web applications. It’s widely used to build corporate websites in sectors including education, government, financial services, retail and media.

In early March 2017, Apache released a patch for the Struts 2 framework. The patch fixes an easy-to-exploit vulnerability that allows attackers to execute random code by the web server. A Metasploit module was released very soon afterwards, making it fairly easy for miscreants to abuse the vulnerability.

The disclosure of the Struts 2 vulnerability, which was listed as CVE 2017-5638, along with the easy access to a module to compromise vulnerable systems, made it a very lucrative target for cybercriminals. Furthermore, the exploits available work on both Windows and Linux systems.

This is not the first time we witnessed attacks towards the Struts framework: Back in 2014, there was CVE-2014-0094.

Inside the Struts 2 Vulnerability

The vulnerability, located in the Jakarta Multipart parser, allows unauthenticated attackers to run arbitrary remote code on a vulnerable server. An attacker can exploit the flaw by sending an invalid value that causes the software to throw an exception. Instead of merely displaying the cause of the exception, the code that was added by the attacker in the request gets executed.

This means an attacker can send a faulty code sample to the vulnerable application. When the framework then tries to display the error, the code added by the attacker is executed as the system user running the framework. As such, systems that run the framework as a super user will suffer more from a successful exploit.

The versions of Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before are deemed vulnerable. It’s important to note that the vulnerability is not related to the numerous issues reported in the Java runtime environments on end-user workstations.

Attackers can make use of this vulnerability in multiple ways. They can, for example:

  • Use the vulnerable systems to be part of a network to distribute different types of malware and spam, which could potentially put your system on a blacklist;
  • Disrupt the vulnerable system, causing financial or reputation loss for the system owners; and
  • Use the system as an attack point to move laterally within the organization, causing havoc on your systems.

Disruption has been demonstrated through reports of the Struts exploit installing ransomware on vulnerable systems, rendering them unusable and the data inaccessible. The payload that gets installed is a flavor of the Cerber ransomware.

Prioritizing Patch Management

What should you do to remediate this threat? In short, patch. According to the Apache security advisory, you should upgrade to Struts 2.3.32 or Struts The advisory also suggested switching to a different implementation of the Multipart parser and listed a number of workarounds to validate the submitted requests, thus bypassing the vulnerable code.

Regardless of your approach, the disclosure of this vulnerability stressed the need to set up a proper patch management process within your organization. A good patch management process starts with knowing your assets and having an up-to-date inventory of your infrastructure. Once your network becomes more complex, you will need more than a simple spreadsheet to keep track of all your assets. The inventory, or asset directory, should be kept updated through automation.

The asset discovery service can alert you to changes within your infrastructure. Once a change has been found, you can start the vulnerability management process to scan the new or changed asset and receive a report of any found vulnerabilities. The whole process of discovering new assets, scanning them and reporting findings has to be automatic and continuous to be most effective.

Of course, simply knowing what vulnerabilities exist in your environment does not resolve them. You cannot patch everything at once, so you will need to set priorities by considering a combination of business and technical decisions. Define what is important to your business and assess the potential impact of system downtime.

You should also take into account the actual severity of a vulnerability. There are a number of scoring mechanisms that you can use to calculate the severity, such as the Common Vulnerability Scoring System (CVSS). Every organization must determine its thresholds for prioritizing a patch cycle. An organization might declare, for example, that everything above CVSS 8.0 must be patched within one week.

Finally, remember to validate that a patch has been properly applied and the system is no longer vulnerable.

Learning to Love Layered Security

Unfortunately, not every vulnerability is immediately patched by the vendor. Sometimes it takes time to come up with a patch, sometimes the product is no longer supported and sometimes the patch interferes with your business requirements.

Even when a patch is available, you may not have the required resources to immediately apply it. This means that although your vulnerability management process indicates that an asset in your environment requires patching, your process cannot apply the necessary measures.

This is where layered security and best practices can help to mitigate the exposure of such a vulnerability and, eventually, prevent exploitation. This is no substitute for patching, but it can buy you some valuable time. To stay in line with these layers of security, you should:

  • Use the principle of least privilege and do not run processes as a super user.
  • Apply a whitelisting strategy for allowed applications.
  • Use firewalls, antimalware and antivirus solutions, both on the systems and the network layer.
  • Apply proper inbound and outbound filtering rules.
  • Make sure there are tested backups and assume that you will need these backups to recover from hardware and software failures.
  • Use encryption, both in transit and for storage.
  • Use a filtering device that can implement so-called virtual patching.
  • Make use of intrusion detection or prevention systems.

Monitor, Detect and Respond

An intrusion detection or prevention system can help you to monitor your environment and block possible attacks. These systems do have their limits, however, and attackers can sometimes bypass them. It is important to monitor the behavior of your systems and establish a baseline of normal behavior.

Logging should take into account all the possible event sources available, going from application and system sources to user data and network information. Combining this information with a proper analysis process allows you to detect incidents and respond to them. The incident response process should not happen in an ad-hoc modus; it requires a well-defined playbook that allows you to detect the incident, collect incident indicators, mitigate the consequences, eradicate the source and recover from the event.

Once the incident has been dealt with, you can use the notes taken during it to extract lessons learned and improve the entire process. This enables you to provide input to other processes on what could have been improved and survey what security controls need a review or update. These insights are critical in the endless battle against threats such as the Apache Struts 2 vulnerability.

More from Application Security

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…