Researchers just discovered a bug that has made Fortune 100 companies vulnerable to simple hacks since 2008.
Apache Software Foundation has patched a remote code execution vulnerability affecting the Jakarta Multipart parser in Apache Struts. Administrators need to update the popular Java application framework or put workarounds in place because the vulnerability is actively being targeted in attacks.
The issue affects Apache Struts versions 2.3.5 through 2.3.31 and versions 2.5 through 2.5.10. The presence of vulnerable code is enough to expose the system to attack—the web application doesn’t need to implement file upload for attackers to exploit the flaw, said researchers from Cisco Talos.
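The affected version ranges above are the first thing an administrator needs to check across an estate. The following is an added example, not part of the original article or of Apache Struts: it parses `struts2-core-*.jar` filenames from a constructed inventory (hypothetical paths) and flags the ones inside the ranges the article lists, handling the point release edge case (a version such as 2.5.10.1 sorts after 2.5.10 and is therefore not flagged).

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Affected ranges exactly as stated in the article, both ends inclusive.
VULNERABLE_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]

# Matches the Struts core jar naming pattern, capturing the dotted version.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuple comparison orders numerically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    """True if the version lies in one of the affected ranges from the article.

    Tuple comparison makes (2, 5) <= (2, 5, 0) and (2, 5, 10, 1) > (2, 5, 10),
    so a patch release past the range end is correctly left unflagged.
    """
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def version_from_jar(path: str) -> Optional[str]:
    """Extract the version from a struts2-core jar path, or None for other jars."""
    m = JAR_RE.search(path)
    return m.group(1) if m else None


def triage_jars(paths: Iterable[str]) -> Dict[str, str]:
    """Return {path: version} for every struts2-core jar in an affected range."""
    return {p: v for p in paths if (v := version_from_jar(p)) and is_vulnerable(v)}


# Constructed sample inventory; the hosts and paths are hypothetical.
SAMPLE_INVENTORY = [
    "/opt/tomcat/webapps/booking/WEB-INF/lib/struts2-core-2.3.30.jar",
    "/opt/tomcat/webapps/banking/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.4.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for path, ver in triage_jars(SAMPLE_INVENTORY).items():
        print(f"AFFECTED {ver:>8}  {path}")
```

Feed it the output of a `find ... -name 'struts2-core-*.jar'` run over your application servers to get a first-pass list of deployments that need the upgrade or a workaround.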
The vulnerability relates to how Struts parses multipart request data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside such data and executed when Struts attempts to convert it.
That means intruders could easily inject malware into web servers, possibly without being detected, and use it to steal or delete sensitive data, or infect computers with ransomware, among other things.
“Struts is used in several airline booking systems, as well as a number of financial institutions who use it in internet banking applications,” according to Man Yue Mo, a researcher at lgtm. “On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organizations who use Struts should upgrade their components immediately.”
The researchers have also seen malicious attacks which turn off firewall processes on the target and drop payloads: “The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet”.
CVE-2017-5638 is documented at Rapid7’s Metasploit Framework GitHub site.