Strutshock: Apache Struts 2 Remote Code Execution

NOTE: Tinfoil’s web application scanner now looks for Strutshock! Sign up and start a free trial here. We also have a checker for only Strutshock here. Simply input your URL to see if you are vulnerable.

If you’ve been keeping up with the security community lately, you’ve probably heard about the Struts 2 vulnerability (CVE-2017-5638) announced by Apache a couple days ago. This allows for remote code execution due to improper handling of the Content-Type header by the Jakarta Multipart parser. Thus, an attacker can gain full access to and control of any information stored on a server.

How is this being exploited?

When an invalid Content-Type header is parsed by the Jakarta Multipart Parser, an exception is raised. The raised exception includes the invalid Content-Type header in the message. Unfortunately, if the header includes OGNL (Object Graph Navigation Language), the OGNL is evaluated before being returned. This allows an attacker to execute arbitrary code in the exception handler.

Who is affected?

Anyone currently using Apache Struts 2.3.5 - Struts 2.3.31 or Apache Struts 2.5 - Struts 2.5.10. If you’re not sure whether or not you’ve been affected, we’ve included our Strutshock test, for anyone, as part of our free trial once you’ve verified ownership of your website.

What should I upgrade to?

Upgrade to Apache Struts 2.3.32 or Apache Struts

I can’t upgrade right now, is there a workaround?

Yes, two workarounds were recently published on the Apache Struts 2 documentation. However, we highly suggest upgrading to a patched version as soon as possible.

Why was there an increase in attacks after the patch?

When the patch was released on March 6, less than a day later, a GitHub issue was opened on Rapid7’s Metasploit framework, an open source project, that included sample code allowing anyone to exploit the vulnerability. According to Cisco Talos, this resulted in immediate exploitation, and the rate of exploitation has remained steady since. If the severity doesn’t worry you, the fact that this attack is easy to reproduce and incredibly widespread should.

Lily Sellers

Lily is our Software Sorceress, and joined Tinfoil after graduating from UIUC with a degree in Computer Science & Statistics. When she's not building or breaking software, she's communicating directly with our users and building integrations to make our tools more developer-friendly. In her free time she enjoys playing point and click adventure games and MMORPGs.