A critical remote code execution vulnerability patched earlier this week in the Apache Struts 2 open-source development framework is already being exploited in the wild.
The flaw, tracked as CVE-2017-9805, affects applications that use the REST plugin with the XStream handler for XML payloads, and it exists due to the way Struts deserializes untrusted data. An exploit and a Metasploit module for the vulnerability were created within hours after the patch was released.
lgtm, the company that discovered the flaw, warned that at least 65 percent of Fortune 100 companies use Struts and they could all be exposed to remote attacks due to this vulnerability.
However, Contrast Security, which provides protection against these types of exploits, said only less than one percent of its customers’ Java applications use the problematic REST plugin. Furthermore, data from the Maven repository shows that less than a dozen applications use this plugin.
Nevertheless, security firms have already started seeing exploitation attempts. Cisco Talos and Belgium-based NVISO Labs both spotted attacks whose apparent goal was to find vulnerable servers. The attacks spotted by these companies involved a Russian website sending the requests and receiving the results of the exploitation attempt.
Cisco has also observed attacks whose goal was to deliver a potentially malicious file. Researchers were unable to determine what payload had been served, but based on previous Apache Struts attacks, they believe it was likely DDoS bots, spam bots or other malware.
“Within 48 hours of disclosure we were seeing systems activity exploiting the vulnerability. To their credit the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred,” explained Cisco’s Nick Biasini. “However, with money at stake bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today’s reality you no longer have weeks or months to respond to these type of vulnerabilities, it’s now down to days or hours and every minute counts.”
CVE-2017-9805 was patched by Apache Struts developers with the release of version 2.5.13, which also addresses a couple of less severe denial-of-service (DoS) vulnerabilities tracked as CVE-2017-9804 and CVE-2017-9793.
Cisco informed customers on Thursday that it’s working to determine which of its products are affected by these flaws. At the time of publication, only Cisco Emergency Responder is impacted, but not by the critical remote code execution weakness. The previously exploited Apache Struts 2 vulnerability, tracked as CVE-2017-5638, affected more than 20 Cisco products.
In the meantime, Struts developers released another update, version 2.3.34, which addresses an additional remote code execution vulnerability tracked as CVE-2017-12611. However, this vulnerability, related to Freemarker tags, has been classified as having moderate severity.