What You Need to Know About the Apache Struts Vulnerability – Updated

Post updated by:
Christian Lappin, Threat Stack Senior Security Engineer & David Weinstein, Threat Stack Senior Security Engineer

Four months ago we wrote the following:

The Apache Struts “vulnerability is . . . extra-concerning because exploiting it is trivial. Hackers can easily spot vulnerable systems, the Struts exploits are publicly available, and the attack is easy to carry out and repeat. Attackers need to modify just one line of code to trick servers into downloading malicious binary from the internet.”

We warned about the Apache Struts vulnerability before the massive cyber attack that Equifax Inc. experienced — or at least before Equifax announced the breach to the public.

Since we wrote the above, the Equifax debacle has come to light, and so we thought it would be timely and appropriate to provide an update and to remind everyone about the need to be vigilant and to take adequate measures to prevent or mitigate damage.

Equifax Inc. became the object of a massive cyber attack because it failed to apply an available patch to a widely known critical vulnerability in a timely manner, resulting in the exposure of personal data on nearly half the U.S. population.

The Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was rated critical on the National Vulnerability Database (NVD) with a maximum score of 10.0. At the time the vulnerability was discovered, Apache issued warnings that the vulnerability could enable an attacker to perform a remote code execution attack.

On March 6, 2017, Apache released Struts versions 2.3.32 and 2.5.10.1, which patched this vulnerability.

  • Equifax apparently failed to apply this patch and on July 29 — almost five months later — discovered a breach.
  • On September 7, they officially alerted the public in a statement that acknowledged the breach, attributing it to criminals exploiting the Apache Struts vulnerability.

Lessons Learned?

While it is not possible to prevent all attacks, three things are painfully obvious. It is essential to:

  • Take stock and make sure your organization has a cybersecurity risk reduction plan and is successfully executing on it. A plan is not effective unless it is used.
  • Take Common Vulnerabilities and Exposures (CVEs) seriously and apply appropriate patches as quickly as possible.
  • Make sure you have tools in place that continuously monitor your workloads and alert you to suspicious activity in time to prevent or mitigate damage or loss to your company.

Original Blog Post

And with that, we encourage you to re-read the original blog post: What You Need to Know About the Apache Struts Vulnerability.

New vulnerabilities are discovered on a regular basis, and some receive quite a bit of publicity, while others fly under the radar. The latter situation can open up extensive opportunities for attackers to exploit these vulnerabilities.

A good example of one that has been “out” for quite a while without receiving much attention in the media (and thus from organizations that may be affected) is the Apache Struts vulnerability. Today, we’d like to take a look at what it is, why it’s worthy of attention, and what you can do to protect your organization.

The Apache Struts Vulnerability: What it is and Why it Matters

Apache is the most widely distributed web server in the world. The majority of the internet’s websites are run on it. Struts, in turn, is an Apache-based open source framework for building Java web apps. It’s quite popular with large tech companies, government agencies, and financial institutions. 

In March 2017, it was discovered that Apache Struts had a serious vulnerability, and since then it has been attacked in the wild on an active basis. The flaw resides specifically in the Jakarta Multipart parser upload function in Apache. Basically, it lets attackers craft malicious requests for Apache web servers, which are then able to execute on users’ systems.

Because it is such a widespread technology, the Apache Struts vulnerability has the potential to impact many organizations, and the potential fallout is dire. The attacks could be even more severe for organizations running their Apache web servers as root (not a best practice).

This vulnerability is also extra-concerning because exploiting it is trivial. Hackers can easily spot vulnerable systems, the Struts exploits are publicly available, and the attack is easy to carry out and repeat. Attackers need to modify just one line of code to trick servers into downloading a malicious binary from the internet.

The ubiquity of Apache, combined with the simplicity of executing this attack, makes it one worth paying attention to and actively protecting against.

How to Protect Against the Apache Struts Vulnerability

As far as this specific vulnerability is concerned, the Struts versions affected are:

  • 2.3.5
  • 2.3.31
  • 2.5
  • 2.5.10

Network administrators should immediately upgrade to 2.3.32 or 2.5.10.1 to ensure that their systems are patched against it. You can also switch to a different implementation of the parser.

However, patching isn’t always as straightforward as it sounds, since web apps may need to be rebuilt. Older apps might even have to be brought back from the dead to ensure that they aren’t offering a weak point for attackers.
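Because the Struts library is bundled inside each deployed web app, an inventory has to look inside the archives. The following added example (not code from the original post or from Apache) lists `struts2-core` jars inside a WAR and flags affected versions. It assumes the four versions listed above are the inclusive endpoints of two ranges (2.3.5 to 2.3.31 and 2.5 to 2.5.10) and that jars keep the standard `struts2-core-<version>.jar` name; the sample WAR is constructed in memory.

```python
import io
import re
import zipfile

# Assumption: the listed versions are inclusive range endpoints.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
CORE_JAR = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)\.jar$")


def _key(version, width=4):
    """Zero-pad a version so that 2.5 < 2.5.10 < 2.5.10.1 compares correctly."""
    version = tuple(version)
    return version + (0,) * (width - len(version))


def is_affected(version_text):
    """True if the dotted version falls inside one of the affected ranges."""
    version = _key(int(part) for part in version_text.split("."))
    return any(_key(lo) <= version <= _key(hi) for lo, hi in AFFECTED_RANGES)


def scan_archive(archive):
    """Return (entry, version, affected) for each struts2-core jar in a WAR/EAR."""
    findings = []
    with zipfile.ZipFile(archive) as war:
        for name in war.namelist():
            match = CORE_JAR.search(name)
            if match:
                version = match.group(1)
                findings.append((name, version, is_affected(version)))
    return findings


def build_sample_war(jar_version):
    """Constructed in-memory WAR with an empty stand-in for the Struts jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/struts2-core-{jar_version}.jar", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for sample in ("2.3.31", "2.5.10.1"):
        for entry, version, affected in scan_archive(build_sample_war(sample)):
            print(f"{entry}: {'AFFECTED, upgrade' if affected else 'patched'}")
```

`scan_archive` also accepts a file path, so it can be run over every `.war` found on a host, including apps that are no longer actively maintained.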

It’s a good idea to get those patches done as quickly as you can, but patching quickly is not always easy or possible, especially for critical or public-facing servers. Because of this, having a real-time host-based intrusion detection system (HIDS) is important to detect these attacks when they are in their zero-day states and beyond.

Why HIDS is a Key Line of Defense

Even if you are not vulnerable to this particular type of attack, it’s a good idea to use it as an excuse to evaluate your intrusion detection capabilities. Every organization needs to have a real-time intrusion detection platform in place to protect against the likelihood that more vulnerabilities, and therefore attacks, like this will be launched in the future.

The primary value of host-based intrusion detection monitoring is that it allows you to use behavior-based indicators to immediately catch suspicious events. With a solution like Threat Stack’s intrusion detection platform, out-of-the-box rulesets will alert you to common security events, like abnormal (or any) commands run by your Apache service user, unexpected system modifications, or anomalous connections to known command and control servers.

Baselining your system will give you a clear sense of what is “normal” for your environment, and then HIDS can be put to work catching any anomalies in real-time when they arise, not days or even hours later, after they’ve already had a chance to wreak havoc.
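The behavior-based check described above, as an added example (not Threat Stack's ruleset and not code from the original post): it reads Linux auditd SYSCALL records and reports every `execve` by the web application's service account whose executable is outside a baseline. The uid 91, the baseline path and the trimmed log lines are constructed sample values.

```python
import re

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
ARCH_X86_64 = "c000003e"
EXECVE_X86_64 = "59"  # execve syscall number on x86_64

# Constructed, trimmed auditd records. uid 91 is a hypothetical service
# account running the web application; uid 1000 is an interactive user.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1489400001.101:901): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2210 uid=91 comm="java" exe="/usr/lib/jvm/jre/bin/java" key="exec"
type=SYSCALL msg=audit(1489400009.412:905): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=4410 uid=91 comm="sh" exe="/bin/sh" key="exec"
type=SYSCALL msg=audit(1489400009.530:906): arch=c000003e syscall=59 success=yes exit=0 ppid=4410 pid=4411 uid=91 comm="curl" exe="/usr/bin/curl" key="exec"
type=SYSCALL msg=audit(1489400010.002:907): arch=c000003e syscall=59 success=yes exit=0 ppid=5001 pid=5120 uid=1000 comm="ls" exe="/bin/ls" key="exec"
type=SYSCALL msg=audit(1489400012.008:909): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2210 uid=91 comm="java" exe="/usr/lib/jvm/jre/bin/java" key="files"
"""


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def unexpected_execs(log_text, service_uid, baseline):
    """Return (pid, ppid, exe) for each execve by service_uid outside baseline."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != ARCH_X86_64:
            continue
        if rec.get("syscall") != EXECVE_X86_64 or rec.get("uid") != service_uid:
            continue
        exe = rec.get("exe", "?")
        if exe not in baseline:
            alerts.append((rec.get("pid"), rec.get("ppid"), exe))
    return alerts


if __name__ == "__main__":
    baseline = {"/usr/lib/jvm/jre/bin/java"}  # what is "normal" for uid 91
    for pid, ppid, exe in unexpected_execs(SAMPLE_LOG, "91", baseline):
        print(f"ALERT uid=91 pid={pid} ppid={ppid} ran {exe}")
```

The `ppid` in each alert links the shell back to the Java process and the download tool back to the shell, which is the chain a responder follows first.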

If you have Threat Stack installed, there’s no need to worry about the Apache vulnerability or similar ones in future, even in their zero-day state. The Threat Stack platform will alert you if there is unexpected activity in your environment, so you can respond quickly and effectively.

Final Words . . .

While the Apache vulnerability was somewhat surprising with its widespread nature and the lack of media attention, it’s safe to say that there are plenty more like it lurking in the wings, ready to make their debut, or maybe already being exploited.

Patching systems that can be patched and putting in place a robust HIDS capability will allow you to go about your business without worrying that the next Heartbleed or Shellshock or Apache Struts vulnerability will torpedo your organization.

If you would like to learn more about Threat Stack’s real-time, host-based intrusion detection (HIDS) capabilities and other cloud security functionality, please contact us for a demo.
