NOTICE: Critical Apache Struts vulnerability being actively exploited

Thursday, March 9, 2017

This information is intended for U-M IT staff who are responsible for university websites that use Apache Struts. Apache Struts is an open source framework used for building Java web applications. This information was sent to the IT Security Community and www-sig groups via email on March 9, 2017.

Summary: 

Hackers are actively exploiting a critical vulnerability in Apache Struts that allows them to take almost complete control of web servers running vulnerable Java web applications. If your website has a vulnerable Java application that was built with Apache Struts, it may already be compromised. The fix requires each web app that was developed with a vulnerable version of Apache Struts to be recompiled using a patched version.

Problem: 

Successful exploitation of this vulnerability could allow for remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Affected Versions: 

Apache Struts versions affected by the vulnerability include Struts 2.3.5 through 2.3.31, and 2.5 through 2.5.10. Servers running any of these versions should upgrade to 2.3.32 or 2.5.10.1 immediately. Apache Struts is an open source framework used for building Java web applications.

Action Items: 

We recommend the following actions be taken for applications that are vulnerable:

  • Upgrade quickly to one of the non-impacted versions of Adobe Struts (2.3.32 or 2.5.10.1), or follow the mitigation identified in the Apache documentation.
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Review application and server log data to check for unusual activity that may be an indication of compromise. Contact security@umich.edu if you believe the vulnerability was successfully exploited.

In general, we recommend that you validate type and content of uploaded data frequently. Also, run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

Threats: 

There are reports of this vulnerability being actively exploited in the wild. Exploit code is available, and exploitation attempts against University of Michigan systems are being detected.

Technical Details: 

A vulnerability has been discovered in Apache Struts that could allow for remote code execution. An attacker can exploit this issue by sending a malicious Content-Type value as part of a file upload request on Struts installations configured to use the Jakarta Multipart parser (CVE-2017-5638), the default Multipart parser for Struts 2. If the Content-Type value is not valid, an exception occurs, and an error message is displayed.

Information for Users: 

This vulnerability affects applications running on servers, so end users do not need to do anything specific in response. As always, users should exercise caution when visiting websites and providing personal information.