Sean Michael Kerner of eWeek writes:
An easy to exploit remote code execution flaw discovered in the widely used open-source Apache Struts 2 framework has been patched, but that’s not stopping attackers from attempting to exploit vulnerable systems.
The open-source Apache Struts 2 technology is a widely used framework component in Java applications and it’s currently under attack. The attacks follow the March 6 disclosure by the Struts project for a Remote Code Execution (RCE) vulnerability identified as CVE-2017-5638.
The CVE-2017-5638 issue was patched the same day as the Struts project made the disclosure, though multiple security firms have observed that attackers are actively going after unpatched systems.
“It is possible to perform a RCE attack with a malicious Content-Type value,” the Apache Struts project warns in its advisory. “If the Content-Type value isn’t valid, an exception is thrown which is then used to display an error message to a user.”
John Matthew Holt, Waratek Founder and CTO, commented in an email statement, that the Struts vulnerability is critical because the attack can be achieved without authentication. To make matters worse, web applications don’t necessarily need to successfully upload a malicious file to exploit this vulnerability, as just the presence of the vulnerable Struts library within an application is enough to exploit the vulnerability.
“For users who have made custom changes on Struts source code, it could take days or weeks to upgrade,” Holt stated.