Cisco Blogs
Share
tweet

Content-Type: Malicious – New Apache Struts2 0-day Under Attack

- March 8, 2017 - 2 Comments

This Post Authored by Nick Biasini

UPDATE: It was recently disclosed that in addition to Content-Type being vulnerable, both Content-Disposition and Content-Length can be manipulated to trigger this particular vulnerability. No new CVE was listed, however details of the vulnerability and remediation are available in this security advisory.

Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory. Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution.

With exploitation actively underway Talos recommends immediate upgrading if possible or following the work around referenced in the above security advisory.

Read More >>

Tags:

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.

2 Comments

    really interesting Nick to see examples of actual attacks, and how Cisco can identify them.

    Waoh!. Upgrade must be done quickly. Thank you

Share
tweet