Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Security Java Apache Technology

Apache Servers Under Attack Through Easily Exploitable Struts 2 Flaw ( 63

Orome1 quotes a report from Help Net Security: A critical vulnerability in Apache Struts 2 is being actively and heavily exploited, even though the patch for it has been released on Monday. The vulnerability (CVE-2017-5638) affects the Jakarta file upload Multipart parser in Apache Struts 2. It allows attackers to include code in the "Content-Type" header of an HTTP request, so that it is executed by the web server. Almost concurrently with the release of the security update that plugs the hole, a Metasploit module for targeting it has been made available. Unfortunately, the vulnerability can be easily exploited as it requires no authentication, and two very reliable exploits have already been published online. Also, vulnerable servers are easy to discover through simple web scanning. "Struts 2 is a Java framework that is commonly used by Java-based web applications," reports SANS ISC in their blog. "It is also known as 'Jakarta Struts' and 'Apache Struts.' The Apache project currently maintains Struts." Cisco Talos also has a blog detailing the attack.
This discussion has been archived. No new comments can be posted.

Apache Servers Under Attack Through Easily Exploitable Struts 2 Flaw

Comments Filter:
  • by Anonymous Coward

    when did apache become something else than a webserver?

    • by raymorris ( 2726007 ) on Friday March 10, 2017 @08:17AM (#54011681) Journal

      In 1999 the Apache Foundation got Tomcat, given to them by Sun. That may have been Apache's first project other than httpd.

      What annoys me is that people I work with call all of the 50 or so different projects "Apache", without further specification. I'm well-versed in the Apache httpd code, I've contributed patches and I know configuration tricks and such. So when someone says "I'm having trouble with Apache" I go over to help, only to discover they're working on some Java thing.

    • Apache HTTPD - more commonly known as simply "Apache" is the flagship product of the Apache Foundation.

      But they took over the Tomcat J2EE server and spread out into an entire Java domain - "Jakarta".

      Jakarta Tomcat is now known as Apache Tomcat, however, and most of the other jakarta projects have been made into "apache" projects.

      And yes, as a Tomcat support person, I do find it annoying that clueless people will ask me questions about "apache" and the first thing I have do do is figure out which Apache they

      • the first thing I have do do is figure out which Apache they are talking about

        Reminds me of IBM Tivoli which has a host of unrelated things under one umbrella

        Other: "You do Tivoli, right?"

        Me: "Tivoli Monitoring, to be precise. Well, only ITM6 really, which is just rebadged Candle after they bought Candle out. I don't know much about previous versions."

        Other: "Whatever. There's this backup issue..."

        Me. "I think you'll find that's Tivoli Storage Manager. A completely unrelated product that I've never worked with."

    • Apache has Kafka, among others. But honestly Kafka is all we need now.
      • Kafka claims to be a streaming platform, and Struts claims to be an MVC framework. So, they serve different domains it would seem.

    • by quetwo ( 1203948 )

      Apache has over 300 projects now that they maintain. Tomcat, Jetty, Open Office, Flex, Cordova, ANT, CouchDB, Maven, Luceen, etc. are all Apache projects that are some of the more popular open-source projects out there. They started accepting projects in addition to httpd in the late 90's.

    • by rbowen ( 112459 )

      The Apache Software Foundation is now more than 300 projects. See []

  • by Anonymous Coward on Friday March 10, 2017 @08:51AM (#54011741)

    Seriously, the last thing I think of when someone says Apache Servers is Struts, Tomcat, Java or anything else but Apache HTTPD.

    Saying that "Apache Servers" are under "attack" and being exploited through a "Struts 2" flow is misleading to most of the world who does not know or care about Struts and just runs plain-jane websites.

  • by Anonymous Coward

    Had they used a good, strongly typed language like Java, instead of crappy C, this wouldn't have happened!

    Oh, wait...

  • by kiviQr ( 3443687 ) on Friday March 10, 2017 @08:58AM (#54011763)
    This is not Apache Server issue. It is Struts 2 (that is under Apache umbrella) .
  • Struts2 idiocy. (Score:4, Insightful)

    by prunus.avium ( 4301083 ) on Friday March 10, 2017 @11:56AM (#54012703)

    This is a lesson in sanitizing inputs.

    What happens is that the OGNL interpreter can get started with the HTTP headers as the input. Sepcifically the "Content-Type" header.

    Why anyone thought that using a full on interpreter to parse a string attribute was a good idea is beyond me.

    • by Cobron ( 712518 )
      Sorry, I have no mod points to spend because you're dead on.
      In fact, I'm getting a bit sick of all the frameworks trying to be as "dynamic" as possible with the wildcards and the matching and the auto-classpath-scanning and the watnot... Initial POCs are always easy but once the application grows it seems the complexity too, just because of all the "cool" knobs and dials you can tweak.
      ps: It seems ANY java web server on which struts 2 can run is impacted, the connotation with Tomcat is already far fetch
  • Ugh, this is misleading enough that the post should probably be corrected - how many Apache HTTPD users are having fits trying to figure out how to fix this "vulnerability" ??

To be a kind of moral Unix, he touched the hem of Nature's shift. -- Shelley