Apache Servers Under Attack Through Easily Exploitable Struts 2 Flaw (helpnetsecurity.com) 63
Orome1 quotes a report from Help Net Security: A critical vulnerability in Apache Struts 2 is being actively and heavily exploited, even though the patch for it has been released on Monday. The vulnerability (CVE-2017-5638) affects the Jakarta file upload Multipart parser in Apache Struts 2. It allows attackers to include code in the "Content-Type" header of an HTTP request, so that it is executed by the web server. Almost concurrently with the release of the security update that plugs the hole, a Metasploit module for targeting it has been made available. Unfortunately, the vulnerability can be easily exploited as it requires no authentication, and two very reliable exploits have already been published online. Also, vulnerable servers are easy to discover through simple web scanning. "Struts 2 is a Java framework that is commonly used by Java-based web applications," reports SANS ISC in their blog. "It is also known as 'Jakarta Struts' and 'Apache Struts.' The Apache project currently maintains Struts." Cisco Talos also has a blog detailing the attack.
Re: FP! (Score:2, Insightful)
Whoever chose struts 2 back then probably deserve it
Re: FP! (Score:4, Insightful)
Whoever chose struts 2 back then probably deserve it
Maybe not for the 6 months in which it was relevant, but for the 13[1] years where all java sweatshops kept on using that piece of shit yes, they deserve it.
[1]not a precise number
Re: FP! (Score:2)
I looked at struts2 back in my enterprise java days. There was way too much automagic driven by rails envy where it was doing very dynamic things magically based on the request. Lots of stuff where the request would become a very complex java object that would interact with automagic libraries to do dangerous things and you just had to trust their weren't any exploits. I decided to use json servlets and single page web app frameworks instead.
Re: (Score:2)
As long as it is clearly documented what it will do, and you know what precisely what it will having it automatically do things isnt necessarily bad, can save time, as long as finer grain control is allowed. If it is poorly documented and does unexpected things, this is pretty bad. Allowing a system command to be run is a pretty nasty undocumented automatic behaviour.
perspective (Score:2)
Whoever chose struts 2 back then probably deserve it
Maybe not for the 6 months in which it was relevant, but for the 13[1] years where all java sweatshops kept on using that piece of shit yes, they deserve it.
[1]not a precise number
Struts 2 is fine. It works fine. It with JSP/JSTL is all you ever need in the general case. Everything else is sugar (except few problem domains where you truly need something new.) I like Vaadim and Stripes, but I've seen enough sites VERY WELL built with plain old Struts and JPS/JSTL to know it is the wielder, not the tool.)
If you have a decently built system that runs well on Struts, why change it? Just to try something new? That's not engineering, that's playing on someone else's dime.
Every damned s
Re: (Score:2)
Struts was the only thing available for a long time back in the dark ages of J2EE. So a lot of smart people were drawn into doing stupid things because that was the only thing available.
By the time Struts 2 came about it was about the time most smart people realised how stupid the whole J2EE thing was and abandoned it and starting trying out better things. Most stupid people went on to Struts 2.
That's an axiomatic, self-fulfilling statement. Congratulations.
Re: (Score:2)
dude.... you are confusing Struts and Struts 2. They have nothing in common but the name.
No, I just never cared to call them Struts and Struts 2. Both are fine, having worked on them both. I can see why why my lazy wording would confuse people, though.
Re: (Score:2)
I think you just admitted you fall under the "you deserve it" and "stupid people" categories as pointed out by the various posters above.
I'll say yes to that if it makes you feel... I dunno, accomplished? Sure, go for it, you win.
Re: (Score:2)
What would you recommend instead?
Re: (Score:2)
I acknowledge that it's not for everyone, but I'm really enjoying Vaadin [vaadin.com] right now.
Re: (Score:2)
uh (Score:1)
when did apache become something else than a webserver?
1999 was Apache Tomcat. Maybe earlier (Score:5, Insightful)
In 1999 the Apache Foundation got Tomcat, given to them by Sun. That may have been Apache's first project other than httpd.
What annoys me is that people I work with call all of the 50 or so different projects "Apache", without further specification. I'm well-versed in the Apache httpd code, I've contributed patches and I know configuration tricks and such. So when someone says "I'm having trouble with Apache" I go over to help, only to discover they're working on some Java thing.
Re:1999 was Apache Tomcat. Maybe earlier (Score:4, Funny)
Re: (Score:3)
Apache HTTPD - more commonly known as simply "Apache" is the flagship product of the Apache Foundation.
But they took over the Tomcat J2EE server and spread out into an entire Java domain - "Jakarta".
Jakarta Tomcat is now known as Apache Tomcat, however, and most of the other jakarta projects have been made into "apache" projects.
And yes, as a Tomcat support person, I do find it annoying that clueless people will ask me questions about "apache" and the first thing I have do do is figure out which Apache they
Re: (Score:2)
the first thing I have do do is figure out which Apache they are talking about
Reminds me of IBM Tivoli which has a host of unrelated things under one umbrella
Other: "You do Tivoli, right?"
Me: "Tivoli Monitoring, to be precise. Well, only ITM6 really, which is just rebadged Candle after they bought Candle out. I don't know much about previous versions."
Other: "Whatever. There's this backup issue..."
Me. "I think you'll find that's Tivoli Storage Manager. A completely unrelated product that I've never worked with."
Re: (Score:2)
I thought that was supposed to be WebSphere.
Re: (Score:2)
Re: (Score:2)
Kafka claims to be a streaming platform, and Struts claims to be an MVC framework. So, they serve different domains it would seem.
Re: (Score:2)
Apache has over 300 projects now that they maintain. Tomcat, Jetty, Open Office, Flex, Cordova, ANT, CouchDB, Maven, Luceen, etc. are all Apache projects that are some of the more popular open-source projects out there. They started accepting projects in addition to httpd in the late 90's.
Re: (Score:2)
The Apache Software Foundation is now more than 300 projects. See https://projects.apache.org/ [apache.org]
Last link in the summary includes Windows payload (Score:3)
The last link in the summary (Cisco Talos) includes a Windows payload.
Click-bait headlines (Score:4, Insightful)
Seriously, the last thing I think of when someone says Apache Servers is Struts, Tomcat, Java or anything else but Apache HTTPD.
Saying that "Apache Servers" are under "attack" and being exploited through a "Struts 2" flow is misleading to most of the world who does not know or care about Struts and just runs plain-jane websites.
Wrong language! (Score:1)
Had they used a good, strongly typed language like Java, instead of crappy C, this wouldn't have happened!
Oh, wait...
This is not Apache Server issue - just Struts 2! (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
What do you recommend? C/C++ programs facing the internet? I dont think there exists many large C/C++ programs that have not had severe buffer overflows. PHP/Perl/Ruby etc with their automatic memory management are relatively safe by comparison.
PHP has massively improved (Score:2)
I used to talk like that about PHP. PHP has greatly improved over the years.
Better than moldy coffee grounds and Balmer's hole (Score:2)
Yes, it's now slightly less stinky than something that resembles moldy coffee grounds left in the coffee maker over the holidays, or Balmer's ass hole.
It seems all programming languages suck. C, after decades of careful revision, is well suited to certain tasks, but not the tasks that most of us do most of the time.
Struts2 idiocy. (Score:4, Insightful)
This is a lesson in sanitizing inputs.
What happens is that the OGNL interpreter can get started with the HTTP headers as the input. Sepcifically the "Content-Type" header.
Why anyone thought that using a full on interpreter to parse a string attribute was a good idea is beyond me.
Re: (Score:1)
In fact, I'm getting a bit sick of all the frameworks trying to be as "dynamic" as possible with the wildcards and the matching and the auto-classpath-scanning and the watnot... Initial POCs are always easy but once the application grows it seems the complexity too, just because of all the "cool" knobs and dials you can tweak.
ps: It seems ANY java web server on which struts 2 can run is impacted, the connotation with Tomcat is already far fetch
Post should be fixed for unwitting httpd users (Score:1)
Ugh, this is misleading enough that the post should probably be corrected - how many Apache HTTPD users are having fits trying to figure out how to fix this "vulnerability" ??