Remote Code Execution in Apache Struts 2 via File Upload Headers
The Jakarta Multipart parser in Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles exceptions and error messages generated during file uploads. This allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. The flaw was exploited in the wild in March 2017 using a Content-Type header containing a #cmd= string.
Vulnerable Product |
---|
apache struts |
ibm storwize v3500 firmware 7.7.1.6 |
ibm storwize v3500 firmware 7.8.1.0 |
ibm storwize v5000 firmware 7.7.1.6 |
ibm storwize v5000 firmware 7.8.1.0 |
ibm storwize v7000 firmware 7.7.1.6 |
ibm storwize v7000 firmware 7.8.1.0 |
lenovo storage v5030 firmware 7.7.1.6 |
lenovo storage v5030 firmware 7.8.1.0 |
hp server automation 9.1.0 |
hp server automation 10.0.0 |
hp server automation 10.1.0 |
hp server automation 10.2.0 |
hp server automation 10.5.0 |
oracle weblogic server 10.3.6.0.0 |
oracle weblogic server 12.1.3.0.0 |
oracle weblogic server 12.2.1.1.0 |
oracle weblogic server 12.2.1.2.0 |
arubanetworks clearpass policy manager |
netapp oncommand balance |
Beapy: Cryptojacking Worm Hits Enterprises in China (Threat Intelligence, posted 24 Apr 2019)
Cryptojacking campaign we have dubbed Beapy is exploiting the EternalBlue exploit and primarily impacting enterprises in China. Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks. Beapy act...
During an incident response performed by Kaspersky’s Global Emergency Response Team (GERT) and GReAT, we uncovered a novel multiplatform threat named “NKAbuse”. The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities. Written in Go, it is flexible enough to generate binaries compatible with various architectures. Our analysis suggests that the primary target of NKAbuse is Linux desktops. ...
Update, update, update. Plus: Flash, Struts, Drupal also make appearances
Sadly, 111 in this story isn't binary. It's decimal. It's the number of security fixes emitted by Microsoft this week
Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware. A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe. Microsoft ranks highly in the list because its software is widely used, and provides the mo...
Underground forums alight with Struts chat, we hear
Apache's latest SNAFU – Struts normal, all fscked up: Web app framework needs urgent patching
Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too
A recently uncovered critical vulnerability in Apache Struts is already being exploited in the wild. Threat intel firm Volexity has warned that hackers are abusing the CVE-2018-11776 vuln to attack systems running Apache Struts 2, a popular open-source framework for developing applications in Java. Specifically, some nasty characters have abused the flaw while trying to install the CNRig cryptocurrency miner, researchers said. The vulnerability appears to be easier to exploit than the Struts fla...
Your personal data was probably already in crims' hands
The United States Internal Revenue Service has said that citizens affected by the Equifax breach need not panic, because it probably didn't reveal anything that hasn't already been stolen and the agency has tooled up to deal with fraudulent tax claims. Commissioner John Koskinen, discussing whether the breach would interfere with tax collection, told journalists “a significant percent of those taxpayers already had their information in the hands of criminals”, according to a report of a Q&am...
Someone failed to order the patch. If it was you, c'mere, have a hug. And a new identity Equifax CEO falls on his sword weeks after credit biz admits mega-breach
Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz's IT security breach on a single member of the company's security team. In testimony on Tuesday before a US House subcommittee on consumer protection, Smith explained that Equifax has a protocol whereby news of important software patches is communicated to the appropriate people within a certain time. When details of security vulnerability CVE-2017-5638 landed in March 2017, bearing bad news about Ap...
Ex-CEO says company stayed silent about hack to stop crims piling on with more attacks
Equifax was just as much of a trash-fire as it looked: the company saw the Apache Struts 2 vulnerability warning, failed to patch its systems, and held back a public announcement for weeks for fear of “copycat” attacks. Those Infosec for Absolute Dummies tips were made official by ex-CEO Richard Smith, by way of evidence published by a US House committee ahead of his in-person appearance Tuesday. Smith's written statement [PDF] to the House Committee on Energy and Commerce says the company r...
Those are just the ones known to have downloaded outdated versions
Thousands of companies may be susceptible to the same type of hack that recently struck Equifax. The Equifax breach was the result of a vulnerable Apache Struts component. Software automation vendor Sonatype warns that 3,054 organisations downloaded the same Struts2 component exploited in the Equifax hack in the last 12 months. The affected version of Struts2 was publicly disclosed as vulnerable (CVE-2017-5638) on March 10, and was subsequently exploited at Equifax between May and late July, whe...
Company tried to find and patch vulnerable systems, but we know what happened next
Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software. The retirements and more details about the company's mega-breach are revealed in a new entry to equifaxsecurity2017.com in which the company describes what it knew, when it knew it, and how it responded. The update reveals that the attack hit the company's “U.S. online disput...
Help wanted at Equifax. Badly
Further evidence has emerged regarding the insecurity of Equifax’s web setup, as independent security researcher Scott Helme reports having uncovered all manner of problems with Equifax’s security header configuration. The finding from Helme comes as a date was confirmed for the Equifax CEO to appear before Congress earlier next month, and the FTC said it was investigating the credit reference agency. “Many of the headers are more about addressing the basics, but as a site that serves over...
Apache Struts was popped, but company had at least TWO MONTHS to fix it
Equifax has revealed that the cause of its massive data breach was a flaw it should have patched weeks before it was attacked. The company has updated its www.equifaxsecurity2017.com/ site with a new “A Progress Update for Consumers” that opens as follows: As the Apache Foundation pointed out earlier this week, it reported CVE-2017-5638 in March 2017. Doubt us? Here's the NIST notification that mentions it as being notified on March 10th. Equifax was breached in “mid-May” 2017, realised ...
Hold our beers, Equifax
Updated Experian and Annual Credit Report.com – an organization set up by Equifax, Experian and Transunion to meet US consumer finance regulations – left themselves exposed to a serious vulnerability in Apache Struts earlier this year. The security shortcoming raises important questions following the disclosure of a mega-breach at Equifax last week that affected data on 143 million Americans and an as-yet unknown number of Canadians and Brits. Equifax only said that an unspecified web applic...
Black hats testing remote code execution zero-day vulnerability
Infosec researchers have found a “dire” zero-day in Apache Struts 2, and it's under active attack. If you're a sysadmin using the Jakarta-based file upload Multipart parser under Apache Struts 2, Nick Biasini of Cisco's Talos advises applying the latest upgrade immediately. CVE-2017-5638 is documented at Rapid7's Metasploit Framework GitHub site. Talos's input adds urgency to getting the upgrade, because the organisation “found a high number of exploitation events. The majority of the expl...
More details released after devs allowed weeks to apply fixes
Equifax couldn't find or patch vulnerable Struts implementations
We now know the remote code execution vulnerability in Apache Struts 2 disclosed back in November carries a near-maximum severity rating following the publication of the CVE. According to the National Vulnerability Database (NVD), which published the CVE on Wednesday, Apache scored CVE-2024-53677 a 9.5 using the CVSSv4 framework while Tenable noted a 9.8 rating using CVSSv3 – take your pick. Considering remote attackers could exploit the vulnerability without requiring any privileges, co...
Novel malware adapts, delivers DDoS attacks and provides RAT functionality
Incident responders say they've found a new type of multi-platform malware abusing the New Kind of Network (NKN) protocol. Dubbed "NKAbuse" by the researchers, the Go-based backdoor offers criminal attackers a range of possibilities, including being able to DDoS or fling remote access trojans (RATs), and leans on NKN for more anonymous yet reliable data exchange. NKN is an open source protocol that lets users perform a peer-to-peer (P2P) data exchange over a public blockchain – like a cross be...
Not quite a pound for every one of the 13.8 million affected UK citizens, and it could have been more
The UK's Financial Conduct Authority (FCA) has fined Equifax a smidge over £11 million ($13.6 million) for severe failings that put millions of consumers at risk of financial crime. The regulator branded the entire debacle "entirely preventable" – from Equifax's failure to promptly notify regulators to the way in which it misled the public over the severity of a security breach back in 2017. The original fine should have been greater; the true sum was £15,949,200 ($19,428,836) but the compan...