The University Information Security Office (UISO) emphasizes this excerpt from one of our sources: "It is important to note that the presence of a vulnerable library is enough to exploit the vulnerability. The web application doesn't necessarily need to implement file upload functionality to exploit this vulnerability." Additionally, web applications that were built with a vulnerable version of Apache Struts should be recompiled against the patched version. The UISO has observed external sources scanning the IU network for the presence of this vulnerability. Mitigations have been implemented to stop these scanning attempts.
On March 6, 2017, Apache issued a security bulletin that affects Apache Struts. The severity of the vulnerability is classified as "High" and is therefore considered critical. According to reports, the vulnerability is being exploited in the wild.
Systems running a vulnerable version of Apache Struts are exposed to remote code execution on the server. Malicious code can disable server-based firewalls and run malware or other code of the hackers' choosing. Please see the UISO Recommendations below for the steps that must be taken.
- Apache Struts 2.3.5 through 2.3.31
- Apache Struts 2.5 through 2.5.10
The University Information Security Office has QualysGuard vulnerability scanners available to faculty and staff who maintain servers and websites at IU. The Qualys scanner has identified that there are systems on the IU network that are affected by this vulnerability.
- Patch Apache Struts to 2.3.32 or 2.5.10.1 immediately
- Regularly check Apache Struts Security Bulletins
- Have your web applications and sites scanned for vulnerabilities
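Because the presence of the library alone is enough, the practical check is to inventory every copy of struts2-core on a server, including copies bundled inside deployed WAR/EAR files, and compare each version against the affected ranges above. The script below is an added example written for this page, not a UISO or Apache tool; it assumes the jar is named in the usual `struts2-core-<version>.jar` form and treats the fixed releases 2.3.32 and 2.5.10.1 as the upper bounds. The sample tree it builds for `demo()` is constructed, not real deployment data.

```python
import os
import re
import sys
import tempfile
import zipfile
from typing import List, Tuple

# Affected ranges from the advisory: 2.3.5 through 2.3.31 and 2.5 through 2.5.10.
# Stored as half-open [first affected, first fixed) intervals, so 2.3.32 and
# 2.5.10.1 compare as not affected.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 32)),
    ((2, 5), (2, 5, 10, 1)),
)

# Matches struts2-core-2.3.31.jar, struts2-core-2.5.10.1.jar, struts2-core-2.5.10-SNAPSHOT.jar
JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")
ARCHIVES = (".war", ".ear", ".jar")  # containers that may bundle the library in WEB-INF/lib


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def scan_path(root: str) -> List[Tuple[str, str, bool]]:
    """Return (location, version, affected) for every struts2-core jar under root,
    whether it sits loose on disk or inside a .war/.ear/.jar archive."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            m = JAR_NAME.search(name)
            if m:  # loose copy of the library, e.g. in a shared lib directory
                findings.append((path, m.group(1), is_affected(m.group(1))))
                continue
            if name.lower().endswith(ARCHIVES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for entry in zf.namelist():
                        m = JAR_NAME.search(entry.rsplit("/", 1)[-1])
                        if m:  # copy bundled inside a deployed application
                            findings.append((f"{path}!{entry}", m.group(1), is_affected(m.group(1))))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample layout (hypothetical, not real artifacts): two loose jars
    and one WAR that bundles struts2-core under WEB-INF/lib."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for jar in ("struts2-core-2.3.31.jar", "struts2-core-2.3.32.jar"):
        open(os.path.join(root, "lib", jar), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", b"")
        war.writestr("WEB-INF/lib/commons-io-2.5.jar", b"")


def demo() -> List[Tuple[str, str, bool]]:
    """Scan the constructed sample tree and return findings with the temp prefix removed."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_path(root)
    return sorted(
        (loc[len(root) + 1:].replace(os.sep, "/"), ver, hit) for loc, ver, hit in findings
    )


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_path(target) if target else demo()
    for location, version, affected in results:
        status = "VULNERABLE - patch to 2.3.32 / 2.5.10.1" if affected else "not in affected range"
        print(f"{location}: struts2-core {version}: {status}")
```

Run it as `python struts_check.py /opt/tomcat/webapps` (path assumed) on each server; with no argument it scans the constructed sample tree. A hit inside a WAR is the case the quoted excerpt warns about: the application may never call the upload code, yet the library is present and the deployment needs to be rebuilt against a patched release, not just the shared copy replaced.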
- Critical vulnerability under "massive" attack imperils high-impact sites
- Apache Struts 2 needs patching, without delay. It's under attack now
- Hackers exploit Apache Struts vulnerability to compromise corporate web servers
- Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability
- Apache Struts Security Bulletins
- Has your server or website been scanned lately?