A critical vulnerability in Apache Struts 2.5, patched earlier this week, is already being exploited against servers still running unpatched versions of the framework.
The vulnerability (CVE-2017-9805) exists because the Struts REST plugin deserializes XML request bodies from untrusted sources, via its XStream handler, without restricting the types it will instantiate; a remote attacker can use this to execute arbitrary code on the server.
Within hours of the patch's release, a public exploit and a Metasploit module for the vulnerability were available.
Researchers at LGTM, who discovered the vulnerability, warn that at least 65% of Fortune 100 companies use the Apache Struts framework, and any of them could be hit by a remote attack if they do not update.
At the same time, Contrast Security, which offers protection against this type of exploit, estimates that fewer than 1% of Java applications actually use the vulnerable REST plugin.
Nevertheless, exploitation attempts were observed within 48 hours of the patch. Cisco Talos and the Belgian firm NVISO Labs identified attacks whose main purpose was to locate vulnerable servers. According to Cisco Talos, the scanning attempts originated from a Russian host (wildkind[.]ru, 188.120.246[.]215). The researchers also saw attempts to deliver malware, but could not determine which payload was used; judging by earlier campaigns against Apache Struts, likely candidates are DDoS bots, spam bots and similar malicious programs.
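The scanning described above is the kind of traffic a defender can triage from request captures. The following is an added example (not code from the article, from Cisco Talos, or from the Struts project) of a heuristic detector: it relies on two facts about the bug, that the REST plugin hands XML bodies to XStream and that XStream maps XML element names and `class=` attributes to Java classes, so a legitimate REST payload names application data types while an attack payload names JDK classes. The package prefixes, the sample requests and the `/orders/...` paths are constructed for the example; it assumes you have a proxy or WAF capture that includes request bodies.

```python
"""Heuristic triage of captured HTTP requests for CVE-2017-9805 attempts.

Added example, not the article's or the Struts project's code. Assumes
request captures (path, Content-Type, body) from a proxy or WAF.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Bodies the REST plugin routes to its XML handler are selected either by the
# Content-Type header or by the ".xml" extension on the action path.
XML_CONTENT_TYPES = {"application/xml", "text/xml"}

# Element names / class= attributes naming JDK or framework classes instead of
# application types. The package list is an assumption; extend it for your stack.
CLASS_NAME = re.compile(
    r"^(java|javax|jdk|sun|com\.sun|org\.apache|org\.springframework)\."
)


def version_vulnerable(version: str) -> bool:
    """True for the 2.5 line before the fix (2.5.13), as the article states.
    The 2.3 line is covered by a separate release; check the Struts advisory."""
    parts = tuple(int(p) for p in version.split("."))
    return (2, 5) <= parts < (2, 5, 13)


def routed_to_xml_handler(path: str, content_type: str) -> bool:
    """Would the REST plugin deserialize this body as XML?"""
    mime = content_type.split(";")[0].strip().lower()
    return mime in XML_CONTENT_TYPES or path.split("?", 1)[0].lower().endswith(".xml")


def referenced_classes(root: ET.Element) -> List[str]:
    """Collect element tags and class= attributes that look like Java class names."""
    hits = []
    for el in root.iter():
        for candidate in (el.tag, el.attrib.get("class", "")):
            if candidate and CLASS_NAME.match(candidate):
                hits.append(candidate)
    return hits


def classify(path: str, content_type: str, body: str) -> Tuple[str, List[str]]:
    """Return (verdict, referenced class names) for one captured request."""
    if not routed_to_xml_handler(path, content_type):
        return "not-xml", []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "xml-unparseable", []  # XStream would reject it too
    hits = referenced_classes(root)
    if hits:
        return "suspect-deserialization", hits
    return "xml-benign", []


# Constructed samples. SUSPECT_BODY only has the shape of an XStream payload
# naming a JDK class; it is deliberately not a working gadget chain.
BENIGN_ORDER = "<order><id>42</id><item>book</item></order>"
SUSPECT_BODY = (
    "<map><entry>"
    "<java.lang.ProcessBuilder><command><string>whoami</string></command>"
    "</java.lang.ProcessBuilder>"
    "</entry></map>"
)
SAMPLE_REQUESTS = [
    ("/orders/42.xml", "application/xml", BENIGN_ORDER),
    ("/orders/42", "application/xml", SUSPECT_BODY),
    ("/orders/42.json", "application/json", '{"id": 42}'),
    ("/orders/42.xml", "text/plain", "<order><id>42"),
]


def scan(requests):
    """Classify every (path, content_type, body) capture."""
    return [(path, *classify(path, ct, body)) for path, ct, body in requests]


if __name__ == "__main__":
    for path, verdict, classes in scan(SAMPLE_REQUESTS):
        print(f"{verdict:24} {path}  {' '.join(classes)}")
```

Treat a `suspect-deserialization` verdict as a trigger to check the server's Struts version with `version_vulnerable()` and to look for follow-on activity, not as proof of compromise; the only real fix is the 2.5.13 upgrade.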
The Apache Struts developers fixed CVE-2017-9805 in version 2.5.13, which also addresses two less severe denial-of-service vulnerabilities (CVE-2017-9804, CVE-2017-9793). They also released version 2.3.34, which fixes another remote code execution vulnerability (CVE-2017-12611).