Scanning for Apache Struts Vulnerability CVE-2017-5638

Published: 2018-03-25
Last Updated: 2018-03-25 20:12:55 UTC
by Guy Bruneau (Version: 1)

Over the past two weeks, I have noticed several attempts against my honeypot looking to exploit the CVE-2017-5638 Apache Struts2 vulnerability that look very similar to this Python script [2]. Today alone I recorded 57 attempts against ports 80, 8080 and 443. The format of the queries I have observed over the past two weeks contains one of these two requests:

GET /index.action [2]

GET /verifylogin.do [4]

Our original diary was posted a year ago (March 2017) about this critical vulnerability where we recommend patching immediately. "It is also known as "Jakarta Struts" and "Apache Struts". The Apache project currently maintains Struts."[4] For additional information about this vulnerability, the original advisory is posted here.
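
A log triage sketch for the two request paths listed above, added as an example and not part of the original diary or the referenced script. It assumes access logs in Apache's vhost_combined layout (so the destination port is available); the function names, sample lines and addresses are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The two request paths reported in the diary.
PROBE_PATHS = {"/index.action", "/verifylogin.do"}

# Assumed log layout: Apache "vhost_combined"
# (vhost:port client ident user [time] "request" status bytes ...).
LINE_RE = re.compile(
    r'^\S+:(?P<port>\d+) (?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)

def find_probes(lines):
    """Return (src, port, method, path, status) for each request to a probe path."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable HTTP request line
        try:
            path = urlsplit(m["target"]).path
        except ValueError:
            continue  # malformed request target
        # Drop ";param" suffixes and fold case so trivially varied probes still count.
        path = path.split(";", 1)[0].lower()
        if path in PROBE_PATHS:
            hits.append((m["src"], int(m["port"]), m["method"], path, int(m["status"])))
    return hits

def summarize(hits):
    """Tally hits per destination port and per source address."""
    return Counter(h[1] for h in hits), Counter(h[0] for h in hits)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    'honeypot.example:80 198.51.100.23 - - [25/Mar/2018:10:02:11 +0000] "GET /index.action HTTP/1.1" 404 196 "-" "python-requests/2.18.4"',
    'honeypot.example:8080 198.51.100.23 - - [25/Mar/2018:10:02:12 +0000] "GET /verifylogin.do HTTP/1.1" 404 196 "-" "python-requests/2.18.4"',
    'honeypot.example:443 203.0.113.7 - - [25/Mar/2018:11:40:03 +0000] "GET /Index.action?id=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    'honeypot.example:80 192.0.2.50 - - [25/Mar/2018:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'honeypot.example:80 192.0.2.51 - - [25/Mar/2018:12:05:00 +0000] "GET /docs/index.action.bak HTTP/1.1" 404 196 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    by_port, by_src = summarize(find_probes(SAMPLE_LOG))
    print("hits per port:", dict(by_port))
    print("hits per source:", by_src.most_common())
```

On a server that does not run Struts, any hit on these paths is scan traffic; on one that does, the per-source tally helps separate scanners from regular clients.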


[1] https://cwiki.apache.org/confluence/display/WW/S2-052
[2] https://github.com/r0otshell/Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638
[3] https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/703
[4] https://isc.sans.edu/forums/diary/Critical+Apache+Struts+2+Vulnerability+Patch+Now/22169/

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
