Scanning for Apache Struts Vulnerability CVE-2017-5638
Over the past two weeks, I have noticed several attempts against my honeypot looking to exploit CVE-2017-5638 Apache Struts2 vulnerability that look very similar to this python script[2]. Today alone I recorded 57 attempts against port 80, 8080 and 443. T format of the queries I have observed over the past two weeks contain one of these two requests:
GET /index.action [2]
GET /verifylogin.do [4]
Our original diary was posted a year ago (March 2017) about this critical vulnerability where we recommend patching immediately. "It is also knowns as "Jakarta Struts" and "Apache Struts". The Apache project currently maintains Struts."[4] For additional information about this vulnerability, the original advisory is posted here.
[1] https://cwiki.apache.org/confluence/display/WW/S2-052
[2] https://github.com/r0otshell/Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638
[3] https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/703
[4] https://isc.sans.edu/forums/diary/Critical+Apache+Struts+2+Vulnerability+Patch+Now/22169/
-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
Comments