Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Scanning for Apache Struts Vulnerability CVE-2017-5638 - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Scanning for Apache Struts Vulnerability CVE-2017-5638

Over the past two weeks, I have noticed several attempts against my honeypot looking to exploit CVE-2017-5638 Apache Struts2 vulnerability that look very similar to this python script[2]. Today alone I recorded 57 attempts against port 80, 8080 and 443. T format of the queries I have observed over the past two weeks contain one of these two requests:

GET /index.action [2]

GET /verifylogin.do [4]

Our original diary was posted a year ago (March 2017) about this critical vulnerability where we recommend patching immediately. "It is also knowns as "Jakarta Struts" and "Apache Struts". The Apache project currently maintains Struts."[4] For additional information about this vulnerability, the original advisory is posted here.


[1] https://cwiki.apache.org/confluence/display/WW/S2-052
[2] https://github.com/r0otshell/Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638
[3] https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/703
[4] https://isc.sans.edu/forums/diary/Critical+Apache+Struts+2+Vulnerability+Patch+Now/22169/

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

418 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!