A remote code execution flaw in a widely used web application development tool is being actively exploited to run arbitrary commands on servers, and to install malicious programs.

Struts 2 is a coding framework and library for enterprise developers writing Java applications. It comes bundled as a Java Archive (JAR) file.
The vulnerability exists in the Jakarta multipart parser and enables remote code execution when an attacker places a malicious value in the HTTP Content-Type header.
Apache rates the flaw, which has been assigned the Common Vulnerabilities and Exposures identifier CVE-2017-5638, as having a 'high' security impact.
Cisco's Talos threat research group said it has observed multiple attacks, ranging from running simple commands remotely on servers to downloading and executing Linux binaries.
Struts versions 2.3.5 to 2.3.31 and Struts 2.5 to 2.5.10 are vulnerable. Users are advised to patch to Struts 2.3.32 or 2.5.10, depending on the branch they follow.
However, the Struts remote code execution flaw could still hang around the internet for a long time to come.
Apps that are developed with a vulnerable version of Struts have to be recompiled with the fixed variant. Alternatively, systems administrators may want to filter out malicious Content-Type headers before they reach vulnerable servers.
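
One way to apply the header filtering mentioned above, as an added example that is not from the original article or from Apache: a strict allowlist check that a proxy or gateway could run on each Content-Type value before forwarding the request. The allowed media types, length cap, parameter grammar and sample values are assumptions constructed for illustration.

```python
import re

# Assumption: media types this application is expected to receive.
ALLOWED_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "application/json",
    "text/plain",
}
MAX_LEN = 256  # assumption: generous cap for a legitimate header value

# Conservative parameter grammar (narrower than the HTTP spec): name=value or
# name="value", using characters seen in charsets and browser boundaries.
PARAM_RE = re.compile(
    r'([A-Za-z][A-Za-z0-9\-]{0,31})=("?)([A-Za-z0-9._+/\-]{1,70})\2'
)


def check_content_type(value):
    """Return (allowed, reason) for one Content-Type header value."""
    if value is None:
        return True, "absent"  # requests without a body carry no header
    if len(value) > MAX_LEN:
        return False, "too long"
    media_type, *params = [part.strip() for part in value.split(";")]
    if media_type.lower() not in ALLOWED_TYPES:
        return False, "media type not in allowlist"
    for param in params:
        if not PARAM_RE.fullmatch(param):
            return False, "malformed parameter"
    return True, "ok"


# Constructed sample values (not taken from real traffic).
SAMPLES = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/json; charset=utf-8",
    'text/plain; charset="UTF-8"',
    "(constructed-malformed-value).multipart/form-data",
    "multipart/form-data; boundary={constructed-malformed-value}",
    "multipart/form-data; x=" + "A" * 300,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        allowed, reason = check_content_type(sample)
        print("PASS " if allowed else "BLOCK", reason, "|", sample[:60])
```

Because the check accepts only known-good values rather than matching known-bad patterns, it does not depend on the exact form of the malicious header; blocked requests should be logged so that exploitation attempts remain visible.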