If you’re running web applications on the Internet, then you’re almost certainly seeing probes for the Struts 2 vulnerability (CVE-2017-5638). These attacks started within hours of the vulnerability being released, and we continue to see widespread probes with dangerous payloads in the first request. They all look something like this…
This attack is extremely dangerous. The attacker is taking advantage of how Struts 2 handles malformed Content-Type headers. They are included in an error message that is evaluated as an OGNL expression. This gives any unauthenticated attacker the ability to run arbitrary code on your server. In this case, the underlying payload is written in Perl and downloaded from the Internet. An IRC channel is used for command and control.
Contrast Security is just like you, and we are seeing these attacks against our servers too. Since the announcement last month, we have been blocking attacks numerous times, every day, from places like Hong Kong, Shandong, Bangalore, and many other places around the world.
As I sit and watch these attacks happening, I can’t help but feel all warm and cozy inside. Contrast automatically detects and blocks attacks like Struts 2 and other vulnerabilities in open source components. Contrast also blocks bots, manual attacks, even attacks against totally unknown vulnerabilities in your applications.
I want to help you with your application security program. You don’t have to live with ‘solutions’ cobbled together from a variety of tools that are more work than they’re worth. There is no reason why you shouldn’t be able to instantly:
- Block application attacks
- Know exactly who is attacking you, how they’re attacking, and what they’re targeting
- Deploy runtime protection for new vulnerabilities automatically
- Pinpoint applications and servers that are running vulnerable libraries
If you’d like to know more, let me know and we can talk.