Information regarding a severe vulnerability found in Apache Struts was revealed last week. A proof of concept of the vulnerability was also published publicly along with the vulnerability’s details. Since then, it seems that malicious attackers have set out to repeatedly exploit the vulnerability to remotely install a cryptocurrency mining software on users’ devices and steal cryptocurrency through the exploit. The vulnerability has been allotted the CVE identification label CVE-2018-11776.
This behavior was first spotted by the security and data protection IT company, Volexity, and since its discovery, the rate of exploits has been increasing rapidly, drawing attention to the critical severity of the Apache Struts vulnerability. The company released the following statement on the issue: “Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses 220.127.116.11 and 18.104.22.168.”
With such high profile web application platforms and services such as Apache Struts, immediate reaction to vulnerabilities discovered as well as sufficient and effective patching of concerns is of the essence. When the vulnerability was initially discovered last week, users who brought it forward with proofs of concept on many different platforms urged the administrators of their respective platforms as well as the product’s vendor to take immediate action to protect users’ data and services. Notable data theft incidents have occurred in the past which have been exploitable due to untimely patching and update.
The Apache Software Foundation has asked users to update their Struts to versions 2.3.35 for the 2.3.x series and 2.5.17 for the 2.5.x series, respectively, to mitigate the risks posed by this vulnerability. Both updates are available on the firm’s website. The major internal changes made to both updates include the mitigation of a possible remote code execution lending itself to exploit due to no namespace, no wildcard, and no value URL issues. In addition to this, the updates are said to bring “critical overall proactive security improvements” as well.