In the wake of the massive data breach at Equifax, which the company has attributed to a vulnerability in the Apache Struts framework, Cisco has launched an investigation into which of its products use this popular open-source web application framework and are therefore exposed. The move follows the Apache Software Foundation's disclosure of several critical Struts vulnerabilities, including two that allow remote code execution.

Apache Struts is a widely used open-source MVC framework for building Java web applications. It is reportedly in use at 65 percent of Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and even the IRS. The newly disclosed flaws therefore touch a very large installed base, and because at least one of them is already being exploited in the wild, remediation should not wait.

Reports indicate that a Struts vulnerability was the entry point used to compromise the personal data of roughly 143 million consumers at Equifax; the company has since identified it as CVE-2017-5638, a flaw patched back in March. Cisco's investigation covers products including the Cisco Digital Media Manager, the MXE 3500 Series Media Experience Engines, and several collaboration and contact center products, all of which Cisco has confirmed are affected by the newly disclosed flaws.

Cisco has also started testing the rest of its product line against the new batch of Struts 2 vulnerabilities, among them CVE-2017-9805, the flaw highlighted in Apache's latest security bulletin. The earlier remote code execution flaw CVE-2017-5638, which has been under active exploitation since March, is not part of this assessment; Cisco dealt with it in a separate advisory published at that time.

The most serious of the newly disclosed issues is CVE-2017-9805, a remote code execution flaw in the Struts REST plugin. The plugin uses the XStream library to deserialize XML request bodies without restricting which classes may be instantiated, so an unauthenticated attacker who can reach a REST action can send a crafted XML document that executes arbitrary code with the privileges of the application server process. Apache fixed the issue in Struts 2.3.34 and 2.5.13. Cisco's Talos threat intelligence team reports that it is already seeing exploitation attempts against the flaw in the wild.

Security researchers at Imperva have likewise detected and blocked thousands of attempts to exploit CVE-2017-9805, a significant share of them trying to deliver malicious payloads rather than merely probing. Most of the attacks originated from China, and a notable fraction came from a single IP address associated with a Chinese e-commerce firm.
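The exploitation attempts that Talos and Imperva describe share one shape: a POST or PUT to a REST action whose XML body names JDK or library classes that no legitimate client would send, because XStream instantiates whatever the XML names. The following is an added example, not code from the article, Cisco, Talos or Imperva, of a log-scanning heuristic built on that observation. The log line format, the indicator class list and the sample traffic are all assumptions constructed for the example; the two attacker lines contain only class-name fragments, not a working payload.

```python
"""
Added example: heuristic scan of web-request log lines for CVE-2017-9805
(Struts 2 REST plugin / XStream deserialization) exploitation attempts.
Not code from the article or from Cisco, Talos or Imperva.
"""
import re
from typing import Dict, List

# Class names typically present in XStream gadget-chain payloads.
# Assumed indicator set for illustration; extend it from your own IR data.
GADGET_INDICATORS = (
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "jdk.nashorn.internal.objects.NativeString",
    "com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
    "javax.imageio.ImageIO$ContainsFilter",
    "org.apache.commons.collections",
)

# Assumed log format: <client_ip> <method> <path> "<content-type>" <request body>
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<ctype>[^"]*)" (?P<body>.*)$'
)


def classify(line: str) -> Dict[str, object]:
    """Return a verdict for one log line: benign, xml_post, exploit_attempt or unparsed."""
    m = LOG_RE.match(line)
    if not m:
        return {"verdict": "unparsed", "src": None, "path": None, "indicators": []}
    body = m["body"]
    # The REST plugin picks the XML handler from the Content-Type header or
    # from a .xml path extension, so check both, plus the body itself.
    looks_xml = (
        "xml" in m["ctype"].lower()
        or m["path"].lower().endswith(".xml")
        or body.lstrip().startswith("<")
    )
    writes_body = m["method"].upper() in ("POST", "PUT")
    hits = [g for g in GADGET_INDICATORS if g in body]
    if writes_body and looks_xml and hits:
        verdict = "exploit_attempt"
    elif writes_body and looks_xml:
        verdict = "xml_post"  # legitimate XML REST traffic; worth baselining
    else:
        verdict = "benign"
    return {"verdict": verdict, "src": m["src"], "path": m["path"], "indicators": hits}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    return [classify(line) for line in lines]


def suspicious_sources(lines: List[str]) -> List[str]:
    """Distinct client IPs that sent at least one payload classified as an exploit attempt."""
    return sorted({r["src"] for r in scan(lines) if r["verdict"] == "exploit_attempt"})


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 POST /struts2-rest-showcase/orders/3 "application/xml" '
    '<map><entry><jdk.nashorn.internal.objects.NativeString>...<java.lang.ProcessBuilder>...',
    '198.51.100.20 GET /struts2-rest-showcase/orders "" -',
    '198.51.100.21 POST /struts2-rest-showcase/orders/3 "application/xml" '
    '<order><clientName>Bob</clientName><total>100</total></order>',
    '203.0.113.7 POST /struts2-rest-showcase/orders/5.xml "text/plain" '
    '<map><entry><java.lang.ProcessBuilder>...',
    '192.0.2.9 POST /struts2-rest-showcase/orders "application/json" {"clientName":"Alice"}',
]

if __name__ == "__main__":
    for result in scan(SAMPLE_LOG):
        print(result["verdict"], result["src"], result["path"], result["indicators"])
    print("sources to block or investigate:", suspicious_sources(SAMPLE_LOG))
```

Two design points matter in practice. First, the check on the `.xml` path extension is there because the REST plugin does not rely on the Content-Type header alone, so an attacker can send the payload with a misleading content type; a rule keyed only on `application/xml` misses that. Second, string matching on class names is a detection of known payload families, not of the vulnerability: a WAF signature like this buys time, but only upgrading to a fixed Struts release removes the exposure.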

The remaining vulnerabilities in the batch, CVE-2017-9793 and CVE-2017-9804, are less severe but still matter: both allow an unauthenticated remote attacker to trigger a denial-of-service condition on an affected system. CVE-2017-9793 is another issue in the REST plugin's XStream handling, while CVE-2017-9804 lies in the framework's URLValidator. Both are fixed in the same Struts releases, 2.3.34 and 2.5.13.

Although Apache has already shipped fixed versions of Struts, Cisco has not yet released patched software for any of the affected products. The company says updates are forthcoming and will be tracked through the Cisco Bug Search Tool, which customers should monitor for the bug IDs attached to the advisory.

Given how widely Apache Struts is deployed among large enterprises, organizations should inventory their applications and appliances for the framework now, upgrade to Struts 2.3.34 or 2.5.13 (or later) where they control the code, and watch for vendor updates where they do not. In MITRE ATT&CK terms this class of attack is Exploit Public-Facing Application (T1190) under Initial Access. Once the attacker has code execution inside the application server, everything that follows runs with that process's privileges, so running Struts applications under a least-privilege service account and alerting on unusual child processes of the servlet container limits what a successful exploit can achieve.
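The inventory step is the one most organizations stumble on, because Struts is usually buried in a `WEB-INF/lib` directory rather than installed as a package. The following is an added example, not Cisco's or Apache's code, that maps a Struts 2 version to the 2017 advisories it is still exposed to and runs that check over struts2-core jar file names found on a host. The last-affected versions are taken from the Apache bulletins S2-045 (CVE-2017-5638, fixed in 2.3.32 and 2.5.10.1) and S2-050, S2-051 and S2-052 (CVE-2017-9804, CVE-2017-9793 and CVE-2017-9805, all fixed in 2.3.34 and 2.5.13); the lower bounds of the affected ranges are deliberately ignored, so very old 2.x releases are flagged conservatively. The jar names and paths are constructed, and the scan goes slightly beyond the article by covering all four CVEs at once.

```python
"""
Added example: map an Apache Struts 2 version to the 2017 advisories it is
still exposed to, and apply it to struts2-core jar names found on a host.
Not code from the article, Cisco or Apache.
"""
import os
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# cve -> (last affected release on the 2.3 line, last affected release on the 2.5 line)
LAST_AFFECTED: Dict[str, Tuple[str, str]] = {
    "CVE-2017-5638": ("2.3.31", "2.5.10"),  # S2-045, fixed in 2.3.32 / 2.5.10.1
    "CVE-2017-9793": ("2.3.33", "2.5.12"),  # S2-051, fixed in 2.3.34 / 2.5.13
    "CVE-2017-9804": ("2.3.33", "2.5.12"),  # S2-050, fixed in 2.3.34 / 2.5.13
    "CVE-2017-9805": ("2.3.33", "2.5.12"),  # S2-052, fixed in 2.3.34 / 2.5.13
}

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(s: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison orders 2.5.10.1 after 2.5.10."""
    return tuple(int(p) for p in s.split("."))


def exposures(version: str) -> List[str]:
    """CVE identifiers the given Struts 2 version is still affected by, sorted."""
    v = parse_version(version)
    if v[:1] != (2,):
        return []  # Struts 1.x is a different code base and out of scope here
    on_25_line = v[:2] >= (2, 5)
    found = []
    for cve, (last_23, last_25) in LAST_AFFECTED.items():
        last = parse_version(last_25 if on_25_line else last_23)
        if v <= last:
            found.append(cve)
    return sorted(found)


def scan_jar_names(names: List[str]) -> Dict[str, List[str]]:
    """Report per struts2-core jar; other jars are ignored."""
    report: Dict[str, List[str]] = {}
    for name in names:
        m = JAR_RE.search(name)
        if m:
            report[name] = exposures(m.group(1))
    return report


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a deployment directory (for example a Tomcat webapps tree) for struts2-core jars."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_jar_names(paths)


# Constructed sample: jars one might find in WEB-INF/lib across several webapps.
SAMPLE_JARS = [
    "/opt/tomcat/webapps/orders/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/tomcat/webapps/orders/WEB-INF/lib/xwork-core-2.3.32.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/fixed/WEB-INF/lib/struts2-core-2.5.13.jar",
]

if __name__ == "__main__":
    for jar, cves in scan_jar_names(SAMPLE_JARS).items():
        print(jar, "->", ", ".join(cves) if cves else "not affected by these advisories")
```

Read the output with two caveats. A vulnerable struts2-core version is only exploitable via CVE-2017-9805 or CVE-2017-9793 if the REST plugin (struts2-rest-plugin) is also deployed, so the jar list should be checked for that as well; and jars that have been shaded, renamed or bundled into an uber-jar will not match the filename pattern, in which case the `Implementation-Version` in the jar's manifest is the next place to look. For Cisco appliances, where the filesystem is not exposed, the vendor advisory and the Bug Search Tool remain the authoritative source.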
