I've upgraded to Struts 2.3.32.
Our site is still getting bombarded with S2-045 attacks.

The application logs are filled with stack traces from these. I noticed
that one request is often generating two stack traces. The first is
expected and the second isn't.

First exception (with most of the attack crap obscured):
2017-05-16 06:18:22,022 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
    at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:948)
    at org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:310)
    at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:334)
    at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parseRequest(JakartaMultiPartRequest.java:192)
    at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.processUpload(JakartaMultiPartRequest.java:131)
    at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parse(JakartaMultiPartRequest.java:92)
    at org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper.<init>(MultiPartRequestWrapper.java:84)
    at org.apache.struts2.dispatcher.Dispatcher.wrapRequest(Dispatcher.java:849)
    ...

Second exception:
2017-05-16 06:18:22,024 WARN  org.apache.struts2.dispatcher.Dispatcher:68 - Could not find action or result: /index.action
No result defined for action com.opensymphony.xwork2.ActionSupport and result input - action - file:/xxx/webapps/Resolution/webroot/WEB-INF/classes/struts.xml:24:26
    at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:374)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:276)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:265)
    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:76)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:138)
    at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.google.inject.struts2.Struts2Factory$ProvidedInterceptor.intercept(Struts2Factory.java:216)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    ...

In the Tomcat access logs I see a "GET /index.action HTTP/1.1" but this
doesn't log headers etc. so I don't have the full request (with all the
attack code).

My app doesn't have a "/index.action" but it does have a catchAll [ action
name="*" ] which normally works but apparently not in this scenario.

I'm not able to reproduce this on my development machine.

Is anyone else seeing similar things happening?
Is there anything here to worry about?
Any changes I should be making?


Greg
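As an added example (not from Greg's post or from Struts itself), here is a small Python triage script that reads the application log in the layout shown above, flags the multipart parse failures whose Content-Type header carries the OGNL markers visible in the first stack trace (`%{` and `OgnlContext`), and pairs each one with a "Could not find action or result" warning that follows within a short window, so the two-traces-per-request pattern can be counted rather than eyeballed. The log lines are constructed samples in the same layout as the post (payload obscured the same way); the one-second pairing window is an assumed heuristic, since the log4j lines carry no thread or request id to correlate on.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample in the layout of the post's log4j output. The OGNL
# payload is obscured with X's exactly as in the post; nothing here is real traffic.
SAMPLE_LOG = """\
2017-05-16 06:18:22,022 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).XXXXXXXX}
    at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:948)
2017-05-16 06:18:22,024 WARN  org.apache.struts2.dispatcher.Dispatcher:68 - Could not find action or result: /index.action
No result defined for action com.opensymphony.xwork2.ActionSupport and result input - action - file:/xxx/webapps/Resolution/webroot/WEB-INF/classes/struts.xml:24:26
    at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:374)
2017-05-16 06:20:01,500 WARN org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest:68 - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is text/plain
2017-05-16 06:25:10,000 WARN  org.apache.struts2.dispatcher.Dispatcher:68 - Could not find action or result: /nothere.action
"""

# "<timestamp> <LEVEL> <logger> - <message>"; continuation lines belong to the previous entry.
ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+)\s+(\S+) - (.*)$")
CONTENT_TYPE = re.compile(r"content type header is (.*)")
# OGNL expression markers as they appear in the post's first stack trace.
OGNL_MARKERS = ("%{", "OgnlContext")


@dataclass
class LogEntry:
    ts: datetime
    level: str
    logger: str
    message: str  # first line of the entry
    body: str     # exception text and stack frames that follow


def parse_entries(text: str) -> List[LogEntry]:
    """Group a log4j-style log into entries, one per timestamped line."""
    entries: List[LogEntry] = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            entries.append(LogEntry(ts, m.group(2), m.group(3), m.group(4), ""))
        elif entries:
            entries[-1].body += line + "\n"
    return entries


def content_type_of(entry: LogEntry) -> Optional[str]:
    """The Content-Type value that commons-fileupload echoed into the exception message."""
    m = CONTENT_TYPE.search(entry.body)
    return m.group(1).strip() if m else None


def is_multipart_parse_failure(entry: LogEntry) -> bool:
    return "JakartaMultiPartRequest" in entry.logger and "Unable to parse request" in entry.message


def is_ognl_injection_attempt(entry: LogEntry) -> bool:
    """A multipart parse failure whose Content-Type contains an OGNL expression marker."""
    if not is_multipart_parse_failure(entry):
        return False
    ct = content_type_of(entry)
    return ct is not None and any(marker in ct for marker in OGNL_MARKERS)


def is_missing_action(entry: LogEntry) -> bool:
    return "Could not find action or result" in entry.message


def summarize(text: str, window: timedelta = timedelta(seconds=1)) -> dict:
    """Count attempts and pair each with the 'missing action' warning that follows it (assumed window)."""
    entries = parse_entries(text)
    attempts = [e for e in entries if is_ognl_injection_attempt(e)]
    benign = [e for e in entries if is_multipart_parse_failure(e) and not is_ognl_injection_attempt(e)]
    missing = [e for e in entries if is_missing_action(e)]
    unmatched = set(range(len(missing)))
    paired = 0
    for attempt in attempts:
        for i, m in enumerate(missing):
            if i in unmatched and timedelta(0) <= m.ts - attempt.ts <= window:
                paired += 1
                unmatched.discard(i)
                break
    return {
        "ognl_attempts": len(attempts),
        "benign_multipart_failures": len(benign),
        "attempts_with_followup": paired,
        "unexplained_missing_action": len(unmatched),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The "content type header is" text is the one place the application log preserves the offending header, so keying on it sidesteps the gap Greg describes in the Tomcat access log; if the full header is wanted there as well, Tomcat's AccessLogValve pattern accepts `%{Content-Type}i` to write that incoming header into each access-log line. The `unexplained_missing_action` count separates the second warning that rides on an attack from ordinary "no such action" noise, which is the distinction needed to tell whether the catch-all mapping is misbehaving on its own.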
