Apache Struts 2 Vulnerability Leads to Remote Code Execution (CVE-2017-5638)
by CIRT Team
Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
Impact: This vulnerability allows for unauthenticated, remote code execution on the server.
Mitigation:
- Upgrade to Struts 2.3.32 or Struts 2.5.10.1
- Until the upgrade is applied, implement a Servlet filter, mapped ahead of the Struts 2 filter, that validates the Content-Type header and rejects (HTTP 400) any request whose value is not a well-formed media type; file uploads must begin with multipart/form-data. Check the prefix, not a substring: the vulnerable code path is taken whenever the header merely contains the string multipart/form-data, so a crafted header can satisfy a contains() test while still carrying the #cmd= payload.
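The following is an added example, not code from this advisory or from the Apache Struts project, of the filter the second mitigation describes. It allow-lists syntactically valid media types (RFC 7230 token grammar for type, subtype and parameters) and fails closed on anything else, including any header carrying OGNL expression markers, before the Struts 2 filter ever sees the request. Class and constant names are my own; it assumes the javax.servlet 3.x API and that the filter is registered in web.xml before the Struts filter-mapping. The sample headers in main() are constructed for the check, not captured traffic.

```java
// Added example, not code from the advisory or from Apache Struts: a strict
// Content-Type allow-list filter in the spirit of the S2-045 workaround.
// Assumes the Servlet 3.x API (javax.servlet) and that the filter is mapped
// in web.xml ahead of the Struts 2 filter so it runs first.
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class StrictContentTypeFilter implements Filter {

    // type and subtype: a conservative subset of the RFC 7230 "token" grammar
    private static final String TYPE_TOKEN = "[A-Za-z0-9][A-Za-z0-9.+_-]*";
    // parameter values: an RFC 7230 token, or a quoted-string without raw quotes
    // or control characters (browser boundaries such as ----WebKitFormBoundary...
    // are plain tokens)
    private static final String PARAM_TOKEN = "[A-Za-z0-9!#$%&'*+.^_`|~-]+";
    private static final String QUOTED = "\"[^\"\\x00-\\x1F\\x7F]*\"";
    private static final Pattern MEDIA_TYPE = Pattern.compile(
            "^" + TYPE_TOKEN + "/" + TYPE_TOKEN
            + "(?:\\s*;\\s*" + TYPE_TOKEN + "\\s*=\\s*(?:" + PARAM_TOKEN + "|" + QUOTED + "))*"
            + "\\s*;?\\s*$");

    // Defence in depth: OGNL expression markers have no business in this header.
    private static final Pattern OGNL_MARKERS = Pattern.compile("%\\{|\\$\\{|\\(#");

    // A header far longer than any sane media type is rejected without regex matching.
    private static final int MAX_HEADER_LENGTH = 512;

    /** Returns true only for a syntactically valid media type with no OGNL markers. */
    static boolean isAcceptableContentType(String contentType) {
        if (contentType.length() > MAX_HEADER_LENGTH) {
            return false;
        }
        if (OGNL_MARKERS.matcher(contentType).find()) {
            return false;
        }
        return MEDIA_TYPE.matcher(contentType).matches();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        String contentType = req.getHeader("Content-Type");
        // Requests without a body (GET, HEAD) carry no Content-Type; let them pass.
        if (contentType != null && !isAcceptableContentType(contentType)) {
            // Fail closed before Struts' multipart handling sees the header,
            // and do not echo the offending value back to the client.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Unsupported Content-Type");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    // Constructed sample headers for a quick self-check; not captured traffic.
    public static void main(String[] args) {
        String[] accepted = {
                "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
                "multipart/form-data; boundary=\"=_Part_12_345.678\"",
                "application/x-www-form-urlencoded",
                "application/json; charset=UTF-8",
        };
        String[] rejected = {
                // the #cmd= style header from the advisory, reduced to its shape
                "%{(#cmd='id')}",
                // contains "multipart/form-data" but does not start with a media type
                "foo %{'multipart/form-data'}",
                "multipart/form-data; boundary={bad}",
                "",
        };
        for (String h : accepted) {
            System.out.println((isAcceptableContentType(h) ? "PASS " : "FAIL ") + h);
        }
        for (String h : rejected) {
            System.out.println((isAcceptableContentType(h) ? "FAIL " : "PASS ") + h);
        }
    }
}
```

Register it in web.xml with a filter-mapping for /* that appears before the Struts 2 filter-mapping; filters run in the order their mappings are declared, and the check is worthless if Struts parses the request first. The filter is a stopgap only: it narrows the attack surface of the Jakarta parser but does not fix it, so the upgrade in the first mitigation remains the actual remediation.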
Reference URLs:
- https://cwiki.apache.org/confluence/display/WW/S2-045
- https://security.berkeley.edu/news/critical-apache-struts-2x-vulnerability-cve-2017-5638
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
- http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
- https://security-tracker.debian.org/tracker/CVE-2017-5638