Security Advisory 2017-005

Release Date:

Critical Apache Struts 2 Framework Vulnerability

Download

History:

  • 09/03/2017 --- v1.0: Initial publication

Summary

On March 6, 2017, it has been reported that a remote code execution is possible via Apache Struts 2 framework, when performing file upload based on Jakarta multipart parser. There have been several exploits in the wild already reported [1], with some of them actually published publicly on Internet.

The fact that several experts have assessed this vulnerability as easy to exploit explains its popularity [2, 3]. This is also the reason, why it is recommended to upgrade to a patched version as soon as possible.

Technical Details

This vulnerability allows an attacker to send commands to the server running an unpatched version of Apache Struts 2 framework that will be executed with the privileges of the user running the service. According to the Apache documentation [1], this is possible by using a malicious Content-Type value.

This vulnerability has been assigned the number: CVE-2017-5638

Vulnerable Systems

  • Apache Struts 2.3.5 - 2.3.31,
  • Apache Struts 2.5 - 2.5.10.

Recommendation

Upgrade as soon as possible to Apache Struts 2.3.32 or Apache Struts 2.5.10.1

As a workaround, it is also possible to implement a servlet filter, which will validate Content-Type and throw away requests with suspicious values not matching multipart/form-data.

References

[1] Apache Org --- https://cwiki.apache.org/confluence/display/WW/S2-045

[2] ArsTechnica --- https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites

[3] Cisco --- http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.