{ "file_item": { "filepath": "security-advisories", "filename": "CERT-EU-SA2017-005.pdf" }, "title": "Critical Apache Struts 2 Framework Vulnerability", "serial_number": "2017-005", "publish_date": "09-03-2017 13:30:00", "description": "Remote code execution is possible via Apache Struts 2 framework, when performing file upload based on Jakarta multipart parser. There are already several exploits in the wild (CVE-2017-5638).", "url_title": "2017-005", "content_markdown": "---\ntitle: 'Critical Apache Struts 2 Framework Vulnerability'\nversion: '1.0'\nnumber: '2017-005'\ndate: 'March 9, 2017'\n---\n\n_History:_\n\n* _09/03/2017 --- v1.0: Initial publication_\n\n# Summary\n\nOn March 6, 2017, it has been reported that a remote code execution is possible via Apache Struts 2 framework, when performing file upload based on Jakarta multipart parser. There have been several exploits in the wild already reported [1], with some of them actually published publicly on Internet.\n\nThe fact that several experts have assessed this vulnerability as easy to exploit explains its popularity [2, 3]. This is also the reason, why it is recommended to upgrade to a patched version as soon as possible.\n\n# Technical Details\n\nThis vulnerability allows an attacker to send commands to the server running an unpatched version of Apache Struts 2 framework that will be executed with the privileges of the user running the service. According to the Apache documentation [1], this is possible by using a malicious `Content-Type` value.\n\nThis vulnerability has been assigned the number: CVE-2017-5638\n\n# Vulnerable Systems\n\n* Apache Struts 2.3.5 - 2.3.31,\n* Apache Struts 2.5 - 2.5.10.\n\n# Recommendation\n\nUpgrade as soon as possible to Apache Struts 2.3.32 or Apache Struts 2.5.10.1\n\nAs a workaround, it is also possible to implement a servlet filter, which will validate `Content-Type` and throw away requests with suspicious values not matching multipart/form-data.\n\n# References\n\n[1] Apache Org --- \n\n[2] ArsTechnica --- \n\n[3] Cisco --- \n", "content_html": "

History:

  • 09/03/2017 --- v1.0: Initial publication

Summary

On March 6, 2017, it has been reported that a remote code execution is possible via Apache Struts 2 framework, when performing file upload based on Jakarta multipart parser. There have been several exploits in the wild already reported [1], with some of them actually published publicly on Internet.

The fact that several experts have assessed this vulnerability as easy to exploit explains its popularity [2, 3]. This is also the reason, why it is recommended to upgrade to a patched version as soon as possible.

Technical Details

This vulnerability allows an attacker to send commands to the server running an unpatched version of Apache Struts 2 framework that will be executed with the privileges of the user running the service. According to the Apache documentation [1], this is possible by using a malicious Content-Type value.

This vulnerability has been assigned the number: CVE-2017-5638

Vulnerable Systems

  • Apache Struts 2.3.5 - 2.3.31,
  • Apache Struts 2.5 - 2.5.10.

Recommendation

Upgrade as soon as possible to Apache Struts 2.3.32 or Apache Struts 2.5.10.1

As a workaround, it is also possible to implement a servlet filter, which will validate Content-Type and throw away requests with suspicious values not matching multipart/form-data.

References

[1] Apache Org --- https://cwiki.apache.org/confluence/display/WW/S2-045

[2] ArsTechnica --- https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites

[3] Cisco --- http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

", "licence": { "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)", "link": "https://creativecommons.org/licenses/by/4.0/", "restrictions": "https://cert.europa.eu/legal-notice", "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies" } }