Home > Vulnerability Database > CVE-2017-5638

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2017-5638

Date: March 10, 2017

Overview

Apache Struts is a widely used open source web framework for developing robust Java applications. Its affected versions are vulnerable to a remote code execution attack that can result in complete system compromises.

Details

The CVE-2017-5638 vulnerability exists because of how the Jakarta Multipart Parser, which is a component of the Apache Struts framework, mishandles Content-Type headers when uploading files. An attacker could exploit this flaw by sending a maliciously created Content-Type HTTP header in the request. Then, if the Jakarta Multipart Parser does not validate the file upload, an exception is thrown, which allows the perpetrator to perform remote code execution. The attacker could inject arbitrary commands in the Content-Type HTTP header, which gets executed on the susceptible servers—based on the privileges of the victim running the server. Authentication is not needed for an attacker to exploit this vulnerability.

Affected Environments

Apache Struts 2 2.3.x before 2.3.32 Apache Struts 2.5.x before 2.5.10.1

Remediation

Apply a Servlet filtering mechanism that validates Content-Type and gets rid of any requests with strange values, which are not matching multipart/form-data Apply a different implementation mechanism for the Multipart parser Do away with the File Upload Interceptor from the stack—you can just create your own custom stack and make it to be the default

Prevention

Upgrade to Apache Struts 2.3.32 or 2.5.10.1 Patch web servers with the latest software versions

Language: Java

Good to know:

10.0

Input Validation

CWE-20

Upgrade Version

Upgrade to version org.apache.struts:struts2-core:2.3.32,org.apache.struts:struts2-core:2.5.10.1

CVSS v3.1
CVSS v2

Base Score:	10.0
Attack Vector (AV):	Network
Attack Complexity (AC):	Low
Privileges Required (PR):	None
User Interaction (UI):	None
Scope (S):	Changed
Confidentiality (C):	High
Integrity (I):	High
Availability (A):	High

Base Score:	10.0
Access Vector (AV):	Network
Access Complexity (AC):	Low
Authentication (AU):	None
Confidentiality (C):	Complete
Integrity (I):	Complete
Availability (A):	Complete
Additional information:

Related Resources (37)

Url: https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/

Url: https://www.exploit-db.com/exploits/41614/

Url: https://isc.sans.edu/diary/22169

Url: https://cwiki.apache.org/confluence/display/WW/S2-046

Url: https://www.symantec.com/security-center/network-protection-security-advisories/SA145

Url: https://security.netapp.com/advisory/ntap-20170310-0001/

Url: https://nvd.nist.gov/vuln/detail/CVE-2017-5638

Url: https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us

Url: https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html

Url: https://struts.apache.org/docs/s2-046.html

Url: https://cwiki.apache.org/confluence/display/WW/S2-045

Url: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Url: https://support.lenovo.com/us/en/product_security/len-14200

Url: http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/

Url: https://github.com/rapid7/metasploit-framework/issues/8064

Url: https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E

Url: https://www.kb.cert.org/vuls/id/834067

Url: https://struts.apache.org/docs/s2-045.html

Url: http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html

Url: https://exploit-db.com/exploits/41570

Url: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt

Url: https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt

Url: https://github.com/mazen160/struts-pwn

Url: https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E

Url: https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228

Url: https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/

Url: https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us

Url: http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

Url: http://www.securitytracker.com/id/1037973

Url: https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a

Url: https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

Url: http://www.securityfocus.com/bid/96729

Url: https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us

Url: https://twitter.com/theog150/status/841146956135124993

Url: https://www.mend.io/vulnerability-database/CVE-2017-5638

Url: https://www.mend.io/resources/blog/apache-struts-spring-vulnerabilities

Url: https://www.mend.io/resources/blog/top-10-security-vulnerabilities-of-2017