Apache Struts2 arbitrary code execution vulnerability

(S2-045, CVE-2017-5638)


Apache Struts is an open source MVC framework for building enterprise Java web applications, maintained by the Apache Software Foundation.

CVE Identifier

CVE-2017-5638

Introduction to Vulnerability

Struts uses the Jakarta multipart parser to handle file-upload requests, and it processes them improperly: a remote attacker who sends a request with a crafted, malicious Content-Type header can cause remote command execution.

In fact, in the default.properties file the struts.multipart.parser setting has two options, jakarta and pell (some versions also offer a third choice, cos). The jakarta parser is a standard component of the Struts 2 framework and is enabled by default, so the default configuration is exposed and the vulnerability should be treated as severe.

Affected Software

Struts 2.3.5 – Struts 2.3.31

Struts 2.5 – Struts 2.5.10

How to fix

If you are using the Jakarta-based file-upload Multipart parser, upgrade to Apache Struts 2.3.32 or 2.5.10.1; alternatively, switch to a different file-upload Multipart parser implementation.
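The two facts a defender needs from this advisory are the affected version ranges and whether the deployment still uses the default jakarta value of struts.multipart.parser. The following script is an added example, not part of the advisory or of the Struts project: it encodes only the ranges, fixed releases and setting named above, reads the parser choice from either a struts.properties line or a struts.xml constant element (the two forms it assumes; other ways of setting the constant are not handled), and reports whether a given version/configuration pair is affected. The sample configuration strings are constructed for the example.

```python
"""Assess a Struts 2 deployment against S2-045 (CVE-2017-5638).

Added example; not part of the original advisory or the Struts project.
Only facts from the advisory are encoded: affected ranges, fixed releases
and the struts.multipart.parser setting with its jakarta default.
"""
import re
from typing import Dict, Tuple

# Affected ranges as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),   # Struts 2.3.5 - 2.3.31
    ((2, 5), (2, 5, 10)),      # Struts 2.5   - 2.5.10
)
FIXED_VERSIONS = ("2.3.32", "2.5.10.1")
DEFAULT_PARSER = "jakarta"  # enabled by default in default.properties

# Assumed config forms: "struts.multipart.parser=pell" in struts.properties,
# or <constant name="struts.multipart.parser" value="pell"/> in struts.xml.
PROPERTY_RE = re.compile(r"^\s*struts\.multipart\.parser\s*=\s*(\S+)", re.M)
CONSTANT_RE = re.compile(
    r'<constant\s+name="struts\.multipart\.parser"\s+value="([^"]+)"'
)

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_PROPERTIES = "struts.multipart.parser=jakarta\nstruts.multipart.maxSize=2097152\n"
SAMPLE_XML = '<struts>\n  <constant name="struts.multipart.parser" value="pell"/>\n</struts>\n'


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); a suffix such as '-RC1' is ignored."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected_version(version: str) -> bool:
    """True when the version falls inside one of the advisory's ranges.

    Tuple comparison handles the patch release correctly: (2, 5, 10, 1)
    sorts after (2, 5, 10), so 2.5.10.1 is outside the 2.5 - 2.5.10 range.
    """
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def configured_parser(config_text: str) -> str:
    """Return the multipart parser named in the config, or the jakarta default."""
    match = PROPERTY_RE.search(config_text) or CONSTANT_RE.search(config_text)
    return match.group(1).strip() if match else DEFAULT_PARSER


def assess(version: str, config_text: str = "") -> Dict[str, object]:
    """Combine version range and parser choice into a single verdict."""
    parser = configured_parser(config_text)
    in_range = is_affected_version(version)
    vulnerable = in_range and parser == DEFAULT_PARSER
    if vulnerable:
        advice = (f"upgrade to {' or '.join(FIXED_VERSIONS)}, or switch "
                  "struts.multipart.parser away from jakarta")
    elif in_range:
        advice = (f"version is in the affected range but parser '{parser}' is not "
                  "jakarta; upgrading is still recommended")
    else:
        advice = "version is outside the affected ranges"
    return {"version": version, "parser": parser, "vulnerable": vulnerable,
            "advice": advice}


if __name__ == "__main__":
    for ver, cfg in (("2.5.10", SAMPLE_PROPERTIES), ("2.5.10", SAMPLE_XML),
                     ("2.3.32", SAMPLE_PROPERTIES)):
        print(assess(ver, cfg))
```

Run it with the version reported by the deployed struts2-core jar and the application's own struts.properties or struts.xml; a deployment that reports vulnerable is on an affected release with the default parser still in use, which is exactly the condition the fix section above addresses.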

Reference