Apache Struts2 arbitrary code execution vulnerability

(S2-045, CVE-2017-5638)


Apache Struts is an open source MVC framework for building enterprise Java web applications, maintained by the Apache Software Foundation.

CVE Identifier

CVE-2017-5638

Introduction to Vulnerability

Struts handles file upload requests through its Jakarta-based multipart parser, which processes the request's Content-Type header improperly: a remote attacker who sends a crafted Content-Type value can cause remote command execution on the server.

In the default.properties file, the struts.multipart.parser setting has two options, jakarta and pell (another version also offers a third option, cos). The jakarta parser is a standard component of the Struts 2 framework and is enabled by default, so most deployments are exposed and the vulnerability must be treated as severe.
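Because the vulnerable code path is the multipart parser's handling of the Content-Type header, a defender can triage upload requests by checking whether that header is a plain, well-formed MIME type. The following is an added example (not code from the Struts project or the original advisory); it assumes a crafted header carries an embedded expression such as `%{...}` or `${...}`, and the log format and all log lines are constructed for the demonstration.

```python
import re

# Allow-list grammar for a legitimate Content-Type value: "type/subtype"
# followed by optional ";name=value" parameters. The character class is the
# HTTP token set, which deliberately excludes "%", "{" and "}", so any header
# carrying an embedded expression fails to match.
_TOKEN = r"[A-Za-z0-9!#$&'*+.^_`|~-]+"
_PARAM = r";\s*" + _TOKEN + r"=(?:\"[^\"]*\"|" + _TOKEN + r")"
_CONTENT_TYPE = re.compile(r"^" + _TOKEN + r"/" + _TOKEN + r"(?:" + _PARAM + r")*\s*$")

# Explicit markers of an expression embedded in the header value.
_INJECTION_MARKERS = ("%{", "${")


def is_suspicious_content_type(value: str) -> bool:
    """Return True when the header does not look like a plain MIME type."""
    value = value.strip()
    if any(marker in value for marker in _INJECTION_MARKERS):
        return True
    return _CONTENT_TYPE.match(value) is None


# Constructed access-log excerpt (hypothetical format: client, method, path,
# then the request's Content-Type in quotes). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 POST /upload.action content-type="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
10.0.0.6 POST /upload.action content-type="%{(#constructed='not a real payload')}"
10.0.0.7 POST /api/data content-type="application/json"
10.0.0.8 POST /upload.action content-type="multipart/form-data; boundary=x; ${#bogus}"
"""

_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ content-type="([^"]*)"')


def triage_log(text: str) -> list[tuple[str, str]]:
    """Return (client, content_type) for every request whose header fails the check."""
    flagged = []
    for line in text.splitlines():
        m = _LOG_LINE.match(line)
        if m and is_suspicious_content_type(m.group(2)):
            flagged.append((m.group(1), m.group(2)))
    return flagged


if __name__ == "__main__":
    for client, header in triage_log(SAMPLE_LOG):
        print(f"suspicious Content-Type from {client}: {header!r}")
```

The allow-list approach flags malformed headers regardless of the exact expression used, which makes it a more durable triage rule than matching specific payload strings.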

Affected Software

Struts 2.3.5 – Struts 2.3.31

Struts 2.5 – Struts 2.5.10

How to fix

If you are using the Jakarta-based multipart parser for file uploads, upgrade to Apache Struts 2.3.32 or the fixed release of the 2.5 branch; alternatively, switch to a different multipart parser implementation for file uploads.