Apache Struts2 arbitrary code execution vulnerability
(S2-045, CVE-2017-5638)
Apache Struts is an open source project maintained by the Apache Software Foundation, an open source MVC framework for creating enterprise Java Web applications.
CVE Identifier
CVE-2017-5638
Introduction to Vulnerability
Struts uses Jakarta to resolve file upload requests inappropriate when a remote attacker constructs a malicious Content-Type that could cause remote commands to execute.
In fact, in the default.properties file, struts.multipart.parser value has two options, namely jakarta and pell (another original also has a third choice cos). One of the jakarta parsers is a standard component of the Struts 2 framework. By default jakarta is enabled, so the severity of the vulnerability needs to be addressed.
Affected Software
Struts 2.3.5 – Struts 2.3.31
Struts 2.5 – Struts 2.5.10
How to fix
If you are using a file based on Jakarta to upload the Multipart parser, upgrade to Apache Struts 2.3.32 or 2.5.10.1; or you can also switch to a different implementation file to upload the Multipart parser.
Reference
