Vulnerability Note VU#834067
Apache Struts 2 is vulnerable to remote code execution
Original Release date: 14 Mar 2017 | Last revised: 14 Mar 2017

Overview
Apache Struts, versions 2.3.5 – 2.3.31 and 2.5 – 2.5.10, is vulnerable to code injection leading to remote code execution (RCE).

Description
CWE-94: Improper Control of Generation of Code – CVE-2017-5638
An attacker can execute arbitrary OGNL code included in the "Content-Type" header of a file upload.

This vulnerability is actively being exploited.

Impact
An unauthenticated remote attacker can execute arbitrary commands with the privileges of the user running Apache Struts.

Solution
Apply an update
Update to Apache Struts 2.3.32 or 2.5.10.1
If you are unable to update Struts, please see the workaround suggested by Apache here.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedApache StrutsAffected-14 Mar 2017If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal
8.7
E:H/RL:OF/RC:C

Environmental
8.7
CDP:N/TD:H/CR:ND/IR:ND/AR:ND

References

https://cwiki.apache.org/confluence/display/WW/S2-045
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
https://github.com/rapid7/metasploit-framework/issues/8064
https://www.exploit-db.com/exploits/41570/
https://cwe.mitre.org/data/definitions/94.html

Credit
This document was written by Trent Novelly.

Other Information

CVE IDs:
CVE-2017-5638

Date Public:
06 Mar 2017

Date First Published:
14 Mar 2017

Date Last Updated:
14 Mar 2017

Document Revision:
7

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply