ADVISORY: Apache Struts2 S2-045: Remote Code Execution Vulnerability (CVE-2017-5638)

What happened?

A serious vulnerability was discovered in Apache Struts 2, affecting Apache Struts versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10.

The vulnerability (CVE-2017-5638), first reported by the security researcher Nike Zheng, is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts.

Details of the vulnerability

It is possible to perform an RCE attack with a malicious Content-Type header value. If the Content-Type value isn't valid, an exception is thrown, and the exception message is then used to display an error message to the user.

Exploits have already been disclosed publicly, and the observed payloads vary: they now include an IRC bouncer, a DoS bot, and various other botnet agents.

DenyAll Statement:

Our products are not impacted as we do not use Apache Struts 2.

DenyAll WAF and i-Suite products:

  • Our ICX default policy blocks the majority of the payloads used in the Content-Type header (detected as a Buffer Overflow), but you can also strengthen your policy by enabling the Command Injection pattern on headers, especially on the Content-Type header.
  • Both the ICX Engine and Workflow mitigations are documented on our documentation site.

rWeb product:

  • By default, if it is still enabled, the payload is blocked by the header size check, but we recommend enabling the Scoringlist Engine on headers (option 'Use current Scoringlist to protect the request headers') to mitigate the payload even if its size varies.
  • For additional protection, you can also activate the advanced engine 'Scripting language injection protection code' with the option 'Protect request headers'.
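As an added illustration, not DenyAll's own engine or code, of the two header checks the product notes above rely on (a header size limit and an injection-pattern check on Content-Type), here is a Python filter that also rejects any value that is not a well-formed media type. The 256-byte limit and the marker list are assumptions to tune for your own traffic.

```python
import re

# A Content-Type value must be type/subtype with optional ;name=value parameters
# (RFC 7230 token grammar). Braces, parentheses and bare quotes are not valid
# token characters, so an embedded expression fails this check on its own.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"[^"\\]*"'
PARAM = r"\s*;\s*" + TOKEN + r"=(?:" + TOKEN + "|" + QUOTED + ")"
CONTENT_TYPE_RE = re.compile("^" + TOKEN + "/" + TOKEN + "(?:" + PARAM + r")*\s*$")

# Assumptions (tune to your traffic): a legitimate Content-Type is short, and the
# markers below are the OGNL expression fragments seen in S2-045 injection attempts.
MAX_HEADER_LEN = 256
EXPRESSION_MARKERS = ("%{", "${", "#_memberaccess", "@ognl")


def check_content_type(value: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one Content-Type header value."""
    if len(value) > MAX_HEADER_LEN:
        return False, "header too long"  # mirrors the header size check
    lowered = value.lower()
    for marker in EXPRESSION_MARKERS:
        if marker in lowered:
            return False, f"expression marker {marker!r}"  # injection pattern
    if not CONTENT_TYPE_RE.match(value):
        return False, "not a well-formed media type"
    return True, "ok"


def audit(samples: dict[str, str]) -> dict[str, tuple[bool, str]]:
    """Run the check over labelled sample values and return the verdicts."""
    return {label: check_content_type(v) for label, v in samples.items()}


# Constructed sample values for demonstration (not captured traffic).
SAMPLES = {
    "browser upload": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "quoted charset": 'text/plain; charset="utf-8"',
    "ognl marker": "%{(#demo='multipart/form-data')}",
    "oversized": "multipart/form-data; boundary=" + "A" * 300,
    "bad token chars": "multipart/form-data; boundary={bad}",
}

if __name__ == "__main__":
    for label, (allowed, reason) in audit(SAMPLES).items():
        print(f"{label:16} {'ALLOW' if allowed else 'BLOCK':5} {reason}")
```

The grammar check is the durable part: a size limit or marker list can be evaded by short or obfuscated values, while a value that is not a valid media type has no legitimate reason to reach the multipart parser.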

DenyAll recommends updating your Apache Struts 2 installation as soon as possible, as this vulnerability has been fixed in Apache Struts 2.3.32 and

About the DARC

The DenyAll Research Center (DARC) is an internal division of DenyAll that focuses on threat analysis and mitigation. Over the last 15 years, this department's research has contributed to the design of state-of-the-art Web application security solutions.

Xavier Quoniam, Marketing Manager