ADVISORY: Apache Struts2 S2-045: Remote Code Execution Vulnerability (CVE-2017-5638)

What happened?

A serious vulnerability was discovered in Apache Struts 2, affecting Apache Struts versions 2.3.5–2.3.31 and 2.5–2.5.10.

The vulnerability (CVE-2017-5638), first reported by the security researcher Nike Zheng, is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts.

Details of the vulnerability

Source: https://cwiki.apache.org/confluence/display/WW/S2-045

It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value isn’t valid, an exception is thrown, and that exception is then used to display an error message to the user.

Exploits have already been disclosed, and the payloads observed vary: they now include IRC bouncers, DoS bots, and various other botnets.

DenyAll Statement:

Our products are not impacted as we do not use Apache Struts 2.

DenyAll WAF and i-Suite products:

  • Our ICX default policy blocks the majority of the payloads used on the Content-Type header (as a Buffer Overflow), but you can also strengthen your policy by including the Command Injection pattern on the headers, especially on the Content-Type header.
  • Both the ICX Engine and Workflow mitigations are available on our documentation site.

rWeb product:

  • By default, if it is still enabled, the payload will be blocked by the header size check, but we recommend enabling the Scoringlist Engine on headers (option ‘Use current Scoringlist to protect the request headers’) to mitigate the payload even if its size varies.
  • For additional protection, you can also activate the advanced engine ‘Scripting language injection protection code’ with the option ‘Protect request headers’.
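The header-side checks described above (a pattern match on the Content-Type header plus a header size limit) can be illustrated with a small detector run over request logs. This is an added example, not DenyAll product code: the log format, the 256-byte limit and the sample lines are constructed for the demonstration.

```python
import re

# Grammar for a well-formed Content-Type: type/subtype plus optional ;name=value parameters.
MEDIA_TYPE_RE = re.compile(
    r'^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w.-]+=("[^"]*"|[^;\s]*))*\s*$')
# Expression delimiters that have no place in a media type; S2-045 payloads are OGNL
# expressions carried in this header, so their presence alone is a block signal.
EXPRESSION_MARKERS = ("%{", "${")
MAX_CONTENT_TYPE_LEN = 256  # assumed threshold, standing in for a WAF header size check


def inspect_content_type(value):
    """Classify one Content-Type header value as ('allow'|'block', reason)."""
    if len(value) > MAX_CONTENT_TYPE_LEN:
        return "block", "header exceeds size limit"
    if any(marker in value for marker in EXPRESSION_MARKERS):
        return "block", "expression syntax in Content-Type"
    if not MEDIA_TYPE_RE.match(value):
        return "block", "malformed media type"
    return "allow", "well-formed media type"


# Constructed sample log lines (not real traffic): client, method, path, quoted Content-Type.
LOG_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')
SAMPLE_LOG = [
    '203.0.113.10 POST /upload.action "multipart/form-data; boundary=----formboundary42"',
    '203.0.113.11 POST /api/items "application/json"',
    '198.51.100.7 POST /upload.action "%{(#constructed_marker=\'not a payload\')}"',
    '198.51.100.8 POST /upload.action "multipart/form-data boundary=missing-semicolon"',
    '198.51.100.9 POST /upload.action "multipart/form-data; boundary=' + 'A' * 300 + '"',
]


def scan_log(lines):
    """Return [(client, path, verdict, reason)] for every parseable log line."""
    results = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the constructed format
        client, _method, path, content_type = m.groups()
        verdict, reason = inspect_content_type(content_type)
        results.append((client, path, verdict, reason))
    return results


if __name__ == "__main__":
    for client, path, verdict, reason in scan_log(SAMPLE_LOG):
        print(f"{verdict:5} {client:14} {path:15} {reason}")
```

The size check is kept first so that an oversized header is rejected before any pattern work, which is the order a WAF would apply to limit parsing cost.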

DenyAll recommends updating your Apache Struts 2 installation as soon as possible, as this vulnerability has been fixed in Apache Struts 2.3.32 and 2.5.10.1.

About the DARC

The DenyAll Research Center (DARC) is an internal division of DenyAll which focuses on threat analysis and mitigation. Over the last 15 years, this department’s research has contributed to the design of state-of-the-art Web application security solutions.

Xavier Quoniam, Marketing Manager
Xavier is our Marketing Manager. He is passionate about disruptive technologies that transform how companies communicate. He brings us his passion, curiosity, and fresh ideas to promote DenyAll and Cloud Protector at their best.