A serious vulnerability was discovered in Apache Struts 2, affecting Apache Struts versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10.
The vulnerability (CVE-2017-5638), first reported by security researcher Nike Zheng, is a remote code execution bug in the Jakarta Multipart parser of Apache Struts 2.
Details of the vulnerability
An attacker can achieve remote code execution by sending a request with a crafted Content-Type header. When the Content-Type value is not a valid media type, the Jakarta Multipart parser throws an exception, and the error message built from that exception, which contains the attacker-supplied header value, is evaluated as an OGNL expression before being displayed to the user. That evaluation is what turns a malformed header into code execution: no authentication is required and a single request is enough.
Exploits have already been publicly disclosed, and the payloads observed vary: they include IRC bouncers, DoS bots and various other botnet agents.
Our products are not affected, as they do not use Apache Struts 2.
DenyAll WAF and i-Suite products:
- The ICX default policy blocks the majority of the payloads seen in the Content-Type header (detected as a Buffer Overflow). You can strengthen the policy by applying the Command Injection pattern to the request headers, especially the Content-Type header.
- Both the ICX Engine and the Workflow mitigations are described on our documentation site.
- By default, if it is still enabled, the header size check blocks the payload. Because the payload size varies between exploit variants, we also recommend enabling the Scoringlist Engine on headers (option 'Use current Scoringlist to protect the request headers') so that variants that stay under the size limit are detected as well.
- For additional protection, you can also activate the advanced engine 'Scripting language injection protection code' with the option 'Protect request headers'.
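As an added example, not DenyAll's code and not part of the original advisory, the following Python script applies the three controls listed above to raw HTTP requests: a header size limit, expression and command injection patterns on the Content-Type header, and a positive check that the value is a well-formed media type, which is exactly the condition the vulnerable parser fails on before it builds the error message. The size threshold, the pattern lists and the two sample requests are assumptions constructed for the example; the malicious sample only has the shape of an OGNL payload and is not a working exploit.

```python
"""Detect CVE-2017-5638-style payloads in the Content-Type header.

Added example: mirrors the WAF controls described above (header size check,
injection patterns on headers, media-type grammar check). The threshold,
pattern lists and sample requests below are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Assumed threshold; a real WAF's default header size limit will differ.
MAX_HEADER_VALUE_LEN = 256

# Positive model: a well-formed media type with optional parameters
# (type/subtype; name=value ...). A Struts 2 request whose Content-Type fails
# this grammar is precisely the case in which the vulnerable parser throws
# and echoes the header into an OGNL-evaluated error message.
_TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
MEDIA_TYPE_RE = re.compile(
    rf'^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:"[^"]*"|[^;\s]+))*\s*$'
)

# Markers of an OGNL expression placed in a header value.
OGNL_PATTERNS = (
    re.compile(r"[%$]\{"),                 # %{...} / ${...} expression openers
    re.compile(r"#_memberAccess"),
    re.compile(r"@ognl\.OgnlContext@"),
    re.compile(r"@java\.lang\.Runtime@"),
)

# Command-injection tokens, the "Command Injection pattern on headers" idea.
CMD_INJECTION_PATTERNS = (
    re.compile(r"java\.lang\.ProcessBuilder"),
    re.compile(r"getRuntime\(\)\s*\.\s*exec"),
    re.compile(r"/bin/(?:ba)?sh"),
    re.compile(r"cmd\.exe", re.IGNORECASE),
)


@dataclass
class Verdict:
    blocked: bool
    reasons: list = field(default_factory=list)


def inspect_content_type(value: str) -> Verdict:
    """Run the size, grammar, OGNL and command-injection checks on one value."""
    reasons = []
    if len(value) > MAX_HEADER_VALUE_LEN:
        reasons.append("oversized-header")
    if not MEDIA_TYPE_RE.match(value):
        reasons.append("malformed-content-type")
    if any(p.search(value) for p in OGNL_PATTERNS):
        reasons.append("ognl-expression")
    if any(p.search(value) for p in CMD_INJECTION_PATTERNS):
        reasons.append("command-injection")
    return Verdict(bool(reasons), reasons)


def parse_headers(raw: bytes) -> dict:
    """Return {lower-cased name: [values...]} for a raw HTTP/1.x request.

    Every occurrence of a header is kept: an attacker may send Content-Type
    twice hoping the WAF and the application look at different copies.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:    # [0] is the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def inspect_request(raw: bytes) -> Verdict:
    """Merge the verdicts for all Content-Type values in the request.

    A request without Content-Type is left alone: the vulnerable code path
    is only reached when the header is present and malformed.
    """
    merged = Verdict(False)
    for value in parse_headers(raw).get("content-type", []):
        v = inspect_content_type(value)
        merged.blocked |= v.blocked
        merged.reasons += [r for r in v.reasons if r not in merged.reasons]
    return merged


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    b"POST /upload.action HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
MALICIOUS_REQUEST = (
    b"POST /upload.action HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: %{(#_='multipart/form-data').(#cmd='id')."
    b"(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        print(label, inspect_request(req))
```

The grammar check is the one that generalises: signature lists only catch the payload shapes already seen, whereas a Content-Type that is not a syntactically valid media type is suspicious on its own for a multipart upload endpoint and is blocked regardless of how the attacker reorders or pads the expression. Keep the size check as well, since the short sample above stays well under the limit and would pass it alone.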
DenyAll recommends upgrading Apache Struts 2 as soon as possible: the vulnerability is fixed in Apache Struts 2.3.32 and 2.5.10.1.
About the DARC
The DenyAll Research Center (DARC) is an internal division of DenyAll that focuses on threat analysis and mitigation. Over the last 15 years, this department's research has contributed to the design of state-of-the-art web application security solutions.