edit-icon download-icon

[Vulnerability notice] CVE-2017-5638: Remote code execution vulnerability in Struts based on Jakarta plugin (S2-046)

Last Updated: Apr 08, 2018

Recently, Apache Struts officially published the Struts2 vulnerability and named the latest patch as S2-046. According to the published patch description, the patch and S2-045 both fix CVE-2017-5638.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-5638

Vulnerability name

Struts remote code execution vulnerability based on Jakarta plugin (S2-046)

Vulnerability rating

High

Vulnerability description

The vulnerability is a possible RCE (like S2-045) in a file upload using the Jakarta Multipart parser.

Condition and method of exploitation

A hacker can remotely exploit the vulnerability to run code by constructing malicious OGNL from file names using Jakarta plugin. S2-046 has the following two ways of exploitation:

  • Content-Disposition file name contains null bytes.

  • Content-Disposition file name does not contain null bytes.

    When Content-Disposition file name does not contain null bytes, the following two conditions must be met for successful exploitation:

    • Content-Length exceeds the maximum value (2M) allowed by Struts2.

    • The data flow passes through JakartaStreamMultiPartRequest. When Struts uses Jakarta’s default configurations, the data flow does not pass through JakartaStreamMultiPartRequest. If struts.xml includes the following configurations, the data flow passes through JakartaStreamMultiPartRequest:

      1. <constant name="struts.multipart.parser" value="jakarta-stream" />

Affected scope

  • Struts 2.3.5 - 2.3.31
  • Struts 2.5 - 2.5.10

How to fix or mitigate

  • Strictly filter the content in Content-Type and file name, and strictly prohibit the OGNL expression related fields.

  • If you use Jakarta plugin, we recommend that you upgrade to Apache Struts 2.3.32 or 2.5.10.1.

    Note: Back up snapshots before the upgrade.

  • Use Alibaba Cloud Security WAF for defense.

Reference

[1]. http://struts.apache.org/docs/s2-045.html
[2]. http://struts.apache.org/docs/s2-046.html
[3]. https://community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#

Thank you! We've received your feedback.