[SingCERT] Apache Struts2 Possible Remote Code Execution

Published on Thursday, 09 March 2017 22:26

Background
On 7th March 2017, Apache Software Foundation issued an emergency security alert for CVE-2017-5638 (Apache Struts2 S2-045).

Apache Struts is an open source project of the Apache Software Foundation's Jakarta project team; it provides an MVC framework for developing Java web applications.

Apache Struts is exposed to a high-risk remote code execution (RCE) vulnerability. It has been reported that the vulnerability is being actively exploited on a wide scale, since it is relatively easy to exploit. SingCERT has found numerous unpatched Apache Struts websites in Singapore that are affected. There are potentially many more websites that have not been patched and are therefore vulnerable.

Affected Software

  • Apache Struts 2.3.5 – 2.3.31
  • Apache Struts 2.5 – 2.5.10

Impact
The RCE vulnerability exists in the Jakarta Multipart parser, which handles the Content-Type header improperly. An attacker can trigger it by sending a request with a malicious Content-Type value and thereby execute system commands on the server.

More details on this vulnerability can be found in the reference links below.

Recommendation
Website owners using Apache Struts should immediately verify their software version to ensure that they are not vulnerable. Those running an affected version are advised to update to Apache Struts 2.3.32 or 2.5.10.1 (or later) without delay.

Other Recommendations
Update your NIPS / WAF rules to block this RCE exploit.
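The two recommendations above (check the installed version against the affected ranges, and screen requests for a malicious Content-Type) as a small defender-side script. This is an added example, not SingCERT's or Apache's code. The affected version ranges are the ones listed in this advisory; the OGNL expression markers `%{` and `${` are not named in the advisory but are what the Struts OGNL evaluator interprets, and the request records are constructed sample data, not real traffic.

```python
"""Defender-side checks for S2-045 (CVE-2017-5638): version triage and Content-Type
header screening. Added example, not SingCERT's or Apache's code."""
import re

# Affected ranges quoted from the advisory (inclusive); fixed in 2.3.32 / 2.5.10.1.
AFFECTED_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10)))

# RFC 7231 media-type grammar: token "/" token *( ";" token "=" (token | quoted-string) ).
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"\s*;\s*{_TCHAR}=(?:{_TCHAR}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^{_TCHAR}/{_TCHAR}(?:{_PARAM})*\s*$")

# OGNL expression delimiters. The advisory does not name them; they are what the Struts
# OGNL evaluator interprets, and no well-formed client puts them in a Content-Type.
_EXPR_MARKERS = ("%{", "${")

def is_affected(version):
    """True if a Struts version string such as '2.5.10.1' falls inside an affected range.
    Splitting into an int tuple makes ordinary tuple comparison order versions correctly."""
    v = tuple(int(p) for p in version.strip().split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def check_content_type(value):
    """Return (ok, reason); ok is False for anything a well-formed client would not send."""
    for marker in _EXPR_MARKERS:
        if marker in value:
            return False, f"expression marker {marker!r} in Content-Type"
    if not _MEDIA_TYPE.match(value):
        return False, "Content-Type does not parse as a media type"
    return True, "ok"

# Constructed sample request records (not real traffic): (source, path, Content-Type).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "/upload.action", "multipart/form-data; boundary=----FormBoundaryAbc"),
    ("192.0.2.11", "/upload.action", "application/x-www-form-urlencoded"),
    ("198.51.100.7", "/upload.action", "%{2*21}"),
    ("198.51.100.8", "/upload.action", 'multipart/form-data; boundary="${demo}"'),
    ("198.51.100.9", "/upload.action", "multipart/form-data; {not-a-parameter}"),
]

def flag_requests(records):
    """Return (source, path, reason) for every record whose Content-Type fails the check."""
    hits = []
    for src, path, ctype in records:
        ok, reason = check_content_type(ctype)
        if not ok:
            hits.append((src, path, reason))
    return hits
```

The fourth sample record is grammatically a valid media type, which is why the marker check runs before the grammar check: a strict parser alone would let it through.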

References
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
https://cwiki.apache.org/confluence/display/WW/S2-045
https://threatprotect.qualys.com/2017/03/08/apache-struts-jakarta-multipart-parser-remote-code-execution-vulnerability/