Overview
Apache Struts, versions 2.3.5 - 2.3.31 and 2.5 - 2.5.10, is vulnerable to code injection leading to remote code execution (RCE).
Description
CWE-94: Improper Control of Generation of Code - CVE-2017-5638 An attacker can execute arbitrary OGNL code included in the "Content-Type" header of a file upload. |
Impact
An unauthenticated remote attacker can execute arbitrary commands with the privileges of the user running Apache Struts. |
Solution
Apply an update |
If you are unable to update Struts, please see the workaround suggested by Apache here. |
Vendor Information
834067
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 8.7 | E:H/RL:OF/RC:C |
| Environmental | 8.7 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND |
References
- https://cwiki.apache.org/confluence/display/WW/S2-045
- http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
- https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
- http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
- https://github.com/rapid7/metasploit-framework/issues/8064
- https://www.exploit-db.com/exploits/41570/
- https://cwe.mitre.org/data/definitions/94.html
Acknowledgements
This document was written by Trent Novelly.
Other Information
| CVE IDs: | CVE-2017-5638 |
| Date Public: | 2017-03-06 |
| Date First Published: | 2017-03-14 |
| Date Last Updated: | 2017-03-14 21:02 UTC |
| Document Revision: | 9 |