CRITICAL Apache Struts 2.x Vulnerability (CVE-2017-5638)

March 9, 2017

Summary

A critical vulnerability in the Apache Struts 2 framework has been publicly disclosed. Patches are available from Apache. [1]

Impact

This vulnerability allows for unauthenticated, remote code execution on the server. Further, there are at least two known public exploits for this vulnerability [2] and ISP has already started to see scanning and exploit attempts against campus systems.

Vulnerable

  • Apache Struts 2.3.5 - Struts 2.3.31 [3]
  • Apache Struts 2.5 - Struts 2.5.10

Recommendations

  • Upgrade to Struts 2.3.32 or Struts 2.5.10.1
  • Implement a Servlet filter that validates the Content-Type header and discards requests carrying suspicious values that do not match multipart/form-data.
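
One way to implement the Servlet filter mitigation from the second recommendation, as an added example that is not part of this advisory or of Apache's own code. It assumes the Servlet 3.x API (javax.servlet) and that the filter is mapped to /* ahead of the Struts 2 filter in web.xml; the token grammar is a deliberately conservative subset of RFC 7230.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Drops any request whose Content-Type header is not a well-formed media type.
 * Register it in web.xml with a /* mapping declared BEFORE the Struts 2 filter,
 * so the header is checked before Struts' multipart handling ever parses it.
 * (Hypothetical class; assumes the Servlet 3.x API.)
 */
public class ContentTypeValidationFilter implements Filter {

    // Conservative subset of RFC 7230 "token" characters: letters, digits and a
    // few punctuation marks. Real media types and boundaries never need more.
    private static final String TOKEN = "[A-Za-z0-9!&'*+.^_`|~-]+";

    // type/subtype followed by zero or more ";name=value" parameters. Quoted
    // parameter values may not contain braces, '#', '$' or '%'.
    private static final Pattern MEDIA_TYPE = Pattern.compile(
        "^" + TOKEN + "/" + TOKEN
        + "(\\s*;\\s*" + TOKEN + "=(" + TOKEN + "|\"[^\"{}#$%]*\"))*\\s*$");

    static boolean isWellFormed(String contentType) {
        return MEDIA_TYPE.matcher(contentType.trim()).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String contentType = req.getContentType();
        // Requests without a Content-Type header have nothing to validate.
        if (contentType != null && !isWellFormed(contentType)) {
            HttpServletRequest http = (HttpServletRequest) req;
            req.getServletContext().log("Rejected malformed Content-Type from "
                + http.getRemoteAddr() + " for " + http.getRequestURI());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return; // request discarded; Struts never sees it
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

The filter is a stopgap for systems that cannot be upgraded immediately; the rejected-request log line also gives a simple signal for spotting scanning activity.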

References