Sid 1-41818

Message

SERVER-APACHE Apache Struts remote code execution attempt

Summary

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Impact

CVSS base score 10.0 CVSS impact score 6.0 CVSS exploitability score 3.9 confidentialityImpact HIGH integrityImpact HIGH availabilityImpact HIGH

Detailed information

Affected systems

  • apache struts 2.3.5
  • apache struts 2.3.6
  • apache struts 2.3.7
  • apache struts 2.3.8
  • apache struts 2.3.9
  • apache struts 2.3.10
  • apache struts 2.3.11
  • apache struts 2.3.12
  • apache struts 2.3.13
  • apache struts 2.3.14
  • apache struts 2.3.14.1
  • apache struts 2.3.14.2
  • apache struts 2.3.14.3
  • apache struts 2.3.15
  • apache struts 2.3.15.1
  • apache struts 2.3.15.2
  • apache struts 2.3.15.3
  • apache struts 2.3.16
  • apache struts 2.3.16.1
  • apache struts 2.3.16.2
  • apache struts 2.3.16.3
  • apache struts 2.3.17
  • apache struts 2.3.19
  • apache struts 2.3.20
  • apache struts 2.3.20.1
  • apache struts 2.3.20.2
  • apache struts 2.3.20.3
  • apache struts 2.3.21
  • apache struts 2.3.22
  • apache struts 2.3.23
  • apache struts 2.3.24
  • apache struts 2.3.24.1
  • apache struts 2.3.24.2
  • apache struts 2.3.24.3
  • apache struts 2.3.25
  • apache struts 2.3.26
  • apache struts 2.3.27
  • apache struts 2.3.28
  • apache struts 2.3.28.1
  • apache struts 2.3.29
  • apache struts 2.3.30
  • apache struts 2.3.31
  • apache struts 2.5
  • apache struts 2.5.1
  • apache struts 2.5.2
  • apache struts 2.5.3
  • apache struts 2.5.4
  • apache struts 2.5.5
  • apache struts 2.5.6
  • apache struts 2.5.7
  • apache struts 2.5.8
  • apache struts 2.5.9
  • apache struts 2.5.10

Ease of attack

False positives

None known

False negatives

None known

Corrective action

Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

Contributors

  • Talos research team.
  • This document was generated from data supplied by the national vulnerability database, a product of the national institute of standards and technology.
  • For more information see nvd.

Additional References

  • cwiki.apache.org/confluence/display/WW/S2-045