CVE-2017-5638 : Security Advisory and Response

Apache Struts 2 Jakarta Multipart Parser Remote Code Execution Vulnerability

Understanding CVE-2017-5638

This CVE involves a critical vulnerability in Apache Struts 2 that allows remote attackers to execute arbitrary commands.

What is CVE-2017-5638?

The vulnerability exists in versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 of Apache Struts 2 due to incorrect exception handling in the Jakarta Multipart parser. Attackers can exploit this flaw to execute commands remotely by sending a crafted HTTP header.

The Impact of CVE-2017-5638

This vulnerability enables attackers to remotely execute arbitrary commands on affected systems by exploiting the flawed Jakarta Multipart parser in Apache Struts 2. The exploit was observed being actively used in the wild in March 2017.

Technical Details of CVE-2017-5638

The technical aspects of the vulnerability are as follows:

Vulnerability Description

Incorrect exception handling and error-message generation during file-upload attempts
Allows remote attackers to execute arbitrary commands

Affected Systems and Versions

Apache Struts 2 versions 2.3.x before 2.3.32
Apache Struts 2 versions 2.5.x before 2.5.10.1

Exploitation Mechanism

Attackers can exploit the vulnerability by sending a crafted HTTP header containing a #cmd= string

Mitigation and Prevention

To address CVE-2017-5638, consider the following steps:

Immediate Steps to Take

Apply security patches provided by Apache Software Foundation
Implement network-level controls to filter out malicious HTTP headers
Monitor network traffic for signs of exploitation

Long-Term Security Practices

Regularly update and patch Apache Struts installations
Conduct security audits and penetration testing to identify vulnerabilities
Educate developers and administrators on secure coding practices

Patching and Updates

Apache Software Foundation released patches to address the vulnerability
Ensure timely application of security updates to mitigate the risk of exploitation