Overview
An unauthenticated remote code execution vulnerability in the Apache Struts 2 package has been publicly reported which allows a remote user to execute arbitrary commands on target systems.
The vulnerability allows an unauthenticated attacker to execute code remotely on a vulnerable system through the use of a specially crafted Content-Type header. The attack code will be executed with the permission of the web server user. Attack tools exist publicly and this vulnerability is being actively exploited.
Details
CVE Reference: CVE-2017-5638
Date: March 9th, 2017
Reissue Date: September 18th, 2017
Status: Confirmed
Fix Available: Yes
Impact: Possible Remote Code Execution when performing file uploads based on Apache Struts Jakarta Multipart parser.
Security Rating: CRITICAL
Affected Software
Struts 2.3.5 – Struts 2.3.31, Struts 2.5 – Struts 2.5.10
Recommended Remediation
Upgrade to Struts 2.3.32 or Struts 2.5.10.1. Visit the vendor’s website struts.apache.org/docs/s2-045.html for more information regarding this vulnerability.
Underlying Affected Products
Underlying products or system components from other vendors can potentially be affected by this vulnerability. Table 1 below provides a listing of those vendors who have issued fixes for affected products potentially vulnerable to exploits described in this advisory.
We highly recommend you visit the vendor’s website for those products and or system components that are applicable to your environment and infrastructure for more specific information on how best to fix the vulnerability.
VENDOR | PRODUCTS | WEBSITE |
---|---|---|
Cisco | Various | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2 |
VMWare | Various | http://www.vmware.com/security/advisories/VMSA-2017-0004.html |
HPE | Universal Configuration Management Database |
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03733en_us |
HPe Server Automation | http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03749en_us | |
Oracle | WebLogic Fusion Middleware Siebel Enterprise |
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html |