[Vulnerability Alert] Remote Code Execution Vulnerability in Struts 2(S2-045)

  • Source: Sangfor Security Center
  • Date Published: 2017-03-09

Summary

    On March 7, 2017, Apache released a security bulletin (S2-045) addressing a vulnerability (CVE-2017-5638) in Struts 2. The bulletin states that remote code execution can be triggered during file upload when the Jakarta Multipart parser is used, allowing an attacker to perform operations such as adding user accounts or viewing, modifying or deleting files.

    Affected software: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10


    QianLi Baike

    Struts 2 is a popular MVC framework for building Java web applications. It sits in the role of a Servlet, building the model and connecting it to the views.

    Description

    A malicious user can exploit this vulnerability to execute system commands by sending a file-upload request whose Content-Type header has been modified to carry a crafted value.
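As an added example (not part of the Sangfor advisory), a small Python check a defender can run over upload request records: it flags Content-Type values that carry OGNL-style expression markers or that fall outside the media-type grammar a genuine multipart upload uses. The request records are constructed sample data, and the placeholder expression stands in for any non-media-type value.

```python
import re

# RFC 7231 "token" characters: a legitimate Content-Type is
# type/subtype followed by optional ";name=value" parameters.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = rf"\s*;\s*{_TOKEN}=(?:{_TOKEN}|\"[^\"]*\")"
_CT_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")

# Substrings that indicate an expression, not a media type.
_EXPR_MARKERS = ("%{", "${")


def inspect_content_type(value: str) -> dict:
    """Classify one Content-Type header value.

    Returns {"suspicious": bool, "reasons": [...]}; an empty reason
    list means the value looks like an ordinary media type.
    """
    reasons = []
    for marker in _EXPR_MARKERS:
        if marker in value:
            reasons.append(f"expression marker {marker!r} in Content-Type")
    if not _CT_RE.match(value):
        reasons.append("value does not match media-type grammar")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample request records (client, path, Content-Type).
# The third record models a tampered upload header; the placeholder
# is not a working expression.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/upload.action",
     "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    ("203.0.113.6", "/api/items", "application/json"),
    ("198.51.100.9", "/upload.action", "%{PLACEHOLDER_EXPRESSION}"),
]


def scan_requests(records):
    """Return (client, path, reasons) for every record whose
    Content-Type header is suspicious."""
    hits = []
    for client, path, ctype in records:
        verdict = inspect_content_type(ctype)
        if verdict["suspicious"]:
            hits.append((client, path, verdict["reasons"]))
    return hits


if __name__ == "__main__":
    for client, path, reasons in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {client} {path}: {'; '.join(reasons)}")
```

The grammar check alone rejects the tampered header, since `{` is not a token character; the marker check only adds a more specific reason to the alert.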

    Exploits

    By the time the bulletin was released, several PoC scripts had already been published on the Internet, which can be used to attack vulnerable web applications. We have set up a testing environment and run a PoC script. The test results show that the ifconfig command was executed, as shown below:

    [Screenshot: PoC test output showing the ifconfig command executed]

Solution

    1. This vulnerability has been fixed in Struts 2.3.32 and Struts 2.5.10.1, which can be downloaded from the following links:

    https://dist.apache.org/repos/dist/release/struts/2.5.10.1/

    https://dist.apache.org/repos/dist/release/struts/2.3.32/ 

    2. If a Sangfor NGAF appliance has been deployed in your network, update the IPS vulnerability database to version 20170307 or later to defend against attacks targeting this vulnerability.