Pradeep Kulkarni
CVE-2017-5638 – Apache Struts 2 Remote Code Execution Vulnerability
March 14, 2017

The well-known open source web application framework Apache Struts 2 is being actively exploited in the wild, allowing hackers to launch remote code execution attacks. To address this issue, Apache has issued a security advisory, and CVE-2017-5638 has been assigned to it. The zero-day bug has been given the highest severity rating, ‘High’. The proof of concept can be found here. The open source Struts framework is widely used by organizations across the globe, which makes this vulnerability attractive for hackers to exploit.

Vulnerable Versions:

  • Struts 2.3.5
  • Struts 2.3.31
  • Struts 2.5
  • Struts 2.5.10

Vulnerability

The vulnerability is triggered by sending a crafted ‘Content-Type’ HTTP header. The Jakarta multipart parser fails to validate the file upload, which allows attackers to carry out remote code execution. Arbitrary commands are injected into the ‘Content-Type’ HTTP header in the field #cmd, and the injected command is executed on the vulnerable server.

Fig 1. Vulnerability
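
A defender-side check for the crafted header described above, as an added example (not Quick Heal's detection logic and not code from the original post): it validates logged Content-Type values against the RFC 7231 media-type grammar and also looks for OGNL expression delimiters and the #cmd field, since an expression hidden in a quoted parameter still passes the grammar. The tab-separated log format, the function names and the `MAX_LEN` threshold are assumptions, and the server or proxy must be configured to log the request Content-Type header.

```python
import re

# RFC 7231 media-type grammar: type "/" subtype *( ";" token "=" value )
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE = re.compile(
    rf'^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"\\]*"))*\s*$'
)
# OGNL expression delimiters, plus the #cmd field named in the write-up.
OGNL_MARKERS = ("%{", "${", "#cmd")
MAX_LEN = 256  # assumption: generous upper bound for a real Content-Type

def inspect_content_type(value):
    """Return the list of reasons a Content-Type value looks suspicious."""
    lowered = value.lower()
    reasons = [f"ognl-marker:{m}" for m in OGNL_MARKERS if m in lowered]
    if len(value) > MAX_LEN:
        reasons.append("oversized")
    if not MEDIA_TYPE.match(value.strip()):
        reasons.append("not-a-media-type")
    return reasons

def scan(log_lines):
    """Yield (source, request, reasons) for each flagged log line."""
    for line in log_lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue  # not in the constructed 3-field format
        source, request, content_type = parts
        if content_type in ("", "-"):
            continue  # header absent on this request
        reasons = inspect_content_type(content_type)
        if reasons:
            yield source, request, reasons

# Constructed sample lines: source <TAB> request <TAB> Content-Type header.
# The expressions are inert placeholders, not working payloads.
SAMPLE_LOG = [
    "192.0.2.10\tPOST /upload.action\tmultipart/form-data; boundary=----abc123",
    "192.0.2.11\tGET /index.action\t-",
    "198.51.100.7\tGET /index.action\t%{(#cmd='PLACEHOLDER')}",
    "198.51.100.8\tPOST /login.action\tmultipart/form-data; boundary=\"${#cmd}\"",
    "192.0.2.12\tPOST /api.action\tapplication/json; charset=utf-8",
]

if __name__ == "__main__":
    for source, request, reasons in scan(SAMPLE_LOG):
        print(source, request, ",".join(reasons))
```

A hit on a host that was running a vulnerable Struts version at the time of the request is a reason to check that host for dropped payloads, not just to block the source.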

Quick Heal Detections

Quick Heal has released the following IPS detection for the vulnerability CVE-2017-5638.

  • VID-01568: Apache Struts Remote Code Execution vulnerability

Some of the reported payloads dropped by exploiting this vulnerability have been detected by Quick Heal as:

  • Backdoor.Linux.Setag.E
  • TrojanXor.Linux.DDos.A

Conclusion

The high-profile zero-day vulnerability has now been patched by Apache Struts. We strongly recommend that users upgrade their Apache Struts installation to Struts 2.3.32 or Struts 2.5.10.1 as per the advisory, and also apply the latest security updates by Quick Heal.

ACKNOWLEDGEMENT

• Vishal Singh
• Pradeep Kulkarni
– Threat Research and Response Team
