CVE-2017-5638 – Apache Struts 2 Remote Code Execution Vulnerability

The well-known open source web application framework Apache Struts 2 is being actively exploited in the wild, allowing hackers to achieve remote code execution. To address this issue, Apache has issued a security advisory and CVE-2017-5638 has been assigned to it. The zero-day bug has been given the highest severity rating, ‘High’. The proof of concept can be found here. The open source Struts framework is used widely by organizations across the globe, which makes this vulnerability an attractive target for hackers.

Vulnerable Versions:

  • Struts 2.3.5
  • Struts 2.3.31
  • Struts 2.5
  • Struts 2.5.10

Vulnerability

The vulnerability is triggered by sending a crafted ‘Content-Type’ HTTP header. The Jakarta multipart parser fails to validate the file upload request, which allows attackers to carry out remote code execution. The ‘Content-Type’ HTTP header is injected with arbitrary commands in the field #cmd, and the injected command gets executed on the vulnerable server.
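As an added defensive illustration (not part of the original Quick Heal post), the script below flags request Content-Type header values that are not well-formed media types or that carry an expression opener, which is the kind of check an IPS rule or a log-review script for this bug performs. The header lines are constructed samples, and the function and variable names are this example's own.

```python
import re
from typing import List, Optional

# Approximation of the RFC 7231 media-type grammar:
#   type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
_TCHAR = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"{_TCHAR}=(?:{_TCHAR}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^{_TCHAR}/{_TCHAR}(?:\s*;\s*{_PARAM})*\s*$")

# Expression-language openers that never belong in a media type. They are
# checked separately because a quoted parameter value is free-form, so the
# grammar check alone would let boundary="${...}" through.
_EXPRESSION_MARKERS = ("%{", "${")

_HEADER_RE = re.compile(r"^content-type\s*:\s*(.*)$", re.IGNORECASE)


def is_suspicious_content_type(value: str) -> bool:
    """True if the value is not a plain media type or carries an expression opener."""
    value = value.strip()
    if any(marker in value for marker in _EXPRESSION_MARKERS):
        return True
    return _MEDIA_TYPE.fullmatch(value) is None


def extract_content_type(header_line: str) -> Optional[str]:
    """Return the value of a 'Content-Type: ...' request header line, else None."""
    match = _HEADER_RE.match(header_line.strip())
    return match.group(1) if match else None


def scan_headers(lines: List[str]) -> List[str]:
    """Return the Content-Type values in `lines` that should raise an alert."""
    hits = []
    for line in lines:
        value = extract_content_type(line)
        if value is not None and is_suspicious_content_type(value):
            hits.append(value)
    return hits


# Constructed sample header lines, not captured traffic. The last two only
# mimic the shape of a tampered header; they are not working expressions.
SAMPLE_HEADERS = [
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
    "Content-Type: application/json",
    'Content-Type: text/html; charset="utf-8"',
    "Content-Type: %{(#cmd='CONSTRUCTED_SAMPLE')}",
    'Content-Type: multipart/form-data; boundary="${CONSTRUCTED_SAMPLE}"',
]
```

Running `scan_headers(SAMPLE_HEADERS)` returns only the last two values; the first three legitimate headers pass both the grammar and the marker check.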

Fig 1. Vulnerability

Quick Heal Detections

Quick Heal has released the following IPS detection for the vulnerability CVE-2017-5638.

  • VID-01568: Apache Struts Remote Code Execution vulnerability

Some of the reported payloads dropped by exploiting this vulnerability have been detected by Quick Heal as:

  • Backdoor.Linux.Setag.E
  • TrojanXor.Linux.DDos.A

Conclusion

This high-profile zero-day vulnerability has now been patched by Apache Struts. We strongly recommend that users upgrade their Apache Struts installation to Struts 2.3.32 or Struts 2.5.10.1 as per the advisory, and also apply the latest security updates from Quick Heal.

ACKNOWLEDGEMENT

• Vishal Singh
• Pradeep Kulkarni
– Threat Research and Response Team

Pradeep Kulkarni