| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | Possible RCE when performing file upload |
| Maximum security rating | Critical |
| Recommendation | Upgrade to Struts 2.3.32 or Struts 2.5.10.1 |
| Affected Software | Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - |
| Reporter | Nike Zheng <nike dot zheng at dbappsecurity dot com dot cn> |
| CVE Identifier | CVE-2017-5638 |
It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid, an exception is thrown, which is then used to display an error message to a user.
If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different implementation of the Multipart parser.
No backward incompatibility issues are expected.
Implement a Servlet filter which will validate Content-Type and throw away requests with suspicious values not matching multipart/form-data.
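One way to write the Servlet filter workaround described above, as an added example that is not part of the original advisory or of Struts itself. The class name, the `javax.servlet` (Servlet 3.x) API, and the strict policy (only a single unquoted `boundary` parameter is accepted) are assumptions of this example, and the filter is assumed to be mapped in `web.xml` ahead of the Struts filter.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class name): rejects requests whose Content-Type
// mentions multipart/form-data without being a well-formed upload header.
public class StrictMultipartContentTypeFilter implements Filter {

    // Exactly "multipart/form-data" followed by one unquoted boundary parameter
    // of 1-70 characters taken from the RFC 2046 boundary character set.
    private static final Pattern WELL_FORMED = Pattern.compile(
        "^multipart/form-data\\s*;\\s*boundary=[0-9A-Za-z'()+_,\\-./:=?]{1,70}\\s*$",
        Pattern.CASE_INSENSITIVE);

    // True when the header is absent, is not an upload, or is a well-formed upload header.
    static boolean isAcceptable(String contentType) {
        if (contentType == null
                || !contentType.toLowerCase(Locale.ROOT).contains("multipart/form-data")) {
            return true; // not an upload request; left to normal handling
        }
        return WELL_FORMED.matcher(contentType).matches();
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!isAcceptable(request.getHeader("Content-Type"))) {
            // Drop the request before Struts parses it; the header is not echoed back.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Clients that send extra parameters such as `charset` alongside `boundary` would be rejected by this pattern, so check real upload traffic before enforcing it.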
Another option is to remove the File Upload Interceptor from the stack: define your own custom stack and set it as the default (please read How do we configure an Interceptor to be used with every Action). This will work only for Struts 2.5.8 - 2.5.10.
```xml
<interceptors>
    <interceptor-stack name="defaultWithoutUpload">
        <interceptor-ref name="exception"/>
        <interceptor-ref name="alias"/>
        <interceptor-ref name="servletConfig"/>
        <interceptor-ref name="i18n"/>
        <interceptor-ref name="prepare"/>
        <interceptor-ref name="chain"/>
        <interceptor-ref name="scopedModelDriven"/>
        <interceptor-ref name="modelDriven"/>
        <interceptor-ref name="checkbox"/>
        <interceptor-ref name="datetime"/>
        <interceptor-ref name="multiselect"/>
        <interceptor-ref name="staticParams"/>
        <interceptor-ref name="actionMappingParams"/>
        <interceptor-ref name="params"/>
        <interceptor-ref name="conversionError"/>
        <interceptor-ref name="validation">
            <param name="excludeMethods">input,back,cancel,browse</param>
        </interceptor-ref>
        <interceptor-ref name="workflow">
            <param name="excludeMethods">input,back,cancel,browse</param>
        </interceptor-ref>
        <interceptor-ref name="debugging"/>
    </interceptor-stack>
</interceptors>
<default-interceptor-ref name="defaultWithoutUpload"/>
```