Summary
Possible Remote Code Execution when performing file upload based on Jakarta pluginWho should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | Possible RCE when performing file upload based on Jakarta plugin |
Maximum security rating | High |
Recommendation | Upgrade to Struts 2.3.32 or Struts 2.5.10.1 |
Affected Software | Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10 |
Reporter | Nike Zheng <nike dot zheng at dbappsecurity dot com dot cn> |
CVE Identifier | CVE-2017-5638 |
Problem
It is possible to perform a RCE attack with malicious a Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.
Solution
If you are using Jakarta based file upload plugin, upgrade to Apache Struts version 2.3.32 or 2.5.10.1
Backward compatibility
No backward incompatibility issues are expected.
Workaround
Implement a Servlet filter which will validate Content-Type and throw away request with suspicious values not matching multipart/form-data.