SummaryPossible Remote Code Execution when performing file upload based on Jakarta Multipart parser.
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible RCE when performing file upload based on Jakarta Multipart parser
Maximum security rating
Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
Nike Zheng <nike dot zheng at dbappsecurity dot com dot cn>
It is possible to perform a RCE attack with a malicious
Content-Type value. If the
Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.
If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 126.96.36.199. You can also switch to a different implementation of the Multipart parser.
No backward incompatibility issues are expected.
Implement a Servlet filter which will validate
Content-Type and throw away request with suspicious values not matching
Other option is to remove the File Upload Interceptor from the stack, just define your own custom stack and set it as a default - please read How do we configure an Interceptor to be used with every Action. This will work only for Struts 2.5 - 2.5.10.