⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: apply updates per vendor instructions. Due date: 2022-05-03.

Severity: 9.8 CRITICAL
EPSS: 94.3% (top 0.06%)
CISA KEV: listed, with known ransomware use; added 2021-11-03; due 2022-05-03
Exploit: exploited in the wild; active exploitation observed

Timeline
Published: 2017-03-11
KEV added: 2021-11-03
KEV due: 2022-05-03
Latest update: Jul 21

Description

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (10 packages)

Source     | Package                                   | Versions
NVD        | apache/struts                             | 2.2.3 to 2.3.32 (+1 more range)
Maven      | org.apache.struts:struts2-core            | 2.3.0 to 2.3.32 (+1 more range)
CVEListV5  | apache_software_foundation/apache_struts  | 2.3.x before 2.3.32, 2.5.x before 2.5.10.1 (+1 more)
NVD        | hp/server_automation                      | 5 versions (+4 more)
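The affected ranges above are the input to a dependency triage step. The following is an added example, not code from this page or from the Apache Struts project: it encodes the ranges from the CVE description (2.3.x before 2.3.32, 2.5.x before 2.5.10.1) and classifies struts2-core Maven coordinates against them. The NVD row starts lower (2.2.3); if you follow NVD rather than the CVE text, add that range to AFFECTED_RANGES. Function names, the version parser and the sample coordinate list are this example's own assumptions.

```python
import re
from typing import List, Tuple

# (branch prefix, first fixed version) pairs from the CVE description on this page.
# A version is affected when it lies on the branch and sorts below the fix.
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((2, 3), (2, 3, 32)),      # 2.3.x before 2.3.32
    ((2, 5), (2, 5, 10, 1)),   # 2.5.x before 2.5.10.1
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Trailing qualifiers such as '-SNAPSHOT'
    are dropped; that simplification is an assumption of this example."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the affected branches.
    Tuple comparison makes (2, 5, 10) < (2, 5, 10, 1), so 2.5.10 is affected
    while 2.5.10.1 (the fix) and 2.5.11 are not."""
    parsed = parse_version(version)
    for branch, fixed in AFFECTED_RANGES:
        if parsed[: len(branch)] == branch and parsed < fixed:
            return True
    return False


def triage(coordinates: List[str]) -> List[Tuple[str, bool]]:
    """Classify Maven 'group:artifact:version' strings; only struts2-core is
    in scope for this CVE, other artifacts are skipped."""
    results: List[Tuple[str, bool]] = []
    for coord in coordinates:
        parts = coord.split(":")
        if len(parts) != 3:
            continue
        group, artifact, version = parts
        if (group, artifact) != ("org.apache.struts", "struts2-core"):
            continue
        results.append((coord, is_affected(version)))
    return results


# Constructed sample inventory (not a real SBOM).
SAMPLE_INVENTORY = [
    "org.apache.struts:struts2-core:2.3.5",
    "org.apache.struts:struts2-core:2.5.10",
    "org.apache.struts:struts2-core:2.5.12",
    "org.apache.commons:commons-fileupload:1.3.2",
]

if __name__ == "__main__":
    for coord, affected in triage(SAMPLE_INVENTORY):
        print(f"{coord}: {'AFFECTED' if affected else 'not affected'}")
```

The comparison deliberately uses tuples rather than string sorting: "2.5.10" sorts before "2.5.9" as strings, which would misclassify the unpatched 2.5.10 as fixed.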

Patches

🔴 Vulnerability Details (4)

OSV: Apache Struts vulnerable to remote arbitrary command execution due to improper input validation (2018-10-18)
GHSA: Apache Struts vulnerable to remote arbitrary command execution due to improper input validation (2018-10-18)
CVEList: CVE-2017-5638: The Jakarta Multipart parser in Apache Struts 2 2 (2017-03-11)
VulnCheck: Apache Struts Remote Code Execution Vulnerability (2017)

💥 Exploits & PoCs (3)

Exploit-DB: Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit) (2017-03-15)
Exploit-DB: Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution (2017-03-07)
Nuclei: Apache Struts 2 - Remote Command Execution

🔍 Detection Rules (5)

Suricata: ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1 (2017-03-20)
Suricata: ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M3 (2017-03-13)
Suricata: ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M2 (2017-03-10)
Suricata: ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (2017-03-08)
Sigma: Potential OGNL Injection Exploitation In JVM Based Application
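The rules above all look for the same thing the description states: an OGNL expression carried in a Content-Type, Content-Disposition or Content-Length header of a multipart upload. As an added example, not code from this page or from the Emerging Threats or Sigma projects, the following Python applies that logic to raw HTTP request text, covering both top-level headers and the per-part headers inside a multipart body (where Content-Disposition lives). The marker regexes, function names and sample requests are this example's own constructions; they approximate the intent of the listed rules rather than reproduce them, and the attack samples are deliberately non-functional fragments.

```python
import re
from typing import Dict, List

# Header fields the CVE description names as the injection vector: the Jakarta
# Multipart parser echoed them into an error message that Struts then evaluated as OGNL.
TARGET_HEADERS = ("content-type", "content-disposition", "content-length")

# Indicators of an OGNL expression in a header value. These patterns are this
# example's assumptions; tune them before use in production detection.
OGNL_MARKERS = [
    ("ognl_expression_open", re.compile(r"[%$]\{")),
    ("cmd_variable", re.compile(r"#cmd\s*=")),                 # the in-the-wild '#cmd=' string
    ("member_access_bypass", re.compile(r"_memberAccess", re.I)),
    ("ognl_context_ref", re.compile(r"@ognl\.OgnlContext@", re.I)),
    ("java_exec_ref", re.compile(r"@java\.lang\.(?:Runtime|ProcessBuilder)@", re.I)),
]

# A header line, whether at the top of the request or inside a multipart part.
HEADER_LINE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*):\s*(?P<value>.*)$")


def scan_request(raw: str) -> List[Dict[str, str]]:
    """Return one finding per (header line, indicator) hit.

    Every line that looks like a header is checked, so a part-level
    Content-Disposition is caught as well as the request's own Content-Type."""
    findings: List[Dict[str, str]] = []
    for line in raw.splitlines():
        m = HEADER_LINE.match(line.strip())
        if not m:
            continue
        name = m.group("name").lower()
        if name not in TARGET_HEADERS:
            continue
        value = m.group("value")
        # A legitimate Content-Length is an integer; anything else is itself anomalous.
        if name == "content-length" and not value.strip().isdigit():
            findings.append({"header": name, "indicator": "non_numeric_content_length", "value": value})
        for label, rx in OGNL_MARKERS:
            if rx.search(value):
                findings.append({"header": name, "indicator": label, "value": value})
    return findings


def is_suspicious(raw: str) -> bool:
    return bool(scan_request(raw))


# Constructed sample requests (not real captures).
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----b\r\nContent-Length: 157\r\n\r\n"
    "------b\r\nContent-Disposition: form-data; name=\"file\"; filename=\"notes.txt\"\r\n"
    "Content-Type: text/plain\r\n\r\nhello\r\n------b--\r\n"
)
CONTENT_TYPE_ATTACK = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='id')}\r\nContent-Length: 0\r\n\r\n"
)
PART_HEADER_ATTACK = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----b\r\nContent-Length: 120\r\n\r\n"
    "------b\r\nContent-Disposition: form-data; name=\"file\"; filename=\"%{#cmd='id'}\"\r\n"
    "Content-Type: text/plain\r\n\r\nx\r\n------b--\r\n"
)

if __name__ == "__main__":
    for label, req in [("benign", BENIGN_UPLOAD), ("content-type", CONTENT_TYPE_ATTACK),
                       ("part header", PART_HEADER_ATTACK)]:
        print(label, scan_request(req))
```

The header-by-header scan is the reason the ET rule set has separate Content-Disposition and Content-Type variants: a detector that inspects only the request's top-level Content-Type misses the part-level vector. Expect false positives from uploaded files whose text contains header-like lines; in practice this belongs behind a request-path or content-type pre-filter.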

📋 Vendor Advisories (3)

CISA: Apache Struts Remote Code Execution Vulnerability (2021-11-03)
Cisco: Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products (2017-03-11)
Red Hat: struts2: RCE when performing file upload based on Jakarta Multipart parser (2017-03-06)

🕵️ Threat Intelligence (9)

Unit42: Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report (2022-07-21)
Unit42: Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall (2018-09-10)
Tenable: Apache Struts Jakarta Remote Code Execution (CVE-2017-5638) Detection with Nessus (2017-03-14)
Qualys: CVE-2017-5638 Apache Struts Vulnerability | Qualys (2017-03-14)
Trendmicro: Apache Struts 2 Vulnerability Leads to RCE (2017-03-09)

📄 Research Papers (1)

arXiv: Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting (2021-02-10)

💬 Community (1)

Bugzilla: CVE-2017-5638 struts2: RCE when performing file upload based on Jakarta Multipart parser (2017-03-08)
CVE-2017-5638 (CRITICAL CVSS 9.8) | The Jakarta Multipart parser in Apa | cvebase.io