CVE-2017-5638 : The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x be

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Published 2017-03-11 02:59:00

Updated 2025-02-06 22:15:32

Source Apache Software Foundation

View at NVD, CVE.org

Products affected by CVE-2017-5638

HP » Server Automation » Version: 9.1.0
cpe:2.3:a:hp:server_automation:9.1.0:*:*:*:*:*:*:*
Matching versions
HP » Server Automation » Version: 10.0.0
cpe:2.3:a:hp:server_automation:10.0.0:*:*:*:*:*:*:*
Matching versions
HP » Server Automation » Version: 10.1.0
cpe:2.3:a:hp:server_automation:10.1.0:*:*:*:*:*:*:*
Matching versions
HP » Server Automation » Version: 10.2.0
cpe:2.3:a:hp:server_automation:10.2.0:*:*:*:*:*:*:*
Matching versions
HP » Server Automation » Version: 10.5.0
cpe:2.3:a:hp:server_automation:10.5.0:*:*:*:*:*:*:*
Matching versions
IBM » Storwize V7000 Firmware » Version: 7.7.1.6
cpe:2.3:o:ibm:storwize_v7000_firmware:7.7.1.6:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Storwize V7000 » Version: N/A
IBM » Storwize V7000 Firmware » Version: 7.8.1.0
cpe:2.3:o:ibm:storwize_v7000_firmware:7.8.1.0:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Storwize V7000 » Version: N/A
IBM » Storwize V5000 Firmware » Version: 7.7.1.6
cpe:2.3:o:ibm:storwize_v5000_firmware:7.7.1.6:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Storwize V5000 » Version: N/A
IBM » Storwize V5000 Firmware » Version: 7.8.1.0
cpe:2.3:o:ibm:storwize_v5000_firmware:7.8.1.0:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Storwize V5000 » Version: N/A
IBM » Storwize V3500 Firmware » Version: 7.7.1.6
cpe:2.3:o:ibm:storwize_v3500_firmware:7.7.1.6:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Storwize V3500 » Version: N/A
IBM » Storwize V3500 Firmware » Version: 7.8.1.0
cpe:2.3:o:ibm:storwize_v3500_firmware:7.8.1.0:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Storwize V3500 » Version: N/A
Apache » Struts
Versions from including (>=) 2.2.3 and before (<) 2.3.32
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
Matching versions
Apache » Struts
Versions from including (>=) 2.5.0 and before (<) 2.5.10.1
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
Matching versions
Oracle » Weblogic Server » Version: 10.3.6.0.0
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Weblogic Server » Version: 12.1.3.0.0
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Weblogic Server » Version: 12.2.1.1.0
cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Weblogic Server » Version: 12.2.1.2.0
cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*
Matching versions
Lenovo » Storage V5030 Firmware » Version: 7.7.1.6
cpe:2.3:o:lenovo:storage_v5030_firmware:7.7.1.6:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Storage V5030 » Version: N/A
Lenovo » Storage V5030 Firmware » Version: 7.8.1.0
cpe:2.3:o:lenovo:storage_v5030_firmware:7.8.1.0:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Storage V5030 » Version: N/A
Arubanetworks » Clearpass Policy Manager
Versions before (<) 6.6.5
cpe:2.3:a:arubanetworks:clearpass_policy_manager:*:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Balance » Version: N/A
cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
Matching versions

CVE-2017-5638 is in the CISA Known Exploited Vulnerabilities Catalog

This issue is known to have been leveraged as part of a ransomware campaign.

CISA vulnerability name:

Apache Struts Remote Code Execution Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2017-5638

Added on 2021-11-03 Action due date 2022-05-03

Exploit prediction scoring system (EPSS) score for CVE-2017-5638

EPSS FAQ

95.86%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2017-5638

Apache Struts Jakarta Multipart Parser OGNL Injection

Disclosure Date: 2017-03-07

First seen: 2020-04-26

exploit/multi/http/struts2_content_type_ognl

This module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the ser

More information

CVSS scores for CVE-2017-5638

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
10.0	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	3.9	6.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-06
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST	2024-07-25
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-5638

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)
CWE-755 Improper Handling of Exceptional Conditions

The product does not handle or incorrectly handles an exceptional condition.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2017-5638

https://security.netapp.com/advisory/ntap-20170310-0001/

CVE-2017-5638 Apache Struts Vulnerability in Multiple NetApp Products | NetApp Product Security
Third Party Advisory
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt

Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us

HPESBHF03723 rev.1 - HPE Aruba ClearPass Policy Manager, using Apache Struts, Remote Code Execution
Third Party Advisory
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E

Re: Apache Software Foundation Security Report: 2020-Apache Mail Archives
Mailing List

CVEs referencing this url
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html

Apache Struts Vulnerability Exposes Sites to Attack
Press/Media Coverage;Third Party Advisory
https://struts.apache.org/docs/s2-046.html

S2-046 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
Mitigation;Vendor Advisory
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E

Apache Software Foundation Security Report: 2019 - Pony Mail

CVEs referencing this url
https://github.com/rapid7/metasploit-framework/issues/8064

CVE-2017-5638 - Apache Struts2 S2-045 · Issue #8064 · rapid7/metasploit-framework · GitHub
Exploit;Issue Tracking
http://www.securityfocus.com/bid/96729

Apache Struts CVE-2017-5638 Remote Code Execution Vulnerability
Broken Link;Third Party Advisory;VDB Entry
http://www.securitytracker.com/id/1037973

Apache Struts Jakarata Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System - SecurityTracker
Broken Link;Third Party Advisory;VDB Entry
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us

HPESBGN03749 rev.1 - HPE Server Automation, using Apache Struts, Remote Code Execution
Third Party Advisory
https://twitter.com/theog150/status/841146956135124993

og150 on Twitter: "Oh dear lord no....... Surely the 'Guest Self Registration' Cisco ISE portal isn't vulnerable :-| #ApacheStruts CVE-2017-5638… https://t.co/sOSxrn4Xoj"
Broken Link;Third Party Advisory
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt

Struts2 S2-045 Remote Command Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://isc.sans.edu/diary/22169

InfoSec Handlers Diary Blog - Critical Apache Struts 2 Vulnerability (Patch Now!)
Exploit;Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us

HPESBGN03733 rev.1 - HPE Universal CMDB using Apache Struts, Remote Code Execution
Broken Link
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html

http-vuln-cve2017-5638 NSE Script
Exploit;Third Party Advisory
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a

Broken Link
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/

CVE-2017-5638: Apache Struts 2 Vulnerability Leads to Remote Code Execution - TrendLabs Security Intelligence Blog
Exploit;Third Party Advisory
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a

ASF Git Repos
Patch
https://exploit-db.com/exploits/41570

Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution
Exploit;Third Party Advisory;VDB Entry
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228

ASF Git Repos
Patch
https://cwiki.apache.org/confluence/display/WW/S2-045

S2-045 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
Mitigation;Vendor Advisory
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/

Critical vulnerability under “massive” attack imperils high-impact sites [Updated] | Ars Technica
Exploit;Press/Media Coverage
https://cwiki.apache.org/confluence/display/WW/S2-046

S2-046 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
Mitigation;Vendor Advisory
https://support.lenovo.com/us/en/product_security/len-14200

Apache Struts Open Source Framework Remote Code Execution - US
Third Party Advisory
https://struts.apache.org/docs/s2-045.html

S2-045 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
Mitigation;Vendor Advisory
https://www.symantec.com/security-center/network-protection-security-advisories/SA145

SA145 : Apache Struts 2 RCE Vulnerability
Broken Link
https://github.com/mazen160/struts-pwn

GitHub - mazen160/struts-pwn: An exploit for Apache Struts CVE-2017-5638
Exploit
https://www.kb.cert.org/vuls/id/834067

VU#834067 - Apache Struts 2 is vulnerable to remote code execution
Third Party Advisory;US Government Resource
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E

Re: Apache Software Foundation Security Report: 2020 - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E

Apache Software Foundation Security Report: 2020 - Pony Mail

CVEs referencing this url
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

Talos Blog || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Content-Type: Malicious - New Apache Struts2 0-day Under Attack
Exploit;Third Party Advisory
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

Apache Software Foundation Security Report: 2019-Apache Mail Archives
Mailing List

CVEs referencing this url
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228

Broken Link
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Oracle Critical Patch Update - July 2017
Patch;Third Party Advisory

CVEs referencing this url
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/

Page not found | Blog
Third Party Advisory
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E

Apache Software Foundation Security Report: 2020-Apache Mail Archives
Mailing List

CVEs referencing this url
https://www.exploit-db.com/exploits/41614/

Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit)
Exploit;Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2017-5638