Vulnerability Details : CVE-2017-5638
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Vulnerability category: Input validation
At least one public exploit which can be used to exploit this vulnerability exists!
CVE-2017-5638 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name: Apache Struts Remote Code Execution Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.
Added on: 2021-11-03
Action due date: 2022-05-03
Exploit prediction scoring system (EPSS) score for CVE-2017-5638
Probability of exploitation activity in the next 30 days: 97.54%
Percentile, the proportion of vulnerabilities that are scored at or less: ~100%
Metasploit modules for CVE-2017-5638
- Apache Struts Jakarta Multipart Parser OGNL Injection
Disclosure Date: 2017-03-07
First seen: 2020-04-26
exploit/multi/http/struts2_content_type_ognl
This module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the ser
CVSS scores for CVE-2017-5638
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | nvd@nist.gov |
10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 | nvd@nist.gov |
CWE ids for CVE-2017-5638
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-5638
-
https://security.netapp.com/advisory/ntap-20170310-0001/
CVE-2017-5638 Apache Struts Vulnerability in Multiple NetApp Products | NetApp Product Security
-
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt
-
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us
HPESBHF03723 rev.1 - HPE Aruba ClearPass Policy Manager, using Apache Struts, Remote Code Execution
-
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html
Apache Struts Vulnerability Exposes Sites to Attack [Press/Media Coverage]
-
https://struts.apache.org/docs/s2-046.html
S2-046 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
-
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
Apache Software Foundation Security Report: 2019 - Pony Mail
-
https://github.com/rapid7/metasploit-framework/issues/8064
CVE-2017-5638 - Apache Struts2 S2-045 · Issue #8064 · rapid7/metasploit-framework · GitHub [Exploit]
-
http://www.securityfocus.com/bid/96729
Apache Struts CVE-2017-5638 Remote Code Execution Vulnerability [Third Party Advisory; VDB Entry]
-
http://www.securitytracker.com/id/1037973
Apache Struts Jakarata Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System - SecurityTracker
-
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us
HPESBGN03749 rev.1 - HPE Server Automation, using Apache Struts, Remote Code Execution
-
https://twitter.com/theog150/status/841146956135124993
og150 on Twitter: "Oh dear lord no....... Surely the 'Guest Self Registration' Cisco ISE portal isn't vulnerable :-| #ApacheStruts CVE-2017-5638… https://t.co/sOSxrn4Xoj" [Third Party Advisory]
-
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
Struts2 S2-045 Remote Command Execution ≈ Packet Storm [Exploit; VDB Entry]
-
https://isc.sans.edu/diary/22169
InfoSec Handlers Diary Blog - Critical Apache Struts 2 Vulnerability (Patch Now!) [Technical Description; Third Party Advisory]
-
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us
HPESBGN03733 rev.1 - HPE Universal CMDB using Apache Struts, Remote Code Execution
-
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
http-vuln-cve2017-5638 NSE Script [Third Party Advisory]
-
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
CVE-2017-5638: Apache Struts 2 Vulnerability Leads to Remote Code Execution - TrendLabs Security Intelligence Blog [Technical Description; Third Party Advisory]
-
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a
ASF Git Repos [Patch]
-
https://exploit-db.com/exploits/41570
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution [Exploit; VDB Entry]
-
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228
ASF Git Repos [Patch]
-
https://cwiki.apache.org/confluence/display/WW/S2-045
S2-045 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation [Mitigation; Vendor Advisory]
-
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
Critical vulnerability under “massive” attack imperils high-impact sites [Updated] | Ars Technica [Press/Media Coverage]
-
https://cwiki.apache.org/confluence/display/WW/S2-046
S2-046 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
-
https://support.lenovo.com/us/en/product_security/len-14200
Apache Struts Open Source Framework Remote Code Execution - US
-
https://struts.apache.org/docs/s2-045.html
S2-045 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
-
https://www.symantec.com/security-center/network-protection-security-advisories/SA145
SA145 : Apache Struts 2 RCE Vulnerability
-
https://github.com/mazen160/struts-pwn
GitHub - mazen160/struts-pwn: An exploit for Apache Struts CVE-2017-5638Exploit
-
https://www.kb.cert.org/vuls/id/834067
VU#834067 - Apache Struts 2 is vulnerable to remote code execution
-
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E
Re: Apache Software Foundation Security Report: 2020 - Pony Mail
-
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E
Apache Software Foundation Security Report: 2020 - Pony Mail
-
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
Talos Blog || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Content-Type: Malicious - New Apache Struts2 0-day Under Attack [Technical Description; Third Party Advisory]
-
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Oracle Critical Patch Update - July 2017
-
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
-
https://www.exploit-db.com/exploits/41614/
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit)
Products affected by CVE-2017-5638
- cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*