Struts 2 Remote Code Execution Vulnerability (S2-045)
Early in the morning of 7th March, Apache announced a S2-045 vulnerability of Apache Struts2 with vulnerability number CVE-2017-5638. Struts2 Jakarta Multipart parser plug-in has a remote code execution vulnerability. An attacker could modify the Content-Type value in the HTTP request header to trigger the vulnerability when using the plug-in to upload the file, resulting in data leakage, defacement, etc., like remote execution of the code, getting administrator privileges, adding users, viewing, modifying and deleting files.
S2-045 affected version: Struts 2.3.5 - Struts 2.3.31，Struts 2.5 - Struts 2.5.10
After discovering the vulnerability, Sangfor security team in the first time developed and provided the detection and solutions to help users avoid harm, maintenance of user network security.
Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON. Struts 2 is one of the most popular Java Web application frameworks.
The attacker can malicious code through the http message header Content-Type field to the vulnerability of the server, resulting in arbitrary code execution vulnerability.
Up to now, there are a lot of vulnerability POC in the public internet, randomly select one to test in the environment, it succeeded to execute “ifconfig” command.
The official version has been released, the user is recommended to upgrade to the latest version (Struts2 2.3.32 or Struts 188.8.131.52), the download link is as follows:
Struts 2.3.32: https://github.com/apache/struts/releases/tag/STRUTS_2_3_32
Struts 184.108.40.206: https://github.com/apache/struts/releases/tag/STRUTS_2_5_10_1
Sangfor NGAF users, please update the IPS signature database to 20170307 and newer version, then the NGAF can easily defend the attacks using this vulnerability.