Struts Vulnerability [CVE-2017-5638]

Vulnerability Overview:

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

Details:

The vulnerability exists in the Jakarta multipart parser. If the Content-Type header of a request to an application built on a vulnerable Struts framework carries an invalid value, the parser throws an exception, and that exception is used to show an error message to the user. An attacker can exploit this to escape from the data scope into the execution scope through the Content-Type header: the 'Content-Type' HTTP header is injected with arbitrary commands in the #cmd field, and the injected command is executed on the vulnerable server.

Recommended Solution:

Upgrade to Struts version 2.3.32 or 2.5.10.1, or switch to a different implementation of the parser.

Workaround:
1. Implement a servlet which validates the Content-Type header and throws away requests with suspicious values that do not match multipart/form-data.
2. Alternatively, remove the File Upload Interceptor from the stack: define your own custom stack and set it as the default. This works only for Struts 2.5.8 - 2.5.10.
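The first workaround above, written out as an added example (this is illustrative code, not part of Struts or of the advisory). It is a hypothetical servlet filter, ContentTypeGuardFilter, mapped in web.xml ahead of the Struts filter. It holds every request whose Content-Type mentions multipart/form-data anywhere (the substring Struts checks before handing a request to its multipart wrapper) to a strict media-type grammar, so a header carrying OGNL markers such as "%{" or "#cmd" never reaches the Jakarta parser, and the rejection response deliberately does not echo the header value back. The sample header values in main() are constructed for the demonstration.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * ContentTypeGuardFilter: a hypothetical servlet filter (not Struts code) that is
 * mapped in web.xml ahead of the Struts filter and rejects any request whose
 * Content-Type would reach the Jakarta multipart parser with a malformed value.
 */
public class ContentTypeGuardFilter implements Filter {

    // Strict grammar for a multipart upload header: the media type followed by
    // zero or more "name=value" parameters, where a value is either a quoted
    // string or a run of RFC 2046 boundary characters. OGNL markers such as
    // "%{" or "#" cannot match this pattern anywhere in the value.
    private static final Pattern SAFE_MULTIPART = Pattern.compile(
            "^multipart/form-data"
            + "(\\s*;\\s*[A-Za-z0-9._-]+=(\"[^\"]*\"|[A-Za-z0-9'()+_,./:=?-]*))*\\s*$",
            Pattern.CASE_INSENSITIVE);

    /**
     * Decides whether a Content-Type value may be handed on to the framework.
     * Only values that mention multipart/form-data are routed to the multipart
     * wrapper, so only those are held to the strict grammar; any other media
     * type never reaches the vulnerable parser.
     */
    static boolean isAcceptableContentType(String contentType) {
        if (contentType == null) {
            return true; // no body media type: no multipart parsing happens
        }
        String lower = contentType.toLowerCase(Locale.ROOT);
        if (!lower.contains("multipart/form-data")) {
            return true;
        }
        return SAFE_MULTIPART.matcher(contentType).matches();
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String contentType = request.getContentType();
        if (!isAcceptableContentType(contentType)) {
            // Do not echo the header back in the error body: the vulnerable code
            // path is exactly an error message built from the untrusted header.
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_BAD_REQUEST, "Unsupported Content-Type");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    // Constructed sample header values for a quick offline check of the rule.
    public static void main(String[] args) {
        String[] samples = {
            "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
            "multipart/form-data; charset=UTF-8; boundary=\"abc def\"",
            "application/x-www-form-urlencoded",
            "%{#cmd='x'} multipart/form-data",        // constructed: OGNL marker before the media type
            "multipart/form-data; boundary=%{#cmd}"    // constructed: marker inside a parameter value
        };
        for (String s : samples) {
            System.out.println((isAcceptableContentType(s) ? "ACCEPT " : "REJECT ") + s);
        }
    }
}
```

Register the filter in web.xml with a filter-mapping declared before the Struts filter's mapping, since the container applies filters in declaration order. The first three samples are accepted and the last two rejected with a 400 and a fixed message; logging the rejection (without the raw header value) gives a useful detection signal for scanning activity while the upgrade is rolled out.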

System Affected/Related OS and Version:

This issue affects the following versions:
struts:2.5.2
struts:2.5.1
struts:2.3.6
struts:2.5.4
struts:2.3.5
struts:2.5.3
struts:2.3.8
struts:2.5.6
struts:2.3.7
struts:2.5.5
struts:2.5.8
struts:2.3.9
struts:2.5.7
struts:2.5.9
struts:2.3.11
struts:2.3.10
struts:2.3.15.1
struts:2.3.15.2
struts:2.3.28.1
struts:2.3.17
struts:2.3.16
struts:2.3.19
struts:2.3.13
struts:2.3.12
struts:2.3.15
struts:2.3.14
struts:2.3.15.3
struts:2.3.24.3
struts:2.3.24.2
struts:2.3.24.1
struts:2.3.20.3
struts:2.3.20.1
struts:2.3.20.2
struts:2.3.20
struts:2.3.22
struts:2.3.21
struts:2.3.28
struts:2.3.27
struts:2.3.29
struts:2.3.24
struts:2.3.23
struts:2.3.26
struts:2.3.25
struts:2.5
struts:2.3.31
struts:2.5.10
struts:2.3.30
struts:2.3.14.1
struts:2.3.14.2
struts:2.3.14.3
struts:2.3.16.1
struts:2.3.16.2
struts:2.3.16.3

Appendix:

External sources:
MISC: http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
MISC: http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638...
MISC: http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html
BID: http://www.securityfocus.com/bid/96729
MISC: https://arstechnica.com/security/2017/03/critical-vulnerability-under-ma...
CONFIRM: https://cwiki.apache.org/confluence/display/WW/S2-045
EXPLOIT-DB: https://exploit-db.com/exploits/41570
CONFIRM: https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306...
CONFIRM: https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272...
MISC: https://github.com/mazen160/struts-pwn
MISC: https://github.com/rapid7/metasploit-framework/issues/8064
MISC: https://isc.sans.edu/diary/22169
MISC: https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
MISC: https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
MISC: https://twitter.com/theog150/status/841146956135124993
CONFIRM: https://support.lenovo.com/us/en/product_security/len-14200
MISC: https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execu...

Threat Category: