CVE-2017-5638: Apache Struts 2 Vulnerability Leads to Remote Code Execution

By | March 9, 2017

Apache Struts is a free and open-source framework used to build Java web applications. We looked into several past Remote Code Execution (RCE) vulnerabilities reported in Apache Struts, and observed that in most of them, attackers have used Object Graph Navigation Language (OGNL) expressions. The use of OGNL makes it easy to execute arbitrary code remotely because Apache Struts uses it for many of its processes.

Using OGNL, a researcher found a new remote code execution vulnerability in Apache Struts 2, designated as CVE-2017-5638. An exploit has been reported to be already in the wild; our own research and monitoring have also seen attacks using the vulnerability.

Attack Scenario

This particular vulnerability can be exploited if the attacker sends a crafted request to upload a file to a vulnerable server that uses a Jakarta-based plugin to process the upload request.

The attacker can then send malicious code in the Content-Type header to execute the command on a vulnerable server. A proof of concept that demonstrates the attack scenario is publicly available.

Vulnerability Dissection

We took a closer look at the patch to further understand the vulnerability and found that the vendor removed the usage of class “LocalizedTextUtil” from This was meant to provide an error message to the user if the file upload, using multipart HTTP request, isn’t successful.

Figure 1: Patch diff code snapshot

To provide an appropriate error message to the user, it used the function “findText” defined in LocalizedTextUtil to parse the error key message and get the defined error message for it.

Figure 2: Defined error messages in Apache Struts’ File Upload function

The findText function definition is:

public static String findText(Class aClass, String aTextName,
Locale locale, String defaultMessage, Object[] args )

This function finds a locally stored text message for the given error key passed in variable “aTextName”. The parameters are:

aClass: FileUploadInterceptor passes the error class to use as the start point of the error message search

aTextName: the error key used to obtain the error message for it

Locale: the locale where the message is stored for the respective error key

defaultMessage: the message to be returned if no text message can be found in any resource bundle

args: the error arguments’ resource bundle

If the message is found, these will be treated as an OGNL expression and evaluated as such. So, if an attacker passes the OGNL expression in the Content-Type header with “multipart/form-data”, it will be evaluated and will help the attacker to execute arbitrary code remotely.

To fix this issue, the vendor has removed the usage of class “LocalizedTextUtil”, along with “”, which can also be used to output the RCE result to the attacker.

Apache Struts versions Struts 2.3.5 – Struts 2.3.31, Struts 2.5 – Struts 2.5.10 are reported to be affected. If you are using the Jakarta-based file upload Multipart parser, upgrading to Apache Struts version 2.3.32 or is recommended. You can also switch to a different implementation of the Multipart parser.
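The Content-Type condition described above can also be checked on the defensive side. The following is an added example, not code from the original article or from Apache Struts: a Python check that flags Content-Type values carrying an expression opener or failing the HTTP media-type grammar. The marker set, verdict names and sample requests are constructed assumptions of this example.

```python
import re

# HTTP media-type grammar: type "/" subtype *( OWS ";" OWS name=value )
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PARAM = rf'\s*;\s*{_TOKEN}=(?:{_TOKEN}|"[^"\\]*")'
MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")

# Expression openers treated as suspicious (assumption of this example).
OGNL_MARKERS = ("%{", "${")


def classify_content_type(value):
    """Return a verdict for one Content-Type header value."""
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl-marker"
    if MEDIA_TYPE.match(value.strip()):
        return "ok"
    # Mentions multipart/form-data but is not a well-formed media type:
    # the shape of request that reaches the upload error-message path.
    if "multipart/form-data" in value.lower():
        return "malformed-multipart"
    return "malformed"


def scan(requests):
    """Return (client, path, verdict) for every request that is not 'ok'."""
    findings = []
    for client, path, content_type in requests:
        verdict = classify_content_type(content_type)
        if verdict != "ok":
            findings.append((client, path, verdict))
    return findings


# Constructed sample requests: (client address, path, Content-Type value).
# The second value is an inert placeholder, not a working expression.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/upload.action", "multipart/form-data; boundary=----abc123"),
    ("203.0.113.9", "/upload.action", "%{placeholder-expression}.multipart/form-data"),
    ("198.51.100.8", "/api/items", "application/json; charset=utf-8"),
    ("203.0.113.10", "/upload.action", "multipart/form-data boundary"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The same classification can be applied to logged Content-Type values or used to reject requests at a reverse proxy before they reach the application.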

Trend Micro Solutions 

Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that exploit vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from known and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other related threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these kinds of attacks even without any engine or pattern update.

Deep Security™ provides protection from any threats that may target this vulnerability via the following DPI rule:

1008207 – Apache Struts2 Remote Code Execution Vulnerability (CVE-2017-5638)

Deep Discovery Inspector protects customers from this threat via this DDI Rule:

Beta Rule ID: 3421 – CVE-2017-5638_HTTP_APACHESTRUTS_EXPLOIT

TippingPoint customers are protected against this threat via these Custom Shield Writer (CSW) and MainlineDV filters:

CSW: HTTP: Apache Struts Content-type Command Injection Vulnerability (CVE-2017-5638)
27410: HTTP: Apache Struts Content-type Command Injection Vulnerability (CVE-2017-5638)
