{"id":83992,"date":"2017-03-14T16:31:23","date_gmt":"2017-03-14T11:01:23","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=83992"},"modified":"2017-03-14T16:31:23","modified_gmt":"2017-03-14T11:01:23","slug":"cve-2017-5638-apache-struts-2-remote-code-execution-vulnerability","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/cve-2017-5638-apache-struts-2-remote-code-execution-vulnerability\/","title":{"rendered":"CVE-2017-5638 &#8211; Apache Struts 2 Remote Code Execution Vulnerability"},"content":{"rendered":"<p>The well-known open source web application framework Apache Struts 2 is being actively exploited in the wild, allowing attackers to execute code remotely on affected servers. To address this issue, Apache has issued a security <a href=\"https:\/\/cwiki.apache.org\/confluence\/display\/WW\/S2-045\">advisory<\/a> and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-5638\">CVE-2017-5638<\/a> has been assigned to it. The zero-day bug has been given the highest severity rating, \u2018High\u2019. The proof of concept can be found <a href=\"https:\/\/github.com\/tengzhangchao\/Struts2_045-Poc\">here<\/a>. The open source Struts framework is used widely by organizations across the globe, which makes this vulnerability an attractive target for attackers.<\/p>\n<p><strong>Vulnerable Versions:<\/strong><\/p>\n<ul>\n<li>Struts 2.3.5<\/li>\n<li>Struts 2.3.31<\/li>\n<li>Struts 2.5<\/li>\n<li>Struts 2.5.10<\/li>\n<\/ul>\n<p><strong>Vulnerability<\/strong><\/p>\n<p>The vulnerability is triggered by sending a crafted \u2018Content-Type\u2019 HTTP header. The Jakarta Multipart parser fails to properly validate the file-upload request, which allows attackers to achieve remote code execution. The \u2018Content-Type\u2019 HTTP header is injected with an arbitrary command in the #cmd field. The injected command gets executed on the vulnerable server.<\/p>\n<figure id=\"attachment_83993\" aria-describedby=\"caption-attachment-83993\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-83993 size-large\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/03\/struts-650x146.png\" alt=\"Fig 1. Vulnerability\" width=\"650\" height=\"146\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/struts-650x146.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/struts-300x68.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/struts-768x173.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/struts-789x178.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/struts.png 888w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-83993\" class=\"wp-caption-text\">Fig 1. Vulnerability<\/figcaption><\/figure>\n<p><strong>Quick Heal Detections<\/strong><\/p>\n<p>Quick Heal has released the following IPS detection for the vulnerability <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-5638\">CVE-2017-5638<\/a>.<\/p>\n<ul>\n<li>VID-01568: Apache Struts Remote Code Execution vulnerability<\/li>\n<\/ul>\n<p>Some of the reported payloads dropped by exploiting this vulnerability have been detected by Quick Heal as:<\/p>\n<ul>\n<li>Backdoor.Linux.Setag.E<\/li>\n<li>TrojanXor.Linux.DDos.A<\/li>\n<\/ul>\n<p><strong>Conclusion<\/strong><\/p>\n<p>The high-profile zero-day vulnerability has now been patched by Apache Struts. We strongly recommend that users upgrade their Apache Struts installation to <a href=\"https:\/\/cwiki.apache.org\/confluence\/display\/WW\/Version+Notes+2.3.32\">Struts 2.3.32<\/a> or <a href=\"https:\/\/cwiki.apache.org\/confluence\/display\/WW\/Version+Notes+2.5.10.1\">Struts 2.5.10.1<\/a>, as per the advisory, and also apply the latest security updates from Quick Heal.<\/p>\n<p><strong>ACKNOWLEDGEMENT<\/strong><\/p>\n<p><strong>\u2022 Vishal Singh<br \/>\n\u2022 Pradeep Kulkarni<br \/>\n<\/strong>\u2013 Threat Research and Response Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The well-known open source web application framework Apache Struts 2 is being actively exploited in the wild, allowing attackers to execute code remotely on affected servers. To address this issue, Apache has issued a security advisory and CVE-2017-5638 has been assigned to it. The zero-day bug has been given the highest severity rating, \u2018High\u2019. [&hellip;]<\/p>\n","protected":false},"author":31,"featured_media":83650,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[133,24],"tags":[1409,1327,58,38,718],"class_list":["post-83992","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacker","category-malware","tag-apache","tag-cve","tag-hacking","tag-vulnerability","tag-zero-day"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/83992"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=83992"}],"version-history":[{"count":2,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/83992\/revisions"}],"predecessor-version":[{"id":83995,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/83992\/revisions\/83995"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/83650"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=83992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=83992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=83992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}