Apache Struts2 Jakarta Multipart Parser Vulnerability (CVE-2017-5638)
The vulnerability exists within the Jakarta Multipart parser in Apache Struts. It is trivial to exploit, and exploit code has been released publicly. Exploitation uses the Content-Type header of a request to a Struts application action to perform command execution.
Exposure and Impact
Successful exploitation of this vulnerability can lead to direct command execution in the context of the user running the service. This is a true remote vulnerability that can be leveraged against a service running on the system.
Remediation & Mitigation
Apache recommends the following remediation and mitigation options:
- Upgrade to Apache Struts version 2.3.32 or 126.96.36.199.
- Switch from the Jakarta parser to the Pell parser.
- Create a Servlet filter to reject Content-Type values that are unexpected.
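
One way to build the Servlet filter from the last option, as an added example (not code from Apache or Tripwire). The class name `ContentTypeAllowlistFilter`, the allowlisted media types, and the 200-character limit are assumptions to adapt to the application; it assumes the `javax.servlet` API and Java 9 or later.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: rejects any request whose Content-Type is not on an allowlist.
public class ContentTypeAllowlistFilter implements Filter {

    // Assumption: the only media types this application legitimately receives.
    private static final Set<String> ALLOWED = Set.of(
            "application/x-www-form-urlencoded", "multipart/form-data");

    // Optional parameters such as charset or boundary, limited to the
    // characters RFC 2046 permits in a boundary value (quoted or unquoted).
    private static final Pattern PARAMS = Pattern.compile(
            "(\\s*;\\s*[A-Za-z0-9-]+=\"?[A-Za-z0-9'()+_,./:=? -]{1,70}\"?)*\\s*");

    private static final int MAX_LENGTH = 200; // assumed upper bound for a sane header

    /** Returns true only for a short, well-formed, allowlisted Content-Type. */
    static boolean isExpected(String header) {
        if (header == null) return true;            // no body type declared (e.g. GET)
        if (header.length() > MAX_LENGTH) return false;
        int semi = header.indexOf(';');
        String base = (semi < 0 ? header : header.substring(0, semi))
                .trim().toLowerCase(Locale.ROOT);
        String params = semi < 0 ? "" : header.substring(semi);
        return ALLOWED.contains(base) && PARAMS.matcher(params).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Assumes an HTTP deployment, so the casts below are safe.
        String contentType = ((HttpServletRequest) req).getHeader("Content-Type");
        if (!isExpected(contentType)) {
            // Reject before the request reaches Struts' multipart handling.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Map this filter ahead of the Struts filter in `web.xml` so it runs first, and log rejected requests if the rejections should feed detection.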
Tripwire is planning to release coverage for this CVE in ASPL-715.