An Apache Struts2 vulnerability has been published which allows remote code execution by injecting a specially crafted Content-Type HTTP header [1].
Affected versions:
Apache Struts 2.3.5 – 2.3.31
Apache Struts 2.5 – 2.5.10
Airlock WAF is not affected because Apache Struts2 is not installed/used.
If you are using a vulnerable Apache Struts2 version on a back-end application, we strongly recommend updating Struts2 to version 2.3.32 / 2.5.10.1 or higher, or applying the workaround described in [1].
If you can't update Struts2 or apply the workaround, you can create a virtual patch for this vulnerability on Airlock WAF by configuring a deny rule with the following settings on the affected mapping:
Header Name Pattern: Content-Type
Case-sensitivity: off
Invert: off
Header Value Pattern: [%$]\{
Case-sensitivity: on
Invert: off
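As an added illustration (not from this advisory and not Airlock's own code), the following Python models the deny rule above and runs it over two constructed requests; it assumes both patterns are applied as unanchored searches against the header name and value, and uses an invented hostname and marker value.

```python
import re
from typing import Dict, Optional

# The two patterns from the advisory's deny rule. Header name: case-sensitivity off;
# header value: case-sensitivity on. Assumption: the WAF applies both as unanchored searches.
HEADER_NAME_PATTERN = re.compile(r"Content-Type", re.IGNORECASE)
HEADER_VALUE_PATTERN = re.compile(r"[%$]\{")

def header_matches_deny_rule(name: str, value: str) -> bool:
    """True when one header triggers the virtual patch: name matches (case-insensitive)
    AND the value contains '%{' or '${' (case-sensitive)."""
    return bool(HEADER_NAME_PATTERN.search(name)) and bool(HEADER_VALUE_PATTERN.search(value))

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header section of a raw HTTP/1.1 request into a name -> value dict
    (the first line is the request line; headers end at the first blank line)."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

def blocked_header(raw_request: str) -> Optional[str]:
    """Return the name of the first header that hits the deny rule, or None if the request passes."""
    for name, value in parse_headers(raw_request).items():
        if header_matches_deny_rule(name, value):
            return name
    return None

# Constructed sample requests (hostname and marker are invented, not captured traffic).
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----ConstructedBoundary42\r\n"
    "\r\n"
)
FLAGGED_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "content-type: %{constructed-marker}\r\n"   # lower-case name still matches; value contains '%{'
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_UPLOAD), ("flagged", FLAGGED_UPLOAD)):
        print(label, "->", blocked_header(req) or "passes")
```

Note that the rule only inspects the Content-Type header, so the same marker in any other header is deliberately not matched by this virtual patch.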