You are here

Apache Struts2: Remote Code Execution (S2-045)

CVE-2017-5638, S2-045
struts2, OGNL

An Apache Struts2 vulnerability has been released which allows remote code execution by injecting a special crafted content type HTTP header [1].

Affected versions:
Apache Struts 2.3.5 – 2.3.31
Apache Struts 2.5 – 2.5.10

Airlock WAF is not affected because Apache Struts2 is not installed/used.


If you are using a vulnerable Apache Struts2 version on a back-end application we strongly recommend to update Struts2 to version 2.3.32/ or higher or to apply the workaround described in [1].

If you can't update Struts2 or apply the workaround you can create a virtual patch for this vulnerability on Airlock WAF by configuring a deny rule with the following settings on the affected mapping.

Header Name Pattern: Content-Type
Case-sensitivity: off
Invert: off

Header Value Pattern: [%$]\{
Case-sensitivity: on
Invert: off
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Airlock protects, requires changes in configuration