Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2017-5638

Disclosure Date: March 11, 2017
CVE-2017-5638 CVSS v3 Base Score: 9.8
Exploited in the Wild
Reported by AttackerKB Worker and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Common in enterpriseEasy to weaponizeUnauthenticatedVulnerable in default configuration
Technical Analysis

This popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!

Log in to Add Reply
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Common in enterpriseVulnerable in default configuration
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
  • Associated Malware: JexBoss
  • Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1
Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Apache Struts 2.3.x before 2.3.32
Apache Struts 2.5.x before 2.5.10.1
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
exploit/multi/http/struts2_content_type_ognl
Reporter
Unknown

Vendors

  • apache,
  • arubanetworks,
  • hp,
  • ibm,
  • lenovo,
  • netapp,
  • oracle

Products

  • clearpass policy manager,
  • oncommand balance -,
  • server automation 10.0.0,
  • server automation 10.1.0,
  • server automation 10.2.0,
  • server automation 10.5.0,
  • server automation 9.1.0,
  • storage v5030 firmware 7.7.1.6,
  • storage v5030 firmware 7.8.1.0,
  • storwize v3500 firmware 7.7.1.6,
  • storwize v3500 firmware 7.8.1.0,
  • storwize v5000 firmware 7.7.1.6,
  • storwize v5000 firmware 7.8.1.0,
  • storwize v7000 firmware 7.7.1.6,
  • storwize v7000 firmware 7.8.1.0,
  • struts,
  • weblogic server 10.3.6.0.0,
  • weblogic server 12.1.3.0.0,
  • weblogic server 12.2.1.1.0,
  • weblogic server 12.2.1.2.0

Exploited in the Wild

Reported by:

References

Canonical
CVE-2017-5638 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638)
BID-96729 (http://www.securityfocus.com/bid/96729)
Advisory
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt
EXPLOIT-DB-41570 (https://exploit-db.com/exploits/41570)
https://security.netapp.com/advisory/ntap-20170310-0001
https://struts.apache.org/docs/s2-046.html
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us
VU#834067 (https://www.kb.cert.org/vuls/id/834067)
https://struts.apache.org/docs/s2-045.html
SECTRACK-1037973 (http://www.securitytracker.com/id/1037973)
https://www.symantec.com/security-center/network-protection-security-advisories/SA145
https://support.lenovo.com/us/en/product_security/len-14200
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228
https://cwiki.apache.org/confluence/display/WW/S2-045
EXPLOIT-DB-41614 (https://www.exploit-db.com/exploits/41614)
https://cwiki.apache.org/confluence/display/WW/S2-046
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us
[announce] 20200131 Apache Software Foundation Security Report: 2019 (https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E)
https://security.netapp.com/advisory/ntap-20170310-0001/
EXPLOIT-DB-41614 (https://www.exploit-db.com/exploits/41614/)
[announce] 20210125 Apache Software Foundation Security Report: 2020 (https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E)
[announce] 20210223 Re: Apache Software Foundation Security Report: 2020 (https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E)
Miscellaneous
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites
https://github.com/rapid7/metasploit-framework/issues/8064
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2
https://isc.sans.edu/diary/22169
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html
https://twitter.com/theog150/status/841146956135124993
https://github.com/mazen160/struts-pwn
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis