Lucene search

K
certCERTVU:834067
HistoryMar 14, 2017 - 12:00 a.m.

Apache Struts 2 is vulnerable to remote code execution

2017-03-1400:00:00
www.kb.cert.org
787

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%

Overview

Apache Struts, versions 2.3.5 - 2.3.31 and 2.5 - 2.5.10, is vulnerable to code injection leading to remote code execution (RCE).

Description

CWE-94: Improper Control of Generation of Code - CVE-2017-5638

An attacker can execute arbitrary OGNL code included in the “Content-Type” header of a file upload.

This vulnerability is actively being exploited.


Impact

An unauthenticated remote attacker can execute arbitrary commands with the privileges of the user running Apache Struts.


Solution

Apply an update
Update to Apache Struts 2.3.32 or 2.5.10.1


If you are unable to update Struts, please see the workaround suggested by Apache here.


Vendor Information

834067

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apache Struts Affected

Updated: March 14, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 8.7 E:H/RL:OF/RC:C
Environmental 8.7 CDP:N/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2017-5638
Date Public: 2017-03-06 Date First Published:

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%