Lucene search

K
cloudfoundryCloud FoundryCFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350
HistoryMar 14, 2017 - 12:00 a.m.

CVE-2017-5638: Apache Struts Remote Code Execution | Cloud Foundry

2017-03-1400:00:00
Cloud Foundry
www.cloudfoundry.org
81

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%

Severity

Advisory/Critical

Vendor

Apache

Versions Affected

  • Apache Struts 2:
    • 2.3.x versions prior to 2.3.32
    • 2.5.x versions prior to 2.5.10.1

Description

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 [1] mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017 [2].

Affected Cloud Foundry Products and Versions

  • The Cloud Foundry team has determined that core releases do not package Apache Struts.
  • However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [3].

Mitigation

  • The Cloud Foundry team has determined that the project is not exposed to this particular vulnerability and therefore does not require any Cloud Foundry-specific upgrades.
  • However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [3].

Credit

Nike Zheng

References

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%