Critical Apache Struts 2.x Vulnerability

Summary

A critical vulnerability has been disclosed in the Apache Struts 2 framework. It is triggered by a crafted Content-Type request header that Struts passes to its default multipart (file upload) parser, so any application exposing Struts 2 actions is affected whether or not it uses file uploads.

Impact

This vulnerability allows unauthenticated remote code execution on the server, with the privileges of the user running the application container. At least two public exploits are available [2], and ISP has already observed scanning and exploitation attempts against campus systems.

Vulnerable Versions

  • Apache Struts 2.3.5 - Struts 2.3.31 [3]
  • Apache Struts 2.5 - Struts 2.5.10

Recommendations

  • Upgrade to Struts 2.3.32 (for 2.3.x deployments) or Struts 2.5.10.1 (for 2.5.x deployments).
  • If an immediate upgrade is not possible, implement a Servlet filter that validates the Content-Type header and rejects requests whose value is not a well-formed multipart/form-data header (a media type followed by a boundary parameter) or another plain media type. Treat this as a stop-gap only; it does not replace the upgrade.
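
The filter below is an added example written for this advisory; it is not code from Apache or from the page's authors. It assumes a Servlet 3.x or 4.x container (javax.servlet) and that the filter is mapped ahead of the Struts filter in web.xml; the class name, the regular expressions, and the decision to answer with HTTP 400 are this example's own choices. Any Content-Type that mentions multipart/form-data must be exactly a media type plus a boundary parameter; every other value must be a plain media type with simple parameters. Either way, a header that carries expression syntax instead of a media type is never handed to the Struts multipart parser.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Stop-gap Content-Type validation for Struts 2 applications awaiting an upgrade.
 * Hypothetical class name; map it in web.xml before the Struts filter so it runs first.
 */
public class ContentTypeValidationFilter implements Filter {

    // multipart/form-data with one boundary parameter (RFC 2046 boundary characters,
    // optionally quoted) and an optional charset parameter that some clients append.
    private static final Pattern MULTIPART_OK = Pattern.compile(
        "^multipart/form-data\\s*;\\s*boundary=\"?[0-9A-Za-z'()+_,\\-./:=? ]{1,70}\"?"
        + "(\\s*;\\s*charset=[0-9A-Za-z\\-_]{1,40})?\\s*$",
        Pattern.CASE_INSENSITIVE);

    // Any other media type: type/subtype plus simple name=value parameters. Quoted
    // values may not contain the characters used by expression syntax (% { } $ #).
    private static final Pattern GENERIC_OK = Pattern.compile(
        "^[0-9A-Za-z.+\\-]{1,127}/[0-9A-Za-z.+\\-]{1,127}"
        + "(\\s*;\\s*[0-9A-Za-z\\-_]{1,40}=(\"[^\"%{}$#]{0,100}\"|[0-9A-Za-z\\-_.+:]{1,100}))*\\s*$",
        Pattern.CASE_INSENSITIVE);

    /** Returns true when the raw Content-Type header is safe to pass on to Struts. */
    public static boolean isAcceptableContentType(String header) {
        if (header == null) {
            return true; // request without a body (e.g. GET): nothing to parse
        }
        String value = header.trim();
        if (value.toLowerCase(Locale.ROOT).contains("multipart/form-data")) {
            // Anything that mentions multipart/form-data must be exactly a multipart header.
            return MULTIPART_OK.matcher(value).matches();
        }
        return GENERIC_OK.matcher(value).matches();
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
            String contentType = ((HttpServletRequest) request).getHeader("Content-Type");
            if (!isAcceptableContentType(contentType)) {
                // Reject before Struts sees the request. The offending header is deliberately
                // not echoed back; log it server-side if you need it for incident response.
                ((HttpServletResponse) response).sendError(
                    HttpServletResponse.SC_BAD_REQUEST, "Rejected Content-Type header");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    /** Stand-alone check against constructed sample headers (not captured traffic). */
    public static void main(String[] args) {
        String[] expectedAccepted = {
            null,
            "application/x-www-form-urlencoded",
            "application/json; charset=utf-8",
            "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
            "Multipart/Form-Data; boundary=\"simple boundary\""
        };
        String[] expectedRejected = {
            "%{(#_='multipart/form-data').(#x=1)}",      // expression wrapped around the media type
            "multipart/form-data; boundary=abc; name=${x}", // extra parameter carrying expression syntax
            "multipart/form-data",                         // no boundary: not a parsable multipart body
            "text/plain; charset=#{1+1}"                   // expression syntax in a parameter value
        };
        for (String h : expectedAccepted) {
            System.out.println((isAcceptableContentType(h) ? "ACCEPT " : "WRONG  ") + h);
        }
        for (String h : expectedRejected) {
            System.out.println((isAcceptableContentType(h) ? "WRONG  " : "REJECT ") + h);
        }
    }
}
```

Register the class with a filter and filter-mapping element in web.xml that precedes the Struts filter-mapping; the container applies filters in the order the mappings appear, so a mapping placed after Struts would run too late. The allow-list approach is intentional: instead of searching for known-bad substrings, the filter only forwards headers that look like a legitimate media type, which also covers variants of the malicious header that a substring blocklist would miss.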

References