Summary
A critical vulnerability in the Apache Struts 2 framework has been publicly disclosed.
Impact
This vulnerability allows unauthenticated, remote code execution on the server. Further, at least two public exploits for this vulnerability are known [2], and ISP has already begun seeing scanning and exploitation attempts against campus systems.
Vulnerable
- Apache Struts 2.3.5 through 2.3.31 [3]
- Apache Struts 2.5 through 2.5.10
Recommendations
- Upgrade to Struts 2.3.32 or Struts 2.5.10.1
- Implement a Servlet filter that validates the Content-Type header and discards requests whose value does not match a well-formed multipart/form-data type.
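The following is an added example of the second recommendation, written for this advisory; it is not code from the advisory or from the Struts project. It assumes (as the Struts 2.3/2.5 dispatcher does) that any Content-Type header containing "multipart/form-data" is handed to the multipart parser, and that the filter is mapped in web.xml on the same URL pattern as, and ahead of, the Struts filter. The allow-list for parameter values is deliberately conservative and may need widening for unusual but legitimate clients.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// web.xml (assumed deployment): declare this filter and map it to /*
// BEFORE the struts2 filter-mapping so it runs first in the chain.
public class MultipartContentTypeFilter implements Filter {

    // Allow-list grammar for a multipart/form-data Content-Type:
    //   multipart/form-data [; name=value]*
    // Parameter values (quoted or bare) are limited to the characters a
    // boundary legitimately uses (RFC 2046), so expression-language syntax
    // such as braces, '$', '#' or '@' can never reach the multipart parser.
    private static final Pattern SAFE_MULTIPART = Pattern.compile(
        "^multipart/form-data"
        + "(\\s*;\\s*[A-Za-z0-9_-]+\\s*=\\s*\"?[A-Za-z0-9'()+_,./:=?\\- ]*\"?)*\\s*$",
        Pattern.CASE_INSENSITIVE);

    // Returns true when the request may proceed. Non-multipart requests are
    // not the subject of this advisory and pass through unchanged.
    static boolean isAcceptable(String contentType) {
        if (contentType == null) return true;
        if (!contentType.toLowerCase(Locale.ROOT).contains("multipart/form-data")) return true;
        return SAFE_MULTIPART.matcher(contentType).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Read the raw header rather than getContentType() so nothing is normalised away.
        String contentType = ((HttpServletRequest) req).getHeader("Content-Type");
        if (!isAcceptable(contentType)) {
            // Reject before Struts parses the body; log the event for detection.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Rejected requests surface as HTTP 403 in the access log, which gives a simple signal for counting scan attempts while the upgrade is rolled out.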