Signature Detail

HTTP: Apache Struts 2 Malicious Header Remote Code Execution

This signature detects attempts to exploit a known vulnerability against Apache Struts. A successful attack can lead to arbitrary code execution.

Extended Description

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Affected Products

• Apache struts 2.3.10
• Apache struts 2.3.11
• Apache struts 2.3.12
• Apache struts 2.3.13
• Apache struts 2.3.14
• Apache struts 2.3.14.1
• Apache struts 2.3.14.2
• Apache struts 2.3.14.3
• Apache struts 2.3.15
• Apache struts 2.3.15.1
• Apache struts 2.3.15.2
• Apache struts 2.3.15.3
• Apache struts 2.3.16
• Apache struts 2.3.16.1
• Apache struts 2.3.16.2
• Apache struts 2.3.16.3
• Apache struts 2.3.17
• Apache struts 2.3.19
• Apache struts 2.3.20
• Apache struts 2.3.20.1
• Apache struts 2.3.20.2
• Apache struts 2.3.20.3
• Apache struts 2.3.21
• Apache struts 2.3.22
• Apache struts 2.3.23
• Apache struts 2.3.24
• Apache struts 2.3.24.1
• Apache struts 2.3.24.2
• Apache struts 2.3.24.3
• Apache struts 2.3.25
• Apache struts 2.3.26
• Apache struts 2.3.27
• Apache struts 2.3.28
• Apache struts 2.3.28.1
• Apache struts 2.3.29
• Apache struts 2.3.30
• Apache struts 2.3.31
• Apache struts 2.3.5
• Apache struts 2.3.6
• Apache struts 2.3.7
• Apache struts 2.3.8
• Apache struts 2.3.9
• Apache struts 2.5
• Apache struts 2.5.1
• Apache struts 2.5.10
• Apache struts 2.5.2
• Apache struts 2.5.3
• Apache struts 2.5.4
• Apache struts 2.5.5
• Apache struts 2.5.6
• Apache struts 2.5.7
• Apache struts 2.5.8
• Apache struts 2.5.9

References

• CVE: CVE-2017-5638
• URL: https://cwiki.apache.org/confluence/display/WW/S2-045