...
| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | Possible RCE when performing file upload based on Jakarta Multipart parser |
| Maximum security rating | ~~High~~ Critical |
| Recommendation | Upgrade to Struts 2.3.32 or Struts 2.5.10.1 |
| Affected Software | Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10 |
| Reporter | Chris Frohoff cfrohoff at qualcomm dot com |
| CVE Identifier | CVE-2017-5638 |
...
It is possible to perform an RCE attack with a malicious Content-Disposition value. If the Content-Disposition value isn't valid, an exception is thrown which is then used to display an error message to the user. This is a different vector for the same vulnerability described in S2-045 (CVE-2017-5638).
Solution
If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1.
...
You can switch to a different implementation of the Multipart parser. We have already prepared two plugins which can be used as a drop-in solution, please find them here. You can use them when you are running Apache Struts 2.3.8 - 2.5.5 (in case of using the default Jakarta multipart parser) or Apache Struts 2.3.20 - 2.5.5 (when using the alternative jakarta-stream multipart parser).
Another option is to remove the File Upload Interceptor from the stack: define your own custom stack and set it as the default - please read How do we configure an Interceptor to be used with every Action. This will work only for Struts 2.5.8 - 2.5.10.
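The workaround above, written out as an added struts.xml example (not part of the original advisory): a custom stack that mirrors the defaultStack from struts-default.xml but omits the fileUpload interceptor, registered as the package default. The package name and action are placeholders, and the interceptor list is assumed to match the 2.5.10 defaultStack; compare it against the struts-default.xml shipped with the version you actually run before deploying.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <!-- Placeholder package name; extend struts-default to inherit the built-in interceptors. -->
  <package name="app-default" extends="struts-default">
    <interceptors>
      <!-- Same order as defaultStack (assumed from 2.5.10 struts-default.xml),
           with the fileUpload interceptor left out so multipart bodies are
           never handed to the Jakarta parser. -->
      <interceptor-stack name="noFileUploadStack">
        <interceptor-ref name="exception"/>
        <interceptor-ref name="alias"/>
        <interceptor-ref name="servletConfig"/>
        <interceptor-ref name="i18n"/>
        <interceptor-ref name="prepare"/>
        <interceptor-ref name="chain"/>
        <interceptor-ref name="scopedModelDriven"/>
        <interceptor-ref name="modelDriven"/>
        <!-- <interceptor-ref name="fileUpload"/>  deliberately removed -->
        <interceptor-ref name="checkbox"/>
        <interceptor-ref name="multiselect"/>
        <interceptor-ref name="staticParams"/>
        <interceptor-ref name="actionMappingParams"/>
        <interceptor-ref name="params"/>
        <interceptor-ref name="conversionError"/>
        <interceptor-ref name="validation">
          <param name="excludeMethods">input,back,cancel,browse</param>
        </interceptor-ref>
        <interceptor-ref name="workflow">
          <param name="excludeMethods">input,back,cancel,browse</param>
        </interceptor-ref>
        <interceptor-ref name="debugging"/>
      </interceptor-stack>
    </interceptors>

    <!-- Make the reduced stack the default for every action in this package. -->
    <default-interceptor-ref name="noFileUploadStack"/>

    <!-- Placeholder action: inherits noFileUploadStack because no interceptor-ref is given. -->
    <action name="example" class="com.example.ExampleAction">
      <result>/WEB-INF/jsp/example.jsp</result>
    </action>
  </package>
</struts>
```

Any action that declares its own `<interceptor-ref>` bypasses the package default, so check every action and every other package that still extends struts-default or references defaultStack directly.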
...