
Apache Struts 2 Multipart parser vulnerability (CVE-2017-5638)

SasiSiddharth

An OGNL expression injection vulnerability in the Jakarta Multipart parser used by Apache Struts 2 has recently been garnering a lot of attention (https://struts.apache.org/docs/s2-045.html). Affected versions are Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10; the fixes shipped in 2.3.32 and 2.5.10.1. The vulnerability, assigned CVE-2017-5638, allows a remote, unauthenticated attacker to inject OGNL expressions through a malformed multipart request. The injected payload may be used to modify the Struts environment or to execute operating system commands on the server. Below is a quick assessment of the vulnerability.

An HTTP request signals a multipart body by sending a value of 'multipart/form-data' in its Content-Type header. When it sees that value, Apache Struts 2 hands the request to the Jakarta multipart parser and expects a well-formed multipart body. If the body is not valid multipart, the parser raises an error, and the error message it builds echoes the raw Content-Type header value. That message is then passed through Struts' localized-text handling, which evaluates OGNL expressions (%{...} and ${...}) embedded in message text. Because the header value is never validated before it reaches that point, the attacker controls what gets evaluated. Hence, the vulnerability.

To exploit the vulnerability, an OGNL expression is submitted in the Content-Type header alongside the 'multipart/form-data' value that routes the request into the multipart parser. The expression may be constructed to update various settings in the Struts 2 environment. For example, Fortify WebInspect sends an attack payload that adds a new HTTP header to the immediate response.

In this scenario, a vulnerable server adds the injected header to the HTTP response to the attack request, confirming that the payload was evaluated.
[Screenshot: struts2-045-1.PNG]
Similarly, the payload may be constructed to execute operating system commands on the server and route the command output back through the HTTP response. From these scenarios it can be seen that the underlying weakness is an OGNL expression injection, but it can be leveraged into far more dangerous OS command execution.
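The request-side indicator described above (a Content-Type header that names 'multipart/form-data' but also carries OGNL syntax) is simple enough to detect in proxy or access logs before a scanner ever confirms the issue. The following is an added example for this post, not code from the original article or from Fortify WebInspect; the log record format, the field names and every sample line are constructed, and the OGNL fragments in them are deliberately non-functional.

```python
"""Request-side detection of CVE-2017-5638 (S2-045) attack traffic.

Added example; not code from the original post or from Fortify WebInspect.
The record format and all sample records below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Markers of OGNL syntax that never belong in a Content-Type value:
# %{...} and ${...} are the delimiters Struts' text substitution evaluates,
# '#name' is an OGNL context variable, '@cls@member' is a static access.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#[A-Za-z_]|@[\w.]+@")


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Content-Type value into (media type, parameters).

    Deliberately lenient: the attack value is not a valid media type at all,
    and the detector must still be able to look at it.
    """
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for param in parts[1:]:
        if "=" in param:
            key, val = param.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return parts[0].lower(), params


def is_s2_045_attack(content_type: str) -> bool:
    """True when the header routes the request into the multipart parser
    and also carries OGNL syntax.

    Struts 2 selects the multipart wrapper whenever the header contains
    'multipart/form-data'; when the value is not a real multipart type (as in
    the attack, where the expression comes first) the parser's error message
    echoes the whole header and the expression gets evaluated.
    """
    if "multipart/form-data" not in content_type.lower():
        return False
    return OGNL_MARKERS.search(content_type) is not None


def is_well_formed_multipart(content_type: str) -> bool:
    """A legitimate upload: media type first, plus a boundary parameter."""
    media_type, params = parse_content_type(content_type)
    return media_type == "multipart/form-data" and "boundary" in params


# Constructed access-log records: (client, method, path, Content-Type).
SAMPLE_RECORDS: List[Tuple[str, str, str, str]] = [
    ("10.0.0.5", "POST", "/upload.action",
     "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    ("10.0.0.9", "GET", "/index.action",
     "%{(#_='multipart/form-data').(#example=1)}"),
    ("10.0.0.7", "POST", "/login.action",
     "application/x-www-form-urlencoded"),
    ("10.0.0.8", "POST", "/upload.action",
     "multipart/form-data; boundary=x; ${#request['example']}"),
    ("10.0.0.11", "POST", "/upload.action",
     "multipart/form-data"),
]


def scan(records: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (client, path, reason) for every record that should alert."""
    alerts: List[Tuple[str, str, str]] = []
    for client, _method, path, content_type in records:
        if is_s2_045_attack(content_type):
            alerts.append((client, path, "ognl-in-content-type"))
        elif ("multipart/form-data" in content_type.lower()
              and not is_well_formed_multipart(content_type)):
            # No OGNL, but a multipart claim without a boundary still fails
            # inside the parser; low-confidence signal worth correlating.
            alerts.append((client, path, "malformed-multipart"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(*alert)
```

The first rule is the one that matters: a header that both contains 'multipart/form-data' and shows expression syntax has no legitimate reason to exist, so it can be alerted on with high confidence regardless of whether the server turned out to be vulnerable. The second rule is only a weak signal and is kept separate so it can be tuned down without losing the first.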

A Fortify WebInspect check to detect this vulnerability is now available through SmartUpdate.
