CVE-2017-5638 Apache Struts Remote Code Execution
Severity
Advisory/Critical
Vendor
Apache
Versions Affected
- Apache Struts 2:
  - 2.3.x versions prior to 2.3.32
  - 2.5.x versions prior to 2.5.10.1
Description
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 [1] mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017 [2].
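The description above points at the one observable that a defender can watch for: a Content-Type request header that is not a plain MIME type plus parameters. The following added example (not part of the original advisory) scans constructed reverse-proxy log lines whose last quoted field is the request's Content-Type, and flags a value either because it contains an expression marker such as the #cmd= string named above, or because it does not parse as type/subtype with name=value parameters. The log format, the host addresses and the header values are all constructed for illustration.

```python
import re

# Constructed log lines in a simple access-log layout whose last quoted field
# is the request's Content-Type header. Addresses are documentation ranges.
LOG_LINES = [
    '203.0.113.5 - - [07/Mar/2017:10:01:02 +0000] "POST /upload.action HTTP/1.1" 200 '
    '"multipart/form-data; boundary=----formboundary1234"',
    '203.0.113.9 - - [07/Mar/2017:10:01:07 +0000] "POST /upload.action HTTP/1.1" 200 '
    '"multipart/form-data; #cmd=CONSTRUCTED_SAMPLE"',
    '198.51.100.2 - - [07/Mar/2017:10:02:11 +0000] "GET /index.action HTTP/1.1" 200 "-"',
    '198.51.100.4 - - [07/Mar/2017:10:02:30 +0000] "POST /api HTTP/1.1" 200 '
    '"application/json; charset=utf-8"',
    '198.51.100.7 - - [07/Mar/2017:10:02:40 +0000] "POST /upload.action HTTP/1.1" 200 '
    '"multipart/form-data; boundary=a b c"',
]

# client, timestamp, request line, status, content-type (last quoted field)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) "(.*)"$')

# Markers that have no place in a legitimate Content-Type value: the #cmd=
# string from the advisory plus OGNL expression delimiters and a well-known
# OGNL member name used in the same family of attacks.
SUSPICIOUS = re.compile(r"(#cmd=|%\{|\$\{|#_memberAccess)", re.IGNORECASE)

# Positive grammar: type/subtype followed by zero or more ; name=value params
# (quoted or token values). Anything else is anomalous even without a marker.
VALID_CT = re.compile(r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.-]+=(?:"[^"]*"|[^;\s]*))*\s*$')


def classify_content_type(value):
    """Return None if the header value looks benign, else a short reason string."""
    if value in ("", "-"):  # header absent
        return None
    m = SUSPICIOUS.search(value)
    if m:
        return "expression marker %r" % m.group(1)
    if not VALID_CT.match(value):
        return "does not parse as type/subtype; name=value"
    return None


def scan(lines):
    """Return one dict per flagged request: client, time, request line, reason."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected layout; a real deployment would count these
        client, ts, request, _status, ctype = m.groups()
        reason = classify_content_type(ctype)
        if reason:
            hits.append({"client": client, "time": ts, "request": request, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print("%(time)s %(client)s %(request)s -> %(reason)s" % hit)
```

The grammar check matters more than the marker list: markers can be rewritten, but a header that cannot be parsed as a MIME type is anomalous regardless of what it contains, so both branches are worth alerting on.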
Affected VMware Products and Versions
- Pivotal Cloud Foundry
  - The Cloud Foundry team has determined that core releases do not package Apache Struts.
  - Pivotal has determined that PCF components also do not package Apache Struts.
  - However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [3].
  - If you have further questions, please contact Pivotal Support at https://support.pivotal.io.
- Pivotal Spring
  - Spring versions 4.x, 5.x and above are able to use the Spring plugin that is distributed with Apache Struts 2.
  - Particular applications using Spring versions 4.x, 5.x and later may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [3].
  - However, if your Spring Boot applications do not use Apache Struts (e.g. they don't have org.apache.struts listed in their dependencies) then no action is required.
  - If you have further questions, please contact Pivotal Support at https://support.pivotal.io.
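The guidance above reduces to a concrete check: does the application declare an org.apache.struts dependency, and if so, is the version below the fixed releases (2.3.32 for the 2.3.x branch, 2.5.10.1 for 2.5.x)? The following added example (not part of the advisory or of any Pivotal tooling) walks a Maven pom.xml, resolves ${property} version references declared in the same file, and reports each Struts artifact as vulnerable, fixed, or on a branch this advisory does not list. The pom.xml content is constructed for illustration; a parent-pom or Gradle build would need its own resolver.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml with one Struts dependency whose version is set
# through a <properties> placeholder, plus an unrelated Spring dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>4.3.7.RELEASE</version>
    </dependency>
  </dependencies>
</project>
"""

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# First fixed release per affected branch, as stated in the advisory.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); qualifiers such as '.RELEASE' or '-SNAPSHOT' are dropped."""
    m = re.match(r"[\d.]+", text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in m.group(0).strip(".").split("."))


def struts_status(version):
    """'vulnerable', 'fixed', 'unlisted' (branch not in this advisory) or 'unknown'."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"  # e.g. an unresolved ${...} placeholder from a parent pom
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unlisted"
    # Tuple comparison treats (2, 5, 10) as older than (2, 5, 10, 1), as intended.
    return "vulnerable" if v < fixed else "fixed"


def struts_dependencies(pom_xml):
    """Yield (artifactId, resolved version) for each org.apache.struts dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(MAVEN_NS, ""): (p.text or "").strip()
             for p in root.findall(MAVEN_NS + "properties/*")}
    for dep in root.iter(MAVEN_NS + "dependency"):
        if dep.findtext(MAVEN_NS + "groupId", default="") != "org.apache.struts":
            continue
        artifact = dep.findtext(MAVEN_NS + "artifactId", default="?")
        raw = dep.findtext(MAVEN_NS + "version", default="").strip()
        # Resolve ${name} against <properties>; unknown names are left as-is.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        yield artifact, version


def audit_pom(pom_xml):
    """Return [(artifactId, version, status), ...] for every Struts dependency found."""
    return [(a, v, struts_status(v)) for a, v in struts_dependencies(pom_xml)]


if __name__ == "__main__":
    for artifact, version, status in audit_pom(SAMPLE_POM):
        print("%s %s: %s" % (artifact, version, status))
```

An empty result means no org.apache.struts artifact is declared directly in that pom; transitive dependencies pulled in by other artifacts still need to be checked with the build tool's dependency tree.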
Mitigation
- Pivotal Cloud Foundry
  - Pivotal has determined that PCF is not exposed to this particular vulnerability and therefore does not require any PCF-specific upgrades.
  - However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [3].
- Pivotal Spring
  - Particular applications using Spring versions 4.x, 5.x and later may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [3].
  - If you have further questions, please contact Pivotal Support at https://support.pivotal.io.
Credit
Nike Zheng