{"id":7166,"date":"2017-03-29T23:21:08","date_gmt":"2017-03-30T07:21:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/29\/news-957\/"},"modified":"2017-03-29T23:21:08","modified_gmt":"2017-03-30T07:21:08","slug":"news-957","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/29\/news-957\/","title":{"rendered":"CVE-2017-5638 &#8211; Apache Struts 2 Remote Code Execution Vulnerability"},"content":{"rendered":"<p><strong>Credit to Author: Pradeep Kulkarni | Date: Tue, 14 Mar 2017 11:01:23 +0000<\/strong><\/p>\n<p>The well-known open source web application framework Apache Struts 2 is being actively exploited in the wild, allowing attackers to launch a remote code execution attack. To address this issue, Apache has issued a security <a href=\"https:\/\/cwiki.apache.org\/confluence\/display\/WW\/S2-045\">advisory<\/a> and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-5638\">CVE-2017-5638<\/a> has been assigned to it. The zero-day bug has been rated with the highest severity rating \u2018High\u2019. The proof of concept can be found <a href=\"https:\/\/github.com\/tengzhangchao\/Struts2_045-Poc\">here<\/a>. The open source Struts framework is used widely by organizations across the globe, which makes this vulnerability an attractive target for attackers.<\/p>\n<p><strong>Vulnerable Versions:<\/strong><\/p>\n<ul>\n<li>Struts 2.3.5<\/li>\n<li>Struts 2.3.31<\/li>\n<li>Struts 2.5<\/li>\n<li>Struts 2.5.10<\/li>\n<\/ul>\n<p><strong>Vulnerability<\/strong><\/p>\n<p>The vulnerability is triggered by sending a crafted \u2018Content-Type\u2019 HTTP header. The Jakarta multipart parser fails to validate the file upload, which allows attackers to achieve remote code execution. The \u2018Content-Type\u2019 HTTP header is injected with arbitrary commands in the #cmd field. 
The injected command gets executed on the vulnerable servers.<\/p>\n<div id=\"attachment_83993\" style=\"width: 660px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-83993 size-large\" src=\"http:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/03\/struts-650x146.png\" alt=\"Fig 1. Vulnerability\" width=\"650\" height=\"146\" srcset=\"http:\/\/blogs.quickheal.com\/wp-content\/uploads\/2017\/03\/struts-650x146.png 650w, http:\/\/blogs.quickheal.com\/wp-content\/uploads\/2017\/03\/struts-300x68.png 300w, http:\/\/blogs.quickheal.com\/wp-content\/uploads\/2017\/03\/struts-768x173.png 768w, http:\/\/blogs.quickheal.com\/wp-content\/uploads\/2017\/03\/struts-789x178.png 789w, http:\/\/blogs.quickheal.com\/wp-content\/uploads\/2017\/03\/struts.png 888w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\" \/><\/p>\n<p class=\"wp-caption-text\">Fig 1. Vulnerability<\/p>\n<\/div>\n<p><strong>Quick Heal Detections<\/strong><\/p>\n<p>Quick Heal has released the following IPS detection for the vulnerability <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-5638\">CVE-2017-5638<\/a>.<\/p>\n<ul>\n<li>VID-01568: Apache Struts Remote Code Execution vulnerability<\/li>\n<\/ul>\n<p>Some of the reported payloads dropped by exploiting this vulnerability have been detected by Quick Heal as:<\/p>\n<ul>\n<li>Backdoor.Linux.Setag.E<\/li>\n<li>TrojanXor.Linux.DDos.A<\/li>\n<\/ul>\n<p><strong>Conclusion<\/strong><\/p>\n<p>The high-profile zero-day vulnerability is currently patched by Apache Struts. 
We strongly recommend that users upgrade their Apache Struts installation to <a href=\"https:\/\/cwiki.apache.org\/confluence\/display\/WW\/Version+Notes+2.3.32\">Struts 2.3.32<\/a> or <a href=\"https:\/\/cwiki.apache.org\/confluence\/display\/WW\/Version+Notes+2.5.10.1\">Struts 2.5.10.1<\/a> as per the advisory, and also apply the latest security updates from Quick Heal.<\/p>\n<p><strong>ACKNOWLEDGEMENT<\/strong><\/p>\n<p><strong>\u2022 Vishal Singh<br \/> \u2022 Pradeep Kulkarni<br \/> <\/strong>\u2013 Threat Research and Response Team<\/p>\n<p>The post <a rel=\"nofollow\" href=\"http:\/\/blogs.quickheal.com\/cve-2017-5638-apache-struts-2-remote-code-execution-vulnerability\/\">CVE-2017-5638 &#8211; Apache Struts 2 Remote Code Execution Vulnerability<\/a> appeared first on <a rel=\"nofollow\" href=\"http:\/\/blogs.quickheal.com\">Quick Heal Technologies Security Blog | Latest computer security news, tips, and advice<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pradeep Kulkarni | Date: Tue, 14 Mar 2017 11:01:23 +0000<\/strong><\/p>\n<p>The well-known open source web application framework Apache Struts 2 is being actively exploited in the wild, allowing attackers to launch a remote code execution attack. To address this issue, Apache has issued a security advisory and CVE-2017-5638 has been assigned to it. The zero-day bug has been rated with&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10459,10378],"tags":[11809,11810,11253,3919,3764,10467,11524],"class_list":["post-7166","post","type-post","status-publish","format-standard","hentry","category-quickheal","category-security","tag-apache","tag-cve","tag-hacker","tag-hacking","tag-malware","tag-vulnerability","tag-zero-day"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7166"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7166\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7166"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}