Apache Struts 2 Multipart parser vulnerability (CVE-2017-5638)

SasiSiddharth, 03-14-2017 01:30 PM (edited 03-14-2017 02:03 PM)

An OGNL Expression Injection vulnerability in the Jakarta Multipart parser has recently been garnering a lot of attention (https://struts.apache.org/docs/s2-045.html). The parser is used in Apache Struts 2, versions 2.3.x (2.3.5 - 2.3.32) and 2.5.x (below 2.5.10.1). The vulnerability allows a remote attacker to inject OGNL expressions using a malformed multipart request and is assigned CVE-2017-5638. The attack payload may be used to modify the Struts environment or to execute operating system commands. Below is a quick assessment of the vulnerability.

An HTTP request signals a multipart body by sending a Content-Type header whose value is 'multipart/form-data'. When it sees that header, Apache Struts 2 expects a correctly formatted multipart request body. If that body is missing or malformed, an error is raised, and the error message is built using OGNL expressions along that code path. The value of the Content-Type header is incorporated into such an expression without sufficient validation, so the header itself becomes the injection point. That is the vulnerability.

To exploit the vulnerability, an OGNL expression may be submitted along with a multipart content-type header. The expression may be constructed to update various configurations in the Struts 2 environment. For example, Fortify WebInspect sends an attack payload that adds a new HTTP header to the immediate response.

In this scenario, a vulnerable server adds the injected header to the HTTP response for the attack request, which confirms that the payload was executed.

[Figure: struts2-045-1.PNG, response carrying the injected header]

Similarly, the payload may be constructed to execute operating system commands on the remote host, with the command output routed back in the HTTP response. These scenarios show that the underlying flaw is an OGNL expression injection, but one that can be leveraged into far more dangerous OS command execution.
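The description above gives defenders a concrete signal to look for: a Content-Type header that names multipart/form-data but is not a well-formed media type with a boundary parameter. The following is an added example, not code from the original post or from Fortify WebInspect, of a small request-log filter that classifies Content-Type values before they reach the Struts multipart parser (for a reverse proxy, WAF rule, or log review). The sample requests, the verdict names and the `scan_requests` helper are constructed for this illustration; the expression-marker string in request 3 is a placeholder, not a working payload. The assumption is that only Content-Type values mentioning multipart/form-data are routed to the affected parser, as the post states.

```python
"""Classify HTTP Content-Type headers for CVE-2017-5638 triage.

Added defensive example (not part of the original post). A request whose
Content-Type claims multipart/form-data but does not parse as a media type
with a boundary is exactly the malformed request the advisory describes.
"""
import re

# A well-formed multipart Content-Type: the media type followed by zero or
# more "name=value" parameters (boundary, charset, ...).  RFC 2046 boundary
# characters never include '{', '}', '%' or '#', so those are excluded from
# both quoted and unquoted parameter values.
_MULTIPART_OK = re.compile(
    r'^multipart/form-data'
    r'(?:\s*;\s*[A-Za-z0-9-]+=(?:"[^"{}%#]{0,70}"|[0-9A-Za-z\'()+_,\-./:=?]{1,70}))*'
    r'\s*;?\s*$',
    re.IGNORECASE,
)

# Substrings that belong to an expression language, not to a media type.
_EXPRESSION_MARKERS = ("%{", "${", "#")


def classify_content_type(value):
    """Return 'ok', 'suspicious-expression' or 'malformed-multipart'.

    Non-multipart values are 'ok' because the multipart parser is never
    invoked for them (assumption stated in the lead-in).
    """
    if value is None:
        return "ok"
    if "multipart/form-data" not in value.lower():
        return "ok"
    if _MULTIPART_OK.match(value):
        return "ok"
    if any(marker in value for marker in _EXPRESSION_MARKERS):
        return "suspicious-expression"
    return "malformed-multipart"


def scan_requests(requests):
    """Return [(request_id, verdict)] for every request that is not 'ok'."""
    findings = []
    for req in requests:
        verdict = classify_content_type(req["headers"].get("Content-Type"))
        if verdict != "ok":
            findings.append((req["id"], verdict))
    return findings


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    {"id": 1, "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"}},
    {"id": 2, "headers": {"Content-Type": "application/json"}},
    # Placeholder expression marker, deliberately not a functional payload.
    {"id": 3, "headers": {"Content-Type": "multipart/form-data; boundary=abc; %{#placeholder_expression}"}},
    {"id": 4, "headers": {"Content-Type": "multipart/form-data;;;"}},
    {"id": 5, "headers": {}},
]


if __name__ == "__main__":
    for request_id, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"request {request_id}: {verdict}")
```

Treat `suspicious-expression` as an alert worth blocking at the edge and `malformed-multipart` as a lower-severity anomaly to review; neither check is a substitute for upgrading Struts to the fixed versions named in the advisory, because the filter only sees the one header the post identifies as the injection point.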

A Fortify WebInspect check to detect this vulnerability is now available through Smartupdate.
