
CVE-2017-5638: Apache Struts 2 Vulnerability

by Bella

Apache Struts 2 is an open-source framework widely used for developing Java web applications.

On March 6, 2017, the Apache Struts project published security bulletin S2-045 for a critical vulnerability identified as CVE-2017-5638. The flaw allows an unauthenticated attacker to execute arbitrary code on a vulnerable server by sending a single specially crafted HTTP request; exploitation in the wild began within days of disclosure.

The vulnerability lies in the Jakarta multipart parser, the default file-upload parser in Struts 2. When a request's Content-Type header contains the string multipart/form-data, Struts hands the request to that parser; if the parser then rejects the header (for example because the value does not actually begin with multipart/), the resulting error message includes the untrusted header value verbatim, and Struts passes that message through its localized-text lookup, which evaluates OGNL expressions embedded in the text. An attacker therefore places an OGNL expression in the Content-Type header of a request to any Struts action, the expression runs with the application server's privileges, and the result is unauthorized access or complete system compromise. No file actually has to be uploaded for the attack to work.

Per the Apache advisory, the affected releases are Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10. Installations running those versions with the default Jakarta multipart parser are exploitable with no authentication and no special configuration.
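The two facts above, the affected version ranges and the shape of the malicious Content-Type header, both lend themselves to a quick check. The following Python is an added example for this post, not code from Apache Struts or from the original article. It implements a version gate against the ranges stated in S2-045 and a screen for Content-Type values that look like S2-045 probes: values that are not syntactically valid media types, that carry OGNL markers such as `%{`, or that contain the literal `multipart/form-data` without actually starting with `multipart/` (the property the published exploits needed so that Struts would route the request to the Jakarta parser and the parser would then reject it). The sample header values and version strings are constructed for the example; the third header is a stand-in with the shape of the published payloads and no working body.

```python
"""Version gate and Content-Type screen for CVE-2017-5638 (Apache Struts S2-045).

Added example, not part of the original post or of Apache Struts.
Sample versions and header values are constructed for illustration.
"""
import re

# Affected ranges as stated in the Apache S2-045 advisory:
# Struts 2.3.5 - 2.3.31 and 2.5 - 2.5.10 (fixed in 2.3.32 and 2.5.10.1).
AFFECTED_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10)))


def parse_version(version: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); shorter strings are zero-padded to four parts."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected_version(version: str) -> bool:
    """True if a struts2-core version falls inside an S2-045 affected range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        lo4 = tuple((list(lo) + [0, 0, 0, 0])[:4])
        hi4 = tuple((list(hi) + [0, 0, 0, 0])[:4])
        if lo4 <= v <= hi4:
            return True
    return False


# RFC 7230 tchar: the only characters a media type's type and subtype may contain.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE = re.compile(rf"^\s*{_TCHAR}/{_TCHAR}\s*(?:;.*)?$", re.DOTALL)

# Substrings that have no business in a Content-Type and mark an OGNL expression.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.", "@java.lang.")


def suspicious_content_type(value: str) -> list:
    """Return the reasons a Content-Type value looks like an S2-045 probe (empty = clean).

    Three signals: the value is not a syntactically valid media type; it carries
    OGNL markers; or it contains 'multipart/form-data' (so Struts selects the
    Jakarta multipart parser) without starting with 'multipart/' (so that parser
    rejects it and echoes the whole header into the message that gets evaluated).
    """
    reasons = []
    if not _MEDIA_TYPE.match(value):
        reasons.append("not a valid media type")
    found = [m for m in OGNL_MARKERS if m in value]
    if found:
        reasons.append("OGNL markers: " + ", ".join(found))
    if "multipart/form-data" in value and not value.lstrip().lower().startswith("multipart/"):
        reasons.append("claims multipart/form-data but does not start with multipart/")
    return reasons


# Constructed sample Content-Type values; the third has the shape of the published
# payloads (contains 'multipart/form-data', begins with '%{') with no working body.
SAMPLE_HEADERS = (
    "multipart/form-data; boundary=----WebKitFormBoundaryabc123",
    "application/x-www-form-urlencoded",
    "%{(#_='multipart/form-data').(#x=1)}",
    "multipart/form-data; boundary=${1+1}",
)


def screen(headers=SAMPLE_HEADERS) -> dict:
    """Map each header value to its list of reasons; clean values map to []."""
    return {h: suspicious_content_type(h) for h in headers}


if __name__ == "__main__":
    for ver in ("2.3.4", "2.3.5", "2.3.31", "2.3.32", "2.5", "2.5.10", "2.5.10.1"):
        print(f"{ver:10} affected={is_affected_version(ver)}")
    for value, reasons in screen().items():
        print(f"{'FLAG ' if reasons else 'ok   '}{value!r} {reasons}")
```

The header screen is a detection aid for proxy or WAF logs, not a fix: the same CVE was later shown (bulletin S2-046) to be reachable through the Content-Disposition filename inside the multipart body together with an over-limit Content-Length, which this check does not see. Upgrading remains the only complete remedy.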

Solution

Apache and security researchers (including Cisco Talos, who observed active exploitation) recommend upgrading Struts to 2.3.32 or 2.5.10.1 (or later), which removes the untrusted header value from the evaluated error message. Where an immediate upgrade is not possible, the Apache advisory offers interim measures: switch to a different multipart parser (the Pell parser, or on 2.5.8 and later the Jakarta stream parser), or deploy a Servlet filter that rejects requests whose Content-Type does not match a proper multipart/form-data value. Treat these as stopgaps only; a follow-up bulletin (S2-046) showed the same CVE could be triggered through the Content-Disposition filename and Content-Length, so filtering Content-Type alone does not close the hole.

If you require help, contact SupportPRO Server Admin

Partner with SupportPRO for 24/7 proactive cloud support that keeps your business secure, scalable, and ahead of the curve.

Contact Us today!