Home > Developer > Web Develop

Vulnerability Alert | Apache Struts2 exposes arbitrary Code execution Vulnerability (s2-045)

Source: Internet
Author: User
Tags cve
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Recently, Apache official release of Apache Struts 2.3.5–2.3.31 version and 2.5–2.5.10 version of the Remote Code execution Vulnerability (cnnvd-201703-152, cve-2017-5638) of the Emergency Vulnerability Bulletin. The vulnerability is because the exception handler for the upload function does not correctly handle user input error messages, causing a remote attacker to use the vulnerability to execute arbitrary commands on the affected server by sending a malicious packet.

Vulnerability Hazard

An attacker could construct malicious code in the Content-type field in the header of an HTTP request to exploit the vulnerability, execute system commands on the affected server, and further take full control of the server, resulting in denial of service, data disclosure, Web site tampering, and so on. The vulnerability is more severe because the vulnerability is enabled by default with the required components.

  

Vulnerability number

cve-2017-5638

cnnvd-201703-152

Impact Range

Affected version of Struts2:

Struts 2.3.5–struts 2.3.31

Struts 2.5–struts 2.5.1

Detection method

Detection can be done by viewing the Struts2-core-x.x.x.jar file under the/web-inf/lib/directory under the WEB directory, if x represents the version number 2.3.5 to 2.3.31 and 2.5 to 2.5.10 without modifying the default configuration there is a vulnerability.

Repair measures

In order to protect the security of the user's assets, the exploit tool has been disclosed on the internet, so please fix the vulnerability in time.

1. Users can upgrade the version to Apache Struts 2.3.32 or Apache struts 2.5.10.1 to eliminate the vulnerability impact. It is recommended that you do a backup of your data before upgrading.

Patch Address:

Struts 2.3.32:https://github.com/apache/struts/releases/tag/struts_2_3_32

Struts 2.5.10.1:https://github.com/apache/struts/releases/tag/struts_2_5_10_1

2, if the user is not convenient to upgrade, you can take the following temporary solution: Delete the Commons-fileupload-x.x.x.jar file (will cause the upload function is not available).

3, if the confirmation of the problem exists, and cannot carry out the above measures, the user can timely contact with anxin and sincerity, anxin and Prudential will quickly provide users with security reinforcement, security policy adjustment and other related security services for emergency response, in order to quickly respond to the vulnerability.

Vulnerability Alert | Apache Struts2 exposes arbitrary Code execution Vulnerability (s2-045)

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
apache vulnerability test apache struts vulnerability test apache struts 2 vulnerability source code vulnerability scanner what is apache struts vulnerability test for apache struts vulnerability memcpy vulnerability

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More