NVD Vulnerability Detail

CVE-2017-5638

Summary	The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Publication Date	March 11, 2017, 11:59 a.m.
Registration Date	Jan. 26, 2021, 1:26 p.m.
Last Update	Nov. 21, 2024, 12:28 p.m.

CVSS3.1 : CRITICAL
スコア	9.8
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

CVSS2.0 : HIGH
Score	10.0
Vector	AV:N/AC:L/Au:N/C:C/I:C/A:C
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:struts::::::::	2.5.0			2.5.10.1
cpe:2.3:a:apache:struts::::::::	2.2.3			2.3.32

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:ibm:storwize_v3500_firmware:7.7.1.6:::::::*
cpe:2.3:o:ibm:storwize_v3500_firmware:7.8.1.0:::::::*
execution environment
1	cpe:2.3:h:ibm:storwize_v3500:-:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:ibm:storwize_v5000_firmware:7.7.1.6:::::::*
cpe:2.3:o:ibm:storwize_v5000_firmware:7.8.1.0:::::::*
execution environment
1	cpe:2.3:h:ibm:storwize_v5000:-:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:ibm:storwize_v7000_firmware:7.7.1.6:::::::*
cpe:2.3:o:ibm:storwize_v7000_firmware:7.8.1.0:::::::*
execution environment
1	cpe:2.3:h:ibm:storwize_v7000:-:::::::*

Configuration5		or higher	or less	more than	less than
cpe:2.3:o:lenovo:storage_v5030_firmware:7.7.1.6:::::::*
cpe:2.3:o:lenovo:storage_v5030_firmware:7.8.1.0:::::::*
execution environment
1	cpe:2.3:h:lenovo:storage_v5030:-:::::::*

Configuration6	or higher	or less	more than	less than
cpe:2.3:a:hp:server_automation:10.0.0:::::::*
cpe:2.3:a:hp:server_automation:10.1.0:::::::*
cpe:2.3:a:hp:server_automation:10.2.0:::::::*
cpe:2.3:a:hp:server_automation:10.5.0:::::::*
cpe:2.3:a:hp:server_automation:9.1.0:::::::*

Configuration7	or higher	or less	more than	less than
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:::::::*
cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:::::::*
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:::::::*
cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:::::::*

Configuration8		or higher	or less	more than	less than
cpe:2.3:a:arubanetworks:clearpass_policy_manager::::::::					6.6.5

Configuration9		or higher	or less	more than	less than
cpe:2.3:a:netapp:oncommand_balance:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html	Exploit Third Party Advisory
2	http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html	Exploit Third Party Advisory
3	http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/	Exploit Third Party Advisory
4	http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/	Exploit Third Party Advisory
5	http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt	Third Party Advisory
6	http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt	Third Party Advisory
7	http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html	Press/Media Coverage Third Party Advisory
8	http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html	Press/Media Coverage Third Party Advisory
9	http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html	Patch Third Party Advisory
10	http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html	Patch Third Party Advisory
11	http://www.securityfocus.com/bid/96729	Broken Link Third Party Advisory VDB Entry
12	http://www.securityfocus.com/bid/96729	Broken Link Third Party Advisory VDB Entry
13	http://www.securitytracker.com/id/1037973	Broken Link Third Party Advisory VDB Entry
14	http://www.securitytracker.com/id/1037973	Broken Link Third Party Advisory VDB Entry
15	https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/	Exploit Press/Media Coverage
16	https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/	Exploit Press/Media Coverage
17	https://cwiki.apache.org/confluence/display/WW/S2-045	Mitigation Vendor Advisory
18	https://cwiki.apache.org/confluence/display/WW/S2-045	Mitigation Vendor Advisory
19	https://cwiki.apache.org/confluence/display/WW/S2-046	Mitigation Vendor Advisory
20	https://cwiki.apache.org/confluence/display/WW/S2-046	Mitigation Vendor Advisory
21	https://exploit-db.com/exploits/41570	Exploit Third Party Advisory VDB Entry
22	https://exploit-db.com/exploits/41570	Exploit Third Party Advisory VDB Entry
23	https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a	Broken Link
24	https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a	Broken Link
25	https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228	Broken Link
26	https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228	Broken Link
27	https://github.com/mazen160/struts-pwn	Exploit
28	https://github.com/mazen160/struts-pwn	Exploit
29	https://github.com/rapid7/metasploit-framework/issues/8064	Exploit Issue Tracking
30	https://github.com/rapid7/metasploit-framework/issues/8064	Exploit Issue Tracking
31	https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us	Broken Link
32	https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us	Broken Link
33	https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us	Third Party Advisory
34	https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us	Third Party Advisory
35	https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us	Third Party Advisory
36	https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us	Third Party Advisory
37	https://isc.sans.edu/diary/22169	Exploit Third Party Advisory
38	https://isc.sans.edu/diary/22169	Exploit Third Party Advisory
39	https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E	Mailing List
40	https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E	Mailing List
41	https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E	Mailing List
42	https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E	Mailing List
43	https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E	Mailing List
44	https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E	Mailing List
45	https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html	Exploit Third Party Advisory
46	https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html	Exploit Third Party Advisory
47	https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt	Exploit Third Party Advisory VDB Entry
48	https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt	Exploit Third Party Advisory VDB Entry
49	https://security.netapp.com/advisory/ntap-20170310-0001/	Third Party Advisory
50	https://security.netapp.com/advisory/ntap-20170310-0001/	Third Party Advisory
51	https://struts.apache.org/docs/s2-045.html	Mitigation Vendor Advisory
52	https://struts.apache.org/docs/s2-045.html	Mitigation Vendor Advisory
53	https://struts.apache.org/docs/s2-046.html	Mitigation Vendor Advisory
54	https://struts.apache.org/docs/s2-046.html	Mitigation Vendor Advisory
55	https://support.lenovo.com/us/en/product_security/len-14200	Third Party Advisory
56	https://support.lenovo.com/us/en/product_security/len-14200	Third Party Advisory
57	https://twitter.com/theog150/status/841146956135124993	Broken Link Third Party Advisory
58	https://twitter.com/theog150/status/841146956135124993	Broken Link Third Party Advisory
59	https://www.exploit-db.com/exploits/41614/	Exploit Third Party Advisory VDB Entry
60	https://www.exploit-db.com/exploits/41614/	Exploit Third Party Advisory VDB Entry
61	https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/	Third Party Advisory
62	https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/	Third Party Advisory
63	https://www.kb.cert.org/vuls/id/834067	Third Party Advisory US Government Resource
64	https://www.kb.cert.org/vuls/id/834067	Third Party Advisory US Government Resource
65	https://www.symantec.com/security-center/network-protection-security-advisories/SA145	Broken Link
66	https://www.symantec.com/security-center/network-protection-security-advisories/SA145	Broken Link

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-755	例外的な状態における不適切な処理	https://cwe.mitre.org/data/definitions/755.html

JVN Vulnerability Information

Apache Struts2 に任意のコードが実行可能な脆弱性

Title	Apache Struts2 に任意のコードが実行可能な脆弱性
Summary	Apache Struts2 には、任意のコードが実行可能な脆弱性が存在します。 Apache Struts2 には、Jakarta Multipart parser の処理に起因する、任意のコードが実行可能な脆弱性が存在します。なお、本脆弱性の攻撃コードが公開されています。
Possible impacts	遠隔の第三者によって細工されたリクエストを処理することで、アプリケーションの権限で任意のコードを実行される可能性があります。
Solution	[アップデートする] 本脆弱性が修正されたバージョン (Struts 2.3.32 および Struts 2.5.10.1) へアップデートする。 [ワークアラウンドを実施する] 次のワークアラウンドを実施し、本脆弱性の影響を軽減する。　* サーブレットフィルタや Web Application Firewall などを使用して、Content-Type ヘッダを検証し、"multipart/form-data" が文字列として含まれる不正なリクエストを遮断する　* File Upload Interceptor を無効化する (Struts 2.5.8 から Struts 2.5.10 に対してのみ有効) 　　File Upload Interceptor 　　https://struts.apache.org/docs/file-upload-interceptor.html JPCERT/CCからの補足情報【2017年3月17日追記】開発者は、multipart/form-data を扱うパーサを、デフォルトの JakartaMultipartRequest から別の実装に変更する方法を、対策として記載しています。 JPCERT/CC による検証では、本脆弱性の影響を受けるバージョンにおいて JakartaStreamMultiPartRequest に変更しても本脆弱性の影響を受けることを確認したため、対策方法から削除しています。別の実装 https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries
Publication Date	March 9, 2017, midnight
Registration Date	March 10, 2017, 10:47 a.m.
Last Update	Oct. 3, 2017, 1:51 p.m.

Affected System

Apache Software Foundation

Apache Struts 2.3.5 から 2.3.31 まで

Apache Struts 2.5 から 2.5.10 まで

日本電気

ESMPRO/ServerManager 6.10 から 6.16

InfoFrame Relational Store 全バージョン

iStorage HSシリーズ 5.0.5

StarOffice X Enterprise V4.0

StarOffice X Enterprise V5.0

StarOffice X Enterprise V5.1

StarOffice X Standard V4.0

StarOffice X Standard V5.0

StarOffice X Standard V5.1

WebOTX Developer (with Developer's Studio) V9.3

WebOTX Developer (with Developer's Studio) V9.4

日立

HiRDB Server Version 9

HiRDB Control Manager - Server Version 9

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-5638	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
National Vulnerability Database (NVD)
2	CVE-2017-5638	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Apache
1	Alternate Libraries	https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries
2	WW-3025	https://issues.apache.org/jira/browse/WW-3025
Apache Struts 2 Documentation
3	S2-045: Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.	https://struts.apache.org/docs/s2-045.html
ASF Git Repos
4	Uses default error key if specified key doesn't exist (3523064)	https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a
5	Uses default error key if specified key doesn't exist (6b8272c)	https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228
Cisco's Talos Intelligence Group Blog
6	Content-Type: Malicious - New Apache Struts2 0-day Under Attack	http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
Hitachi Software Vulnerability Information
7	hitachi-sec-2017-110	http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-110/index.html
NEC製品セキュリティ情報
8	NV17-013	http://jpn.nec.com/security-info/secinfo/nv17-013.html
ソフトウェア製品セキュリティ情報
9	hitachi-sec-2017-110	http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2017-110/index.html
富士通セキュリティ情報
10	Veritas NetBackup: 任意のコマンドが実行される脆弱性(CVE-2017-5638) (2017年9月1日)	http://www.fujitsu.com/jp/products/software/resources/condition/security/products-fujitsu/solution/veritas201712.html

その他

No	Name	URL
IPA 重要なセキュリティ情報
1	Apache Struts2 の脆弱性対策について(CVE-2017-5638)(S2-045)	https://www.ipa.go.jp/security/ciadr/vul/20170308-struts.html
JPCERT 注意喚起
2	JPCERT-AT-2017-0009	https://www.jpcert.or.jp/at/2017/at170009.html
JVN
3	JVNVU#93610402	http://jvn.jp/vu/JVNVU93610402/index.html
US-CERT Vulnerability Note
4	VU#834067	https://www.kb.cert.org/vuls/id/834067

Change Log

No	Changed Details	Date of change
0	[2017年03月10日] 掲載 [2017年03月15日] CVSS による深刻度：内容を更新ベンダ情報：Apache Software Foundation (Uses default error key if specified key doesn't exist (3523064)) を追加ベンダ情報：Apache Software Foundation (Uses default error key if specified key doesn't exist (6b8272c)) を追加ベンダ情報：シスコシステムズ (Content-Type: Malicious - New Apache Struts2 0-day Under Attack) を追加 CWE による脆弱性タイプ一覧：CWE-ID を追加参考情報：National Vulnerability Database (NVD) (CVE-2017-5638) を追加参考情報：US-CERT Vulnerability Note (NVD) (VU#834067) を追加 [2017年03月21日] 対策：内容を更新 [2017年04月17日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日立 (hitachi-sec-2017-110) を追加 [2017年07月25日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日本電気 (NV17-013) を追加 [2017年09月04日] ベンダ情報：富士通 (Veritas NetBackup: 任意のコマンドが実行される脆弱性(CVE-2017-5638) (2017年9月1日)) を追加 [2017年10月03日] 影響を受けるシステム：ベンダ情報 (NV17-013) の更新に伴い内容を更新	Feb. 17, 2018, 10:37 a.m.