The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability announce CVE-2017-5638

Apache Struts: code execution via Jakarta Multipart CT

Synthesis of the vulnerability

An attacker can use a malicious Content-Type header on Apache Struts with Jakarta Multipart installed, in order to run code.
Impacted products: Struts, Cisco CUCM, Cisco Unified CCX, Avamar, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Oracle Communications, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle OIT, Tuxedo, WebLogic, Percona Server, vCenter Server, VMware vSphere.
Severity of this bulletin: 4/4.
Consequences of an intrusion: user access/rights.
Hacker's origin: internet client.
Creation date: 08/03/2017.
Revision date: 14/03/2017.
Références of this threat: 498123, CERTFR-2017-ALE-004, CERTFR-2017-AVI-071, cisco-sa-20170310-struts2, cpuapr2017, cpujul2017, CVE-2017-5638, ESA-2017-042, S2-045, S2-046, VIGILANCE-VUL-22047, VMSA-2017-0004, VMSA-2017-0004.6, VU#834067.

Description of the vulnerability

The Apache Struts product can be configured to use the Multipart parser of Jakarta.

The HTTP Content-Type header can contain the multipart/form-data MIME type to indicate form data. In this case, the Multipart parser of Jakarta is called.

When the Multipart parser of Jakarta is used, and when the Content-Type header contains a malformed multipart/form-data header, an exception occurs, and the header content is interpreted during the display.

An attacker can therefore use a malicious Content-Type header on Apache Struts with Jakarta Multipart installed, in order to run code.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a computer vulnerability patch. The technology watch team tracks security threats targeting the computer system. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.