A vulnerability has been found in the Jakarta-based file upload Multipart parser of Apache Struts2 that could allow remote code execution on the affected application server. A remote attacker could exploit the vulnerability by sending specially crafted HTTP requests with an invalid Content-Type value to the affected system. Proof-of-concept exploit code is available on the Internet.
A successful attack could lead to information disclosure, website defacement, backdoor implantation and arbitrary code execution on an affected system.
Administrators of affected systems should upgrade Apache Struts2 to version 2.3.32 or 2.5.10.1 to address the issue. The update is available at:
System administrators should follow the recommendations provided by the Apache community and take immediate action to mitigate the risk.
Workarounds published on the following websites are advised until the patch can be applied:
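As an added example of a compensating control (not part of this advisory and not code from the Apache project), the check below validates the Content-Type header value against the RFC 7231 media-type grammar before a request reaches the Multipart parser, so that values which cannot be a legitimate media type are flagged for logging or rejection. The sample header values are constructed for illustration.

```python
import re
from typing import List

# RFC 7230 "tchar": printable ASCII minus delimiters and whitespace.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 7230 quoted-string: anything but '"' and control chars, or a backslash escape.
QUOTED = r'"(?:[^"\\\x00-\x1f]|\\.)*"'
# media-type = type "/" subtype *( OWS ";" OWS parameter )
# parameter  = token "=" ( token / quoted-string )
MEDIA_TYPE_RE = re.compile(
    rf"{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*\s*"
)


def content_type_is_wellformed(value: str) -> bool:
    """True when the header value is a syntactically valid media type."""
    return MEDIA_TYPE_RE.fullmatch(value) is not None


def scan_content_type_values(values: List[str]) -> List[str]:
    """Return the Content-Type values that fail the media-type grammar.

    A value that is not even a well-formed media type has no legitimate
    reason to reach the Multipart parser; a front-end proxy or filter can
    log and reject such requests while the Struts upgrade is rolled out.
    """
    return [v for v in values if not content_type_is_wellformed(v)]


# Constructed sample header values (not taken from real traffic).
SAMPLE_CONTENT_TYPES = [
    "multipart/form-data; boundary=----WebKitFormBoundaryAbC123",  # valid
    "application/x-www-form-urlencoded",                           # valid
    'text/plain; charset="utf-8"',                                 # valid
    "multipart/form-data; boundary",                  # parameter without '='
    "multipart/form-data; boundary=abc extra",        # trailing garbage
    "multipart",                                      # no subtype
]

if __name__ == "__main__":
    for bad in scan_content_type_values(SAMPLE_CONTENT_TYPES):
        print(f"REJECT malformed Content-Type: {bad!r}")
```

This grammar check is a stop-gap for an ingress filter only; the advisory's fix remains upgrading to the patched Struts2 versions.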
http://www.cnvd.org.cn/flaw/show/CNVD-2017-02474
http://news.xinhuanet.com/itown/2017-03/07/c_136109084.htm?winzoom=1&from=timeline&isappinstalled=1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638