CVE-2017-5638
Published: 11 March 2017
Summary
CVE-2017-5638 is a critical-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in HP Server Automation. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2017-5638 resides in the Jakarta Multipart parser component of Apache Struts 2 versions 2.3.x prior to 2.3.32 and 2.5.x prior to 2.5.10.1. It arises from improper exception handling and error-message generation when processing file-upload requests, tracked as CWE-755, and carries a CVSS 3.1 base score of 9.8.
Unauthenticated remote attackers can exploit the flaw over the network by supplying a crafted Content-Type, Content-Disposition, or Content-Length HTTP header during a file-upload attempt, resulting in arbitrary command execution on the server with no user interaction required.
The issue was exploited in the wild in March 2017, including attacks that embedded a #cmd= string inside the Content-Type header. Multiple vendor advisories and security analyses reference the same attack pattern and affected Struts versions.
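A header-screening check for the attack pattern described above, added here as an example and not code from the advisory or the Struts project; the OGNL marker list and the sample requests are constructed assumptions, not captured traffic:

```python
import re

# Added detection example, not the advisory's or the Struts project's code.
# The marker list is an assumption: "#cmd=" is the string cited from the
# March 2017 attacks; "%{" and "${" open an OGNL expression in Struts.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#cmd=", re.IGNORECASE)
UPLOAD_HEADERS = ("content-type", "content-disposition", "content-length")

def parse_request_headers(raw):
    """Parse a raw HTTP request head into {lower-cased name: value}."""
    headers = {}
    for line in raw.splitlines():
        # Skip the request line and anything that is not "Name: value".
        if ":" not in line or line.split(" ", 1)[0] in ("GET", "POST", "PUT"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def scan_request(raw):
    """Return (header, reason) findings for one request head.

    Flags an OGNL-like expression in any of the three upload headers the
    advisory names, and a Content-Length that is not a plain integer.
    """
    findings = []
    for name, value in parse_request_headers(raw).items():
        if name not in UPLOAD_HEADERS:
            continue
        if OGNL_MARKERS.search(value):
            findings.append((name, "ognl-expression"))
        elif name == "content-length" and not value.isdigit():
            findings.append((name, "malformed-content-length"))
    return findings

# Constructed sample request heads: a normal multipart upload and one that
# carries the "#cmd=" marker in Content-Type.
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\n"
    "Content-Length: 512\n"
)
SUSPICIOUS_UPLOAD = (
    "POST /upload.action HTTP/1.1\n"
    "Content-Type: %{#cmd='id'}\n"
    "Content-Length: 0\n"
)
```

The same check can run over proxy or WAF logs that record request headers; a hit on a benign multipart boundary is not expected, so findings are high-signal.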
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-0625
Vulnerability details
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
- CWE(s): CWE-755 (Improper Handling of Exceptional Conditions)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely application of security patches to eliminate the known Struts Jakarta Multipart parser flaw before exploitation.
- SI-10 (Information Input Validation): Mandates validation of untrusted HTTP header inputs (Content-Type, Content-Disposition, Content-Length) that are used as the injection vector for command execution.
- Requires proper exception handling so that malformed upload headers do not trigger the error-message generation path that yields arbitrary command execution.