CVE-2017-9791
Published: 10 July 2017
Summary
CVE-2017-9791 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Apache Struts. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2017-9791 resides in the Struts 1 plugin component of Apache Struts 2.1.x and 2.3.x. It is an instance of improper input validation (CWE-20) that is triggered when a raw message containing a malicious field value is processed by ActionMessage, potentially leading to remote code execution. The flaw is rated 9.8 under CVSS 3.1, indicating that it is exploitable over the network with low attack complexity and no requirement for authentication or user interaction.
An unauthenticated remote attacker can supply crafted input to any Struts-based application that enables the Struts 1 plugin, achieving arbitrary code execution on the server and full compromise of confidentiality, integrity, and availability.
The primary advisory at http://struts.apache.org/docs/s2-048.html, along with related notices from Oracle, SecurityTracker, and NetApp, directs administrators to apply available patches or configuration changes that disable or remove the affected plugin. Additional references such as the SecurityFocus entry provide further details on affected builds and recommended upgrade paths.
No information on observed in-the-wild exploitation is included in the supplied references.
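The following is an added illustration, not code from the advisory or from the Struts project, of the coding pattern the analysis above describes: a user-controlled field value concatenated into the raw text of an `ActionMessage`, shown next to the hardened form in which the message text is a fixed resource-bundle key and the untrusted value travels only as a substitution argument. The class name, method names and the bundle key `gangster.added` are hypothetical; `ActionMessage`, `ActionMessages` and `ActionMessages.GLOBAL_MESSAGE` are the Struts 1 API used by the plugin.

```java
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

// Hypothetical helper contrasting the unsafe and the safe way of
// reporting a user-supplied value back through ActionMessage.
public final class ActionMessageUsage {

    /**
     * Unsafe pattern (the one CVE-2017-9791 concerns): the field value taken
     * from the request is spliced into the raw message string, so the whole
     * string, attacker-controlled part included, is handed to the plugin's
     * message processing as if it were the application's own message text.
     */
    static ActionMessages reportUnsafe(String userSuppliedName) {
        ActionMessages messages = new ActionMessages();
        // 'false' says the string is literal text rather than a bundle key,
        // but the raw, untrusted content is still processed downstream.
        messages.add(ActionMessages.GLOBAL_MESSAGE,
            new ActionMessage("Gangster " + userSuppliedName + " was added", false));
        return messages;
    }

    /**
     * Hardened pattern: the message is identified by a constant resource key
     * that the developer controls, and the untrusted value is supplied only
     * as the {0} argument of that resource, e.g. in the application bundle:
     *   gangster.added=Gangster {0} was added
     * The user can influence the rendered text but never the message itself.
     */
    static ActionMessages reportSafe(String userSuppliedName) {
        ActionMessages messages = new ActionMessages();
        messages.add(ActionMessages.GLOBAL_MESSAGE,
            new ActionMessage("gangster.added", userSuppliedName));
        return messages;
    }
}
```

Where the plugin is not needed at all, removing the struts2-struts1-plugin from the deployment (as the advisory's configuration-change option describes) eliminates the affected code path entirely, regardless of how messages are built.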
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1954
Vulnerability details
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
- CWE(s): CWE-20 (Improper Input Validation)
- KEV Date Added: 10 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces validation of untrusted field values supplied to ActionMessage, blocking the malicious input that triggers RCE.
- SI-2 (Flaw Remediation): Requires timely application of the Struts patches or removal of the vulnerable Struts 1 plugin as specified in the advisory.
- Limits installed components by disabling or removing the Struts 1 plugin, eliminating the attack surface for this flaw.