SA145 : Apache Struts 2 RCE Vulnerability

Security Advisory ID: 
SA145
Published Date: 
Mar 15, 2017
Advisory Status: 
Final
Advisory Severity: 
High
CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE Number: 
CVE-2017-5638 - 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Symantec Network Protection products using affected versions of Apache Struts 2 are susceptible to a remote code execution vulnerability.  A remote attacker can exploit this vulnerability to execute arbitrary code with the privileges of the web application server.

Affected Products:

No Symantec Network Protection products are vulnerable to CVE-2017-5638.

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Malware Analysis
Management Center
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent
X-Series XOS

Symantec no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support for vulnerability information about DLP.

Advisory Details: 

This Security Advisory addresses a remote code execution vulnerability in Apache Struts 2 (CVE-2017-5638).  No Symantec Network Protection products are vulnerable to CVE-2017-5638.

The Jakarta Multipart parser in Apache Struts 2 does not correctly handle file upload HTTP requests that carry a malicious Content-Type header.  A remote attacker can send a file upload request with a crafted Content-Type header and execute arbitrary code on the target system with the privileges of the web application server.

Workarounds: 

Symantec's ProxySG appliance can protect network servers by blocking the HTTP requests with malicious Content-Type headers needed to exploit this vulnerability.  ProxySG 6.6 deployed as a web application firewall (WAF) blocks the malicious HTTP requests by default.  The WAF Command Injection and Code Injection engines must be configured to scan HTTP request headers.

Customers deploying ProxySG 6.5 as a reverse or forward proxy can block HTTP requests with malicious Content-Type headers using the following CPL syntax:

<Proxy>
request.header.Content-Type.substring="%{(#" force_exception(invalid_request)

Customers deploying ProxySG 6.6 and 6.7 as a reverse or forward proxy can block HTTP requests with malicious headers using the following CPL syntax:

<Proxy>
http.request.normalization.default("urlDecode:(path),urlDecode:(header),urlDecode:urlDecode:htmlEntityDecode:(arg_name,arg)")

<Proxy>
http.request[header].substring="%{(#" force_exception(invalid_request)
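As an added illustration (not part of this advisory or of Symantec's own code), the following Python mirrors the two CPL rules above against constructed request heads: the 6.5 rule does a raw substring match on the Content-Type value only, while the 6.6/6.7 rule applies urlDecode:(header) normalization first and then matches every header, so it also catches a percent-encoded marker or a marker carried in a header other than Content-Type. The sample requests, the header name X-Constructed and the function names are assumptions made for this example.

```python
from urllib.parse import unquote

# Substring the advisory's CPL rules key on: the opening of an OGNL
# expression placed in a crafted Content-Type header.
OGNL_MARKER = "%{(#"

def parse_headers(raw_request):
    """Split a raw HTTP request head into a {lowercase-name: value} dict."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def rule_65(headers):
    """ProxySG 6.5 style rule: raw substring match on Content-Type only."""
    return OGNL_MARKER in headers.get("content-type", "")

def rule_66(headers):
    """ProxySG 6.6/6.7 style rule: urlDecode:(header) normalization first,
    then an http.request[header] substring match on every header value."""
    return any(OGNL_MARKER in unquote(value) for value in headers.values())

def verdict(headers):
    """force_exception(invalid_request) when either rule fires."""
    return "invalid_request" if rule_65(headers) or rule_66(headers) else "allow"

# Constructed sample request heads; the marker is only the "%{(#" prefix
# followed by a placeholder, not an expression.
SAMPLES = {
    "benign_upload": "POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                     "Content-Type: multipart/form-data; boundary=----constructed42\r\n\r\n",
    "marker_in_content_type": "POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                              "Content-Type: %{(#constructed_placeholder)}\r\n\r\n",
    "url_encoded_marker": "POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                          "Content-Type: %25%7B%28%23constructed_placeholder%29%7D\r\n\r\n",
    "marker_in_other_header": "POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                              "Content-Type: multipart/form-data; boundary=x\r\n"
                              "X-Constructed: %{(#constructed_placeholder)}\r\n\r\n",
}

def evaluate_samples():
    """Return {name: (rule_65 fired, rule_66 fired, verdict)} for each sample."""
    return {name: (rule_65(h), rule_66(h), verdict(h))
            for name, h in ((n, parse_headers(r)) for n, r in SAMPLES.items())}
```

The 6.5 rule misses the last two samples, which is why the 6.6/6.7 syntax pairs the normalization statement with a match over all request headers.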

Patches: 

No Symantec Network Protection products are vulnerable.

Advisory History: 

2017-03-16 SA status changed to Final.
2017-03-15 Initial public release.