Apache Struts
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*
- >= 2.3.5, <= 2.3.31
- >= 2.5, <= 2.5.10
This vulnerability is being actively exploited in the wild.
A remote code execution vulnerability has been identified in Apache Struts 2 versions 2.3.x prior to 2.3.32 and 2.5.x prior to 2.5.10.1. The issue arises in the Jakarta Multipart parser, which mishandles exceptions raised while a file upload request is being parsed: when the request carries an invalid Content-Type header, the parser builds an error message that includes the attacker-controlled header value, and that message is then evaluated as an OGNL expression. Because the multipart request is parsed by the Struts dispatcher before any action or interceptor runs, any Struts action URL is reachable this way, not only upload endpoints. Remote attackers can therefore execute arbitrary commands by crafting the Content-Type, Content-Disposition, or Content-Length HTTP headers. The vulnerability was actively exploited in March 2017 using a Content-Type header that included a '#cmd=' string.
Successful exploitation gives remote code execution on the server; the injected commands run with the privileges of the user account that runs the Apache Struts application, normally the servlet container's service account.
To reproduce this vulnerability, send a multipart file upload request to a server running a vulnerable version of Apache Struts with the Jakarta Multipart parser enabled (the default). Include a crafted Content-Type header that contains OGNL expressions, such as commands to be executed on the server. Use a harmless command that only reports the current user or host name; with the public payloads its output is written into the HTTP response body, so the test has succeeded when that output appears in the response. Conversely, a patched server answers a malformed Content-Type with an ordinary error response that does not contain the evaluated expression.
Upgrade to Apache Struts 2.3.32 or 2.5.10.1. If an immediate upgrade is not possible, consider switching to a different implementation of the Multipart parser or removing the File Upload Interceptor from the stack, but note that the dispatcher parses multipart requests before the interceptor stack runs, so removing the interceptor alone does not keep a request away from the vulnerable parser. A more reliable interim control is a servlet filter in front of Struts that validates the Content-Type header and rejects any request whose value is not a well-formed multipart/form-data type.
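The version ranges above are inclusive and the fixed releases differ from the last affected ones by a single component (2.3.31 versus 2.3.32, 2.5.10 versus 2.5.10.1), which is easy to get wrong with string comparison. The following Python script is an added example, not part of this advisory or of the Struts project; it encodes the affected ranges as version tuples and checks version strings and struts2-core jar file names against them. The jar names in the sample list are constructed for illustration.

```python
import re

# Affected ranges taken from the advisory, inclusive on both ends:
#   2.3.5 .. 2.3.31  and  2.5 .. 2.5.10
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)

# Leading numeric part of a version string; a qualifier such as
# "-SNAPSHOT" is ignored for the range check.
_NUM_RE = re.compile(r"^(\d+(?:\.\d+)*)")

# File name of the Struts core library as found in WEB-INF/lib.
_JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so that tuple ordering compares
    component by component instead of character by character."""
    m = _NUM_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True when the version falls inside one of the affected ranges.
    Python compares tuples lexicographically, so (2, 5) <= (2, 5, 0) and
    (2, 5, 10, 1) > (2, 5, 10), which is exactly the ordering we need."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def affected_jars(jar_names):
    """Return (jar name, version, affected?) for every struts2-core jar in
    the list; other jars are skipped."""
    findings = []
    for name in jar_names:
        m = _JAR_RE.search(name)
        if m:
            version = m.group(1)
            findings.append((name, version, is_affected(version)))
    return findings


# Constructed sample of a WEB-INF/lib listing (not taken from a real deployment).
SAMPLE_JARS = [
    "struts2-core-2.3.31.jar",
    "struts2-core-2.5.10.1.jar",
    "commons-io-2.5.jar",
]

if __name__ == "__main__":
    for name, version, hit in affected_jars(SAMPLE_JARS):
        print(f"{name}: {version} -> {'AFFECTED' if hit else 'not affected'}")
```

Run against the jar names under WEB-INF/lib of each deployed application; a hit on the range check is a reason to treat the host as exposed until it is upgraded.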
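The reproduction and the interim control above both come down to what the three named headers look like. The Python script below is an added example written for this page, not code from the Struts project: it implements the logic of a front-end filter that allow-lists well-formed multipart/form-data Content-Type values and additionally flags OGNL syntax in the Content-Type, Content-Disposition and Content-Length headers. The marker list is a heuristic assumption and the '#cmd=' entry is the only one the advisory itself names; the strict Content-Type pattern is the actual control. The sample requests are constructed, and the attack-style value is a deliberately incomplete fragment rather than a working payload.

```python
import re

# Allow-list for multipart uploads: RFC 2046 boundary characters, 1..70 long.
# Anything that starts with "multipart/" but does not match this is rejected,
# which is what stops the malformed Content-Type used against the Jakarta parser.
_MULTIPART_RE = re.compile(
    r"^multipart/form-data\s*;\s*boundary=\"?[0-9A-Za-z'()+_,\-./:=?]{1,70}\"?\s*$",
    re.IGNORECASE,
)

# Heuristic markers of OGNL injection (assumption: chosen for this example;
# only "#cmd=" is named in the advisory). Matched case-insensitively.
_OGNL_MARKERS = ("%{", "${", "#cmd=", "#_memberAccess", "@ognl.", "#context")

# The three headers the advisory lists as attacker-controlled inputs.
INSPECTED_HEADERS = ("Content-Type", "Content-Disposition", "Content-Length")


def ognl_marker(value):
    """Return the first OGNL marker found in a header value, else None."""
    lowered = value.lower()
    for marker in _OGNL_MARKERS:
        if marker.lower() in lowered:
            return marker
    return None


def classify_request(headers):
    """Return ('allow', None) or ('reject', reason) for one request's headers.
    Header names are matched case-insensitively, as HTTP requires."""
    lookup = {name.lower(): value for name, value in headers.items()}
    for name in INSPECTED_HEADERS:
        value = lookup.get(name.lower())
        if value is None:
            continue
        marker = ognl_marker(value)
        if marker:
            return ("reject", f"{name} contains OGNL marker {marker!r}")
    ctype = lookup.get("content-type", "")
    if ctype.lower().startswith("multipart/") and not _MULTIPART_RE.match(ctype):
        return ("reject", "malformed multipart Content-Type")
    return ("allow", None)


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "browser-upload": {
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
        "Content-Length": "1834",
    },
    "json-api": {"Content-Type": "application/json"},
    # Fragment in the style of the March 2017 attacks; intentionally not a complete expression.
    "s2-045-style": {"Content-Type": "%{(#cmd='id').(#_memberAccess['allowStaticMethodAccess']=true)}"},
    "disposition-variant": {
        "Content-Type": "multipart/form-data; boundary=abc123",
        "Content-Disposition": "form-data; name=\"upload\"; filename=\"%{#cmd='id'}\"",
    },
    "malformed-multipart": {"Content-Type": "multipart/form-data boundary"},
}


def classify_all(requests=SAMPLE_REQUESTS):
    """Classify every sample; returns {label: decision} for reporting or tests."""
    return {label: classify_request(hdrs)[0] for label, hdrs in requests.items()}


if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        decision, reason = classify_request(hdrs)
        print(f"{label:22s} {decision:6s} {reason or ''}")
```

The same two checks are what a WAF rule or an access-log search should encode: the allow-list catches the generic malformed-header case the parser trips over, while the marker search is only useful for triage of logs that record request headers, since an attacker can vary the expression freely.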