Apache Struts2 CVE-2017-5638 Vulnerability Follow-up (Mar 24, 2017)


In previous SonicAlert, we warned a critical remote code execution vulnerability (CVE-2017-5638) (S2-045) targeting Apache Struts2. A remote attacker could exploit this vulnerability by sending certain crafted HTTP request with mal-formed Content-Type value. A successful attack could execute arbitrary command on the web server.

SonicWall customers are protected by following signatures:

  • IPS: 12656 – Apache Struts 2 Jakarta Remote Code Execution (S2-045) 1
  • IPS: 12660 – Apache Struts 2 Jakarta Remote Code Execution (S2-045) 2

While SonicWall Threat Research Team keeps watching CVE-2017-5638, we observed that since March 23, number of firewalls reporting CVE-2017-5638 exploits has nearly doubled.

In the meantime, number of incidents has surged 50 times comparing to average incidents in the past 2 weeks.

It is possible that attackers are testing and exploiting CVE-2017-5638 with newly developed (and more powerful) tools. SonicWall urges all our customers to review their firewall logs and make sure they are running latest version of Apache Struts2.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.