Struts 2 Remote Code Execution Vulnerability (S2-045)

08/03/2017 11:32:31

Early in the morning of 7th March, Apache announced vulnerability S2-045 in Apache Struts2, with vulnerability number CVE-2017-5638. The Struts2 Jakarta Multipart parser plug-in has a remote code execution vulnerability. When the plug-in is used to upload a file, an attacker can modify the Content-Type value in the HTTP request header to trigger the vulnerability and execute code remotely, with consequences such as data leakage, defacement, getting administrator privileges, adding users, and viewing, modifying and deleting files.

S2-045 affected versions: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10

After the vulnerability was discovered, the Sangfor security team immediately developed and provided detection and solutions to help users avoid harm and maintain the security of their networks.


Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON. Struts 2 is one of the most popular Java Web application frameworks.

Vulnerability analysis

The attacker can send malicious code to the vulnerable server through the Content-Type field of the HTTP message header, resulting in arbitrary code execution.
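A defensive check for the header abuse described above, as an added example that is not from Sangfor or Apache: it flags Content-Type values in request logs that are not a well-formed media type, are oversized, or carry expression delimiters. The tab-separated log format, the function names, the length threshold and the sample lines are assumptions constructed for illustration.

```python
import re

# RFC 7230 "token" characters; braces and parentheses are not allowed in a media type.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PARAM = r"\s*;\s*" + TOKEN + r"=(?:" + TOKEN + r'|"[^"\\]*")'
MEDIA_TYPE = re.compile(r"^" + TOKEN + "/" + TOKEN + "(?:" + PARAM + r")*\s*$")

MAX_LEN = 256                 # assumption: threshold chosen for this example
EXPR_MARKERS = ("%{", "${")   # expression-language delimiters, never valid here


def check_content_type(value):
    """Return the reasons a Content-Type value is suspicious (empty list if clean)."""
    reasons = []
    if len(value) > MAX_LEN:
        reasons.append("oversized")
    if any(marker in value for marker in EXPR_MARKERS):
        reasons.append("expression-marker")
    if not MEDIA_TYPE.match(value):
        reasons.append("malformed-media-type")
    return reasons


def triage(lines):
    """Parse 'src<TAB>method<TAB>path<TAB>content-type' lines and return findings."""
    findings = []
    for line in lines:
        src, _method, path, ctype = line.rstrip("\n").split("\t", 3)
        if ctype in ("", "-"):      # request carried no Content-Type header
            continue
        reasons = check_content_type(ctype)
        if reasons:
            findings.append((src, path, reasons))
    return findings


# Constructed sample log lines (documentation IP ranges, placeholder payload).
SAMPLE_LOG = [
    "198.51.100.7\tPOST\t/upload.action\tmultipart/form-data; boundary=----abc123",
    "203.0.113.9\tPOST\t/upload.action\t%{CONSTRUCTED-PLACEHOLDER}.multipart/form-data",
    "198.51.100.7\tPOST\t/api/save.action\tapplication/json",
    "198.51.100.7\tGET\t/index.action\t-",
    "203.0.113.9\tPOST\t/upload.action\tmultipart/form-data" + "A" * 300,
]

if __name__ == "__main__":
    for src, path, reasons in triage(SAMPLE_LOG):
        print(f"{src} {path}: {', '.join(reasons)}")
```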

Vulnerability POC

Up to now, many POCs for this vulnerability have appeared on the public internet. One selected at random and tested in the environment successfully executed the “ifconfig” command.

Official solution

The official fixed version has been released, and users are recommended to upgrade to the latest version (Struts2 2.3.32 or Struts, the download link is as follows:

Struts 2.3.32:


Sangfor NGAF users, please update the IPS signature database to version 20170307 or newer; the NGAF can then easily defend against attacks that use this vulnerability.
