Category:   Application (Generic)  >   Apache Struts
Vendors:   Apache Software Foundation
Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
SecurityTracker Alert ID:  1037973
SecurityTracker URL:  http://securitytracker.com/id/1037973
CVE Reference:   CVE-2017-5638
Date:  Mar 9 2017
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.3.5 - 2.3.31, 2.5 - 2.5.10
Description:   A vulnerability was reported in Apache Struts. A remote user can execute arbitrary commands on the target system.

A remote user can supply specially crafted Content-Type data to exploit a flaw in the Jakarta multipart parser and execute arbitrary operating system commands on the target system.

Nike Zheng reported this vulnerability.

Impact:   A remote user can execute arbitrary operating system commands on the target system.
Solution:   The vendor has issued a fix (2.3.32, 2.5.10.1).

The vendor advisory is available at:

https://struts.apache.org/docs/s2-045.html

Vendor URL:  struts.apache.org/docs/s2-045.html
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
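A way to triage an inventory against the version ranges listed in this alert, as an added example that is not part of the original advisory or the vendor's tooling. It assumes the Struts 2 core library is deployed as `struts2-core-<version>.jar`; the sample paths are constructed.

```python
import re

# Affected ranges from this alert, inclusive: 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
# The fixed releases (2.3.32, 2.5.10.1) fall just outside these bounds.
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

# Assumption: the core library file is named struts2-core-<version>.jar.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1); trailing zeros are dropped so 2.5.0 == 2.5."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version_text):
    """True if the version lies inside one of the ranges listed in the alert."""
    v = parse_version(version_text)
    # Tuple comparison makes (2, 5, 10, 1) > (2, 5, 10), so the fix is excluded.
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def triage(paths):
    """Return {path: (version, status)} for every struts2-core jar found in paths."""
    report = {}
    for path in paths:
        match = JAR_RE.search(path)
        if match is None:
            continue  # not a Struts 2 core jar
        version = match.group(1)
        status = "AFFECTED" if is_affected(version) else "not in listed range"
        report[path] = (version, status)
    return report


# Constructed sample inventory, e.g. the result of a file search on a server.
SAMPLE_PATHS = [
    "/opt/app/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/srv/portal/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/srv/legacy/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/app/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for path, (version, status) in triage(SAMPLE_PATHS).items():
        print(f"{status:20} {version:10} {path}")
```

Products that bundle Struts (see the follow-up messages below) may not expose the jar under this name, so a clean result here does not replace the vendor's own advisory.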

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 14 2017 (VMware Issues Fix for VMware vCenter) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
VMware has issued a fix for VMware vCenter.
Mar 14 2017 (VMware Issues Fix for VMware vRealize Operations Center) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
VMware has issued a fix for VMware vRealize Operations Manager.
Mar 14 2017 (Cisco Issues Fix for Cisco Unity Connection) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued a fix for Cisco Unity Connection.
Mar 14 2017 (Cisco Issues Fix for Cisco Unified Intelligent Contact Management Enterprise) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued a fix for Cisco Unified Intelligent Contact Management Enterprise.
Mar 14 2017 (Cisco Issues Fix for Cisco Unified Contact Center) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued a fix for Cisco Unified Contact Center.
Mar 14 2017 (Cisco Issues Fix for Cisco Unified Communications Manager) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued a fix for Cisco Unified Communications Manager.
Mar 14 2017 (Cisco Issues Fix for Cisco Unified Communications Manager Session Management Edition) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued a fix for Cisco Unified Communications Manager Session Management Edition.
Mar 14 2017 (Cisco Issues Fix for Cisco Unified Communications Manager IM & Presence Service) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued a fix for Cisco Unified Communications Manager IM & Presence Service.
Mar 14 2017 (Cisco Issues Advisory for Cisco Emergency Responder) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued an advisory for Cisco Emergency Responder.
Mar 14 2017 (Cisco Issues Fix for Cisco Identity Services Engine) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued a fix for Cisco Identity Services Engine.
Mar 14 2017 (Cisco Issues Fix for Cisco Prime Service Catalog) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued a fix for Cisco Prime Service Catalog Appliance and Virtual Appliance.
Mar 14 2017 (Cisco Issues Advisory for Cisco Unified Intelligence Center) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued an advisory for Cisco Unified Intelligence Center.
Mar 21 2017 (Cisco Issues Advisory for Cisco Prime Network Registrar IP Address Manager) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued an advisory for Cisco Prime Network Registrar IP Address Manager (IPAM).
Mar 21 2017 (Cisco Issues Fix for Cisco Hosted Collaboration Solution for Contact Center) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued a fix for Cisco Hosted Collaboration Solution for Contact Center.
Mar 21 2017 (Cisco Issues Fix for Cisco MediaSense) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
Cisco has issued a fix for Cisco MediaSense.
Mar 23 2017 (VMware Issues Fix for VMware Horizon DaaS) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
VMware has issued a fix for VMware Horizon DaaS.
Mar 23 2017 (VMware Issues Fix for VMware vRealize Hyperic) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
VMware has issued a fix for VMware vRealize Hyperic.
Mar 28 2017 (VMware Issues Fix for VMware vRealize Operations Manager) Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
VMware has issued a fix for VMware vRealize Operations Manager 6.2.1, 6.3, 6.4, and 6.5.




Copyright 2017, SecurityGlobal.net LLC