Code Evaluation (Apache Struts) S2-045
Description
Apache Struts 2 versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10 contain a critical Remote Code Execution (RCE) vulnerability (CVE-2017-5638) in the Jakarta Multipart parser, the default parser the framework uses for file uploads. Whenever a request's Content-Type header contains the string "multipart/form-data", the Struts dispatcher hands the request to this parser before any action code runs. If the header value is not a well-formed multipart type, the parser throws an exception whose message embeds the raw header value; Struts then builds an error message from that exception and passes it through its text localisation code, which evaluates OGNL expressions (the %{...} syntax) found in the message. An attacker who places an OGNL expression in the Content-Type header therefore gets it evaluated on the server with no authentication, and the request does not need to target an upload action at all. The result is arbitrary command execution with the privileges of the application server.
Affected versions: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
Remediation
Immediately upgrade to a patched version of Apache Struts to eliminate this vulnerability:
For Struts 2.3.x users: Upgrade to Apache Struts 2.3.32 or later
For Struts 2.5.x users: Upgrade to Apache Struts 2.5.10.1 or later
Interim mitigation (if immediate patching is not possible):
1. Implement a servlet filter, mapped ahead of the Struts filter in web.xml, that validates the Content-Type header and rejects any value mentioning "multipart/form-data" that is not a well-formed multipart type (media type plus a boundary parameter), before the request reaches the Struts dispatcher
2. Deploy a Web Application Firewall (WAF) with rules to block Content-Type values containing OGNL expression syntax; treat this as a stopgap, since the framework itself remains vulnerable behind it
3. Restrict exposure of the application to trusted networks or users where possible; note that the vulnerable parsing happens before any action executes, so restricting only the upload actions to authenticated users does not prevent exploitation
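The following filter is an added example of the first interim mitigation; it is not code from the Apache Struts project or from the original advisory. It assumes the Servlet 3.x javax.servlet API and a class name (MultipartContentTypeFilter) chosen for illustration; the sample header values in main are constructed for the demonstration. The check is strict: a value is allowed unless it carries OGNL expression syntax or claims to be multipart/form-data without being a well-formed one with a boundary parameter.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that rejects malformed multipart Content-Type headers before
 * they reach the Struts dispatcher and its Jakarta multipart parser.
 * Illustrative code added to this page; not part of Apache Struts.
 */
public class MultipartContentTypeFilter implements Filter {

    /** Longer than any legitimate Content-Type; cheap first line of defence. */
    private static final int MAX_CONTENT_TYPE_LENGTH = 512;

    /**
     * "multipart/form-data" followed by zero or more ";name=value" parameters.
     * Values are either quoted strings or RFC 2046 boundary characters, so
     * expression syntax such as %{ or ${ can never match.
     */
    private static final Pattern WELL_FORMED_MULTIPART = Pattern.compile(
        "^multipart/form-data"
        + "(\\s*;\\s*[A-Za-z0-9_-]+=(\"[^\"\\r\\n]*\"|[A-Za-z0-9'()+_,./:=?-]+))*"
        + "\\s*;?\\s*$",
        Pattern.CASE_INSENSITIVE);

    /**
     * Returns true if the header value is safe to hand to Struts.
     * Static so it can be unit-tested without a servlet container.
     */
    static boolean isAcceptable(String contentType) {
        if (contentType == null) {
            return true;                  // no body type: the multipart parser is never invoked
        }
        if (contentType.length() > MAX_CONTENT_TYPE_LENGTH) {
            return false;
        }
        String lower = contentType.toLowerCase(Locale.ROOT);
        if (lower.contains("%{") || lower.contains("${")) {
            return false;                 // OGNL expression syntax has no place in a media type
        }
        if (!lower.contains("multipart/form-data")) {
            return true;                  // the dispatcher only parses multipart/form-data requests
        }
        // The value claims to be multipart/form-data, so it must be a
        // well-formed one, including the boundary the parser needs.
        return WELL_FORMED_MULTIPART.matcher(contentType).matches()
            && lower.contains("boundary=");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!isAcceptable(req.getContentType())) {
            // Stop the request here; nothing downstream ever sees the header.
            ((HttpServletResponse) res).sendError(
                HttpServletResponse.SC_BAD_REQUEST, "Unsupported Content-Type");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    /** Constructed sample headers to exercise the check outside a container. */
    public static void main(String[] args) {
        String[] samples = {
            "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW", // legitimate browser upload
            "multipart/form-data; charset=UTF-8; boundary=\"abc 123\"",           // quoted boundary, still fine
            "application/x-www-form-urlencoded",                                   // not multipart, passes through
            "multipart/form-data",                                                 // no boundary: malformed
            "%{'multipart/form-data'}",                                            // expression wrapped around the type
        };
        for (String s : samples) {
            System.out.printf("%-70s -> %s%n", s, isAcceptable(s) ? "allow" : "reject");
        }
    }
}
```

Register the filter in web.xml with a url-pattern of /* and declare its filter-mapping before the StrutsPrepareAndExecuteFilter mapping, because the container applies filters in mapping order and the check is worthless if Struts runs first. The filter is a stopgap only; upgrading remains the fix.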
Verification:
After upgrading, confirm the deployed version by checking the struts2-core JAR actually present in the application's WEB-INF/lib directory (or the resolved version in your build tool's dependency report), not just the version declared in the build file, since transitive dependencies or stale artifacts can pin an old release. Then run a negative test: a request whose Content-Type header is a malformed multipart value should be rejected with an ordinary error response and the header value, if echoed at all, must appear unevaluated. Finally, test the file upload functionality to ensure it operates correctly with the patched version.