Apache Struts2 Remote Code Execution Vulnerability (S2-045)

Apache Struts2 Remote Code Execution Vulnerability (S2-045)

março 9, 2017 | Adeline Zhang


Apache Struts2 is prone to a remote code execution vulnerability (CNNVD-201703-152) in the Jakarta Multipart parser plug-in. When uploading a file with this plug-in, an attacker could change the value of the Content-Type header field of an HTTP request to trigger this vulnerability, causing remote code execution.

For details, visit the following link:


Affected Versions

  • Struts 2.3.5 – Struts 2.3.31
  • Struts 2.5 – Struts 2.5.10

Unaffected Versions

  • Struts 2.3.32
  • Struts

Geographic Distribution of Struts2 Vulnerability

Vulnerability Analysis

Apache Struts2 is prone to a remote code execution vulnerability via the Content-Type header field of an HTTP request, an attacker could deliver malicious code to a vulnerable server causing remote code execution.

1. Vulnerability POC

2. Vulnerability Verification

3. Detailed Analysis

It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user. The preceding is the official vulnerability description.

As illustrated this vulnerability is due to the mishandling of error messages by Strust2. This vulnerability allows an attacker to inject OGNL expressions via the Content-Type header field to execute arbitrary code. The vulnerability analysis here targets Struts 2.3.24.The vulnerability POC shown below reveals how the attack commands are delivered to a vulnerable server via the Content-Type header field.

Due to the existence of #nike=’multipart/form-data’ amid parameters passed to the vulnerable server, the result of content_type.contains(“multipart/form-data”) is true, paving the way for the passing of attack code to the server.

During attack code passing to the server, “cat /etc/passwd” is assigned to the #cmd parameter. Then (#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd}) is executed to check the operating system type of the target host. After that, values are assigned to parameters to directive selectively.

The attack command to execute is as follows:

The entry of Struts2, FilterDispatcher.java first executes the doFilter function, then dispatcher.wrapRequest, and finally dispatcher.wrapRequest for request processing. The following figure shows the request wrapping method handling of the prepareDispatcherAndWrapRequest function.

The following figure depicts the command injection points:

For dispatcher.wrapRequest, when Content-Type is set to multipart/form-data, the MultiPartRequestWrapper function will be called for rapping upload requests transmitted in various ways that include Jakarta.

MultiPartRequestWrapper.java wraps the parse function:

The following figures shows the parse function:

Fix Action & Patch Link

Apache Struts


Apache Struts 2.3.32:


Vendor Solutions

Users are advised to upgrade Apache Struts to the latest secure version (Struts 2 2.3.32 or Struts by downloading the updates from the vendor’s official websites:

Struts 2.3.32:




Recommended Solutions

For external assets, use the emergency vulnerability detection service of NSFOCUS Cloud to check the vulnerability online. The services are available through the following links:


Remote Security Assessment System (RSAS V6):


Web Vulnerability Scanning System (WVSS):


NSFOCUS Network Intrusion Prevention System (NIPS):


NSFOCUS Intrusion Detection System (NIDS):


NSFOCUS Next-Generation Firewall (NF):


NSFOCUS Web Application Firewall (WAF):