Number: AV17-028
Date: 10 March 2017
Purpose
The purpose of this advisory is to raise awareness of security fixes for the Apache Struts Jakarta Multipart Parser. A software upgrade and a workaround are now available.
Assessment
Security fixes and a workaround to address a vulnerability in the Apache Struts Jakarta Multipart Parser have been released. The vulnerability could allow an attacker to achieve remote code execution. The severity of the issue is critical.
Versions affected:
- Struts 2.3.5 - Struts 2.3.31
- Struts 2.5 - Struts 2.5.10
Suggested action
CCIRC recommends that system administrators test and deploy the vendor-released updates or workaround to affected applications accordingly.
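To help identify which deployments fall inside the affected ranges above, the following is an added inventory check (not part of the advisory or of the Apache Struts project). It assumes the bundled library is named `struts2-core-<version>.jar` under a `WEB-INF/lib` directory, which is the common packaging; the sample jar names are constructed for illustration.

```python
import re
from pathlib import Path

# Affected ranges exactly as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]

# Assumed jar naming: struts2-core-<version>.jar, optional classifier suffix.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges.

    Tuple comparison gets the awkward cases right: (2, 5, 10, 1) sorts after
    (2, 5, 10), so the 2.5.10.1 release referenced in the advisory is outside
    the 2.5 - 2.5.10 range, and (2, 3, 9) sorts before (2, 3, 31) even though
    the string '2.3.9' sorts after '2.3.31'.
    """
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def classify_jars(jar_names):
    """Map each recognised struts2-core jar name to whether it is affected."""
    results = {}
    for name in jar_names:
        match = JAR_RE.match(name)
        if match:
            results[name] = is_affected(match.group(1))
    return results


def scan_lib_dir(lib_dir):
    """Walk a WEB-INF/lib tree and classify every struts2-core jar found."""
    return classify_jars(p.name for p in Path(lib_dir).rglob("struts2-core-*.jar"))


# Constructed sample jar names standing in for a real lib directory listing.
SAMPLE_JARS = [
    "struts2-core-2.3.9.jar",
    "struts2-core-2.5.10.1.jar",
    "struts2-core-2.5.10.jar",
]

if __name__ == "__main__":
    for name, affected in classify_jars(SAMPLE_JARS).items():
        print(f"{name}: {'AFFECTED' if affected else 'not in affected range'}")
```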
References
CVE: CVE-2017-5638
https://cwiki.apache.org/confluence/display/WW/S2-045
7 March 2017 - Struts 2.5.10.1 General Availability
https://struts.apache.org/announce.html