Security Fixes for Apache Struts Jakarta Multipart Parser

Number: AV17-028
Date: 10 March 2017

Purpose

The purpose of this advisory is to raise awareness of security fixes for the Apache Struts Jakarta Multipart Parser. A software upgrade and a workaround are now available.

Assessment

Security fixes and a workaround to address a vulnerability in the Apache Struts Jakarta Multipart Parser have been released. The vulnerability could allow an attacker to achieve remote code execution. The severity of the issue is critical.

Versions affected:

  • Struts 2.3.5 - Struts 2.3.31
  • Struts 2.5 - Struts 2.5.10
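The version ranges above are the practical triage criterion for this advisory. The following script, an added example and not part of the advisory or of any Apache tooling, checks struts2-core jar file names against those inclusive ranges, treating the patch release 2.5.10.1 named in the references as outside the affected range; the sample paths are constructed.

```python
import re
from typing import List, Tuple

# Affected ranges from the advisory, inclusive at both ends.
# "Struts 2.5" is read as 2.5.0.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5, 0), (2, 5, 10)),
)

# Matches the standard struts2-core jar naming, e.g. struts2-core-2.3.31.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """True if the Struts version lies inside an affected range.

    A four-part release such as 2.5.10.1 compares greater than 2.5.10,
    so it falls just outside the second range, as the advisory intends.
    """
    v = parse_version(version)
    if len(v) < 3:
        v = v + (0,) * (3 - len(v))  # pad '2.5' to (2, 5, 0)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def scan_jar_paths(paths: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (path, version, affected) for every struts2-core jar in paths."""
    results = []
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            version = match.group(1)
            results.append((path, version, is_affected(version)))
    return results


# Constructed sample paths; not taken from any real deployment.
SAMPLE_PATHS = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.5.jar",
    "/opt/app3/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for path, version, hit in scan_jar_paths(SAMPLE_PATHS):
        print(f"{'AFFECTED' if hit else 'ok      '} {version:<9} {path}")
```

A version match is a triage signal only: a host may already carry the vendor workaround, so confirm the deployed state before escalating.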

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released updates or the workaround to affected applications accordingly.

References

CVE: CVE-2017-5638
https://cwiki.apache.org/confluence/display/WW/S2-045

7 March 2017 - Struts 2.5.10.1 General Availability
https://struts.apache.org/announce.html
