An OGNL Expression Injection vulnerability in the Jakarta Multipart parser has recently been garnering a lot of attention (https://struts.apache.org/docs/s2-045.html). The parser is used in Apache Struts 2, versions 2.3.x (2.3.5 - 2.3.32) and 2.5.x (below 220.127.116.11). The vulnerability allows a remote attacker to inject OGNL expressions using a malformed multipart request and is assigned CVE-2017-5638. The attack payload may be used to modify the Struts environment or to execute operating system commands. Below is a quick assessment of the vulnerability.
HTTP requests can indicate a multipart request body by using a value of ‘multipart/form-data’ in the content-type header. When doing so, Apache Struts 2 expects a valid multipart formatted request body. Lack of such a body will trigger an error using various OGNL expressions along the code path. The generation of the error allows for the content-type header to be injected into such an expression without sufficient validation. Hence, the vulnerability.
To exploit the vulnerability, an OGNL expression may be submitted along with a multipart content-type header. The expression may be constructed to update various configurations in the Struts 2 environment. For example, Fortify WebInspect sends an attack payload that adds a new HTTP header to the immediate response.
In this scenario, a vulnerable server will add the injected headers in the HTTP response following the attack request, indicating the execution of the payload. Similarly, the payload may also be constructed to execute operating system commands on a remote shell and the results of the command may be routed back through the HTTP response. From the above scenarios, it can be seen that the underlying vulnerability is an OGNL expression injection, but it can be leveraged to perform more dangerous OS command executions.
A Fortify WebInspect check to detect this vulnerability is now available through Smartupdate.