Update

In recent days we have noticed a new exploit variant related to this vulnerability. Instead of the Content-Type header, this variant attempts to inject Java code into the file name parameter of the multipart upload request.

Figure 1: Request example containing the new exploitation vector.

ASM is able to mitigate this new exploit variant using the following user-defined signature:

content:"com"; content:"opensymphony"; distance:0; re2:"/\bcom[\.\/]opensymphony\b/";
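To show what the signature above actually matches, here is an added example (not code from the original post or from F5) that emulates its two parts in Python and runs them over constructed HTTP requests: a benign upload, the new filename variant, and the original Content-Type header vector described later in the post. The request bodies, the CONSTRUCTED_MARKER strings and the function names are all assumptions for the illustration; the marker strings are deliberately not working payloads, they only carry the token the signature keys on.

```python
import re

# Part 1 of the signature: content:"com"; content:"opensymphony"; distance:0;
# The literal "opensymphony" must occur at or after the end of a literal "com".
def content_chain_matches(data: bytes) -> bool:
    first_com = data.find(b"com")
    if first_com == -1:
        return False
    # distance:0 means the next search starts right where the previous match ended
    return data.find(b"opensymphony", first_com + len(b"com")) != -1

# Part 2 of the signature: re2:"/\bcom[\.\/]opensymphony\b/"
# "com" and "opensymphony" joined by a dot or a slash, on word boundaries.
SIG_RE = re.compile(rb"\bcom[./]opensymphony\b")

def signature_matches(data: bytes) -> bool:
    """Both parts must hold, as they would in the ASM user-defined signature."""
    return content_chain_matches(data) and SIG_RE.search(data) is not None

def parse_request(raw: bytes):
    """Minimal HTTP/1.1 request split into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

# filename="..." parameter of a multipart Content-Disposition part header
FILENAME_RE = re.compile(rb'filename="([^"]*)"', re.IGNORECASE)

def inspect(raw: bytes) -> list:
    """Return the request locations where the signature fires (empty list = clean)."""
    headers, body = parse_request(raw)
    hits = []
    if signature_matches(headers.get(b"content-type", b"")):
        hits.append("Content-Type header")
    for m in FILENAME_RE.finditer(body):
        if signature_matches(m.group(1)):
            hits.append("multipart filename parameter")
    return hits

# Constructed sample requests (assumptions, not captures from the post's honeypot).
BENIGN = (
    b"POST /upload.action HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n"
    b"--XYZ\r\nContent-Disposition: form-data; name=\"file\"; filename=\"report.pdf\"\r\n"
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.4 ...\r\n--XYZ--\r\n"
)
FILENAME_VARIANT = (
    b"POST /upload.action HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n"
    b"--XYZ\r\nContent-Disposition: form-data; name=\"file\"; "
    b"filename=\"%{com.opensymphony.CONSTRUCTED_MARKER}\"\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n--XYZ--\r\n"
)
HEADER_VARIANT = (
    b"POST /upload.action HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: %{com/opensymphony/CONSTRUCTED_MARKER}\r\n\r\n"
    b"--XYZ\r\nContent-Disposition: form-data; name=\"file\"; filename=\"report.pdf\"\r\n"
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.4 ...\r\n--XYZ--\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("filename variant", FILENAME_VARIANT),
                       ("header variant", HEADER_VARIANT)):
        print(f"{label}: {inspect(req) or 'no match'}")
```

The two-part structure matters: the `content` chain is the cheap pre-filter, and the `re2` pattern is what keeps the signature from firing on an unseparated `comopensymphony` string or on `com` and `opensymphony` appearing in unrelated places in a request. The example scans both the request Content-Type header and every multipart `filename` parameter, so the same logic covers the original vector and the new variant.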


An official ASM Security Update including this fix has already been released.


An advisory has been published regarding a critical 0-day Remote Code Execution vulnerability in Apache Struts. The vulnerability resides in the Apache Jakarta multipart parser and is triggered when it tries to parse the Content-Type header of the HTTP request, allowing remote attackers to execute arbitrary code on the vulnerable server.

An exploit for this vulnerability has already been published.

Mitigation with Big-IP ASM

ASM customers are already protected against this vulnerability.

While exploiting this vulnerability, an attacker will try to send a malicious HTTP multipart request containing multiple Java code injection payloads.

Figure 2: An attempt to exploit this vulnerability as it was caught on our honeypot.

The exploitation attempt will be detected by many existing Java Code Injection attack signatures and by several OS Command Execution signatures.

Figure 3: Exploit blocked with Attack Signature (200003459)



Figure 4: Exploit blocked with Attack Signature (200003471)



Figure 5: Exploit blocked with Attack Signature (200004153)



Figure 6: Exploit blocked with Attack Signature (200003450)

Figure 7: Exploit blocked with Attack Signature (200003058)

Figure 8: Exploit blocked with Attack Signature (200003441)

Mitigating with iRules

In the event you do not yet have ASM in your toolbelt, F5 has updated the official KB article to include an iRule that will protect your vulnerable web servers behind the BIG-IP.