Understanding the CVE-2017-5638 Struts2 RCE: Impact, Stats, and Fixes
The article examines the high‑risk CVE‑2017‑5638 vulnerability in Apache Struts2, detailing its remote code execution mechanism, global impact statistics across industries and regions, and provides comprehensive detection methods and three tiers of remediation solutions.
Apache Struts2, one of the most popular Java web frameworks, disclosed its first high‑severity vulnerability of the year on March 7 – CVE‑2017‑5638.
The flaw resides in the Jakarta Multipart parser plugin, allowing remote code execution when an attacker manipulates the Content-Type header of an HTTP request during file upload.
Two charts illustrate the worldwide and China‑specific distribution of vulnerable Struts installations.
Impact Statistics
Within 36 hours of the March 7 disclosure, over 22,000 scans were performed using the Green Alliance cloud emergency detection service. Analysis of the data shows:
The education sector was the most affected (23% of vulnerable sites), followed by government (19%), finance (17%), internet (10%), telecom (3%) and other sectors (27%).
Geographically, economically developed regions such as Beijing, Guangdong, Zhejiang, Shanghai and Fujian had the highest concentration of vulnerable sites, with detection percentages of 22%, 9.8%, 8.2%, 7.8% and 4.9% respectively.
In terms of response speed, finance, government and education organizations were the most proactive, with the finance sector often completing remediation within a few hours.
Detection and Remediation Options
The quickest way to check whether a server is vulnerable is to use the Green Alliance emergency detection service (access via the “Green Alliance Cloud” WeChat service menu).
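A complementary local check, added here as an example and not part of the original article or of the Green Alliance service: the Python script below scans proxy or access log entries (the tab-separated log format and the sample lines are constructed for this example) and flags requests whose Content-Type header is not a syntactically valid media type or carries an expression marker, which is what abuse of this header looks like at the log level.

```python
import re
from typing import List, Optional, Tuple

# Media-type grammar from RFC 7231 section 3.1.1.1, used as a whitelist for
# what a legitimate Content-Type may look like. tchar excludes "{" and "}",
# so a "%{...}" style header body never matches this pattern.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_MEDIA_TYPE = re.compile(
    rf"^{_TCHAR}/{_TCHAR}(?:\s*;\s*{_TCHAR}=(?:{_TCHAR}|{_QUOTED}))*\s*$"
)
# Expression markers that have no business in any media type; checked
# separately so they are caught even inside a quoted parameter value.
_EXPR_MARKERS = ("%{", "${")


def content_type_problem(value: str) -> Optional[str]:
    """Return a reason string if the header value is suspicious, else None."""
    if any(marker in value for marker in _EXPR_MARKERS):
        return "expression marker in Content-Type"
    if not _MEDIA_TYPE.fullmatch(value.strip()):
        return "Content-Type is not a syntactically valid media type"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan constructed tab-separated log lines of the form
    client_ip <TAB> method <TAB> path <TAB> content-type
    and return (client_ip, path, reason) for every suspicious request."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue  # malformed line, skip it
        ip, _method, path, ctype = parts
        reason = content_type_problem(ctype)
        if reason:
            hits.append((ip, path, reason))
    return hits


# Constructed sample log lines; the last two carry header values that a
# real browser or upload client would never send.
SAMPLE_LOG = [
    "203.0.113.5\tPOST\t/upload.action\tmultipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "203.0.113.6\tPOST\t/api/login\tapplication/json",
    "198.51.100.9\tPOST\t/upload.action\t%{constructed-placeholder}",
    "198.51.100.9\tPOST\t/upload.action\tmultipart/form-data; boundary=\"${constructed}\"",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A hit on a host that has not yet been upgraded is a reason to pull the full request from the upstream proxy and treat the server as potentially compromised, not just to block the client.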
1. Official Fix
Upgrade to a non‑vulnerable version: Struts 2.3.32 or Struts 2.5.10.1. Back up data before upgrading.
Download links:
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1
2. Temporary Workaround
If upgrading is not feasible, add the following constant to struts.xml under the <struts> tag:

<constant name="struts.custom.i18n.resources" value="global" />

Then create a global.properties file in WEB-INF/classes with the line:

struts.messages.upload.error.InvalidContentTypeException=1

3. Technical Solutions
Enterprises without dedicated security appliances should use professional security products or services to scan and remediate the vulnerability. Vendors have released emergency update packages; apply them to firewalls, IDS/IPS, and web‑application scanners.
For ongoing protection, consider using the Green Alliance remote assessment system (RSAS) or web‑application vulnerability scanning system (WVSS) to prevent similar incidents.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.