Initial Publication Date: 15 Mar 2017
Advisory Status: Closed
Advisory Severity: High
CVSS Base Score: CVSS v2: 10.0
Legacy ID: SA145
Symantec Network Protection products using affected versions of Apache Struts 2 are susceptible to a remote code execution vulnerability. A remote attacker can exploit this vulnerability to execute arbitrary code with the privileges of the web application server.
No Symantec Network Protection products are vulnerable to CVE-2017-5638.
Additional Product Information
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
Symantec HSM Agent for the Luna SP
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
Mail Threat Defense
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
ProxyAV ConLog and ConLogXP
Symantec no longer provides vulnerability information for the following products:
Please contact Digital Guardian technical support regarding vulnerability information for DLP.
The Jakarta Multipart parser in Apache Struts 2 does not correctly handle file upload HTTP requests with malicious Content-Type, Content-Disposition, and Content-Length headers. A remote attacker can send a file upload request with crafted headers and execute arbitrary code on the target system with the privileges of the web application server.
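A header screen for the three headers named above, as an added example that is not Symantec's or Apache's code: it flags a request when one of those headers carries an OGNL expression delimiter or when Content-Length is not a decimal integer. The delimiter check, the reason strings and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumption (not stated in the advisory): crafted values carry OGNL
# expression delimiters, "%{" or "${", which legitimate values of these
# headers rarely contain.
OGNL_MARKER = re.compile(r"[%$]\{")
WATCHED = {"content-type", "content-disposition", "content-length"}
HEADER_LINE = re.compile(r"^([A-Za-z-]+):[ \t]*(.*?)\r?$", re.MULTILINE)


def suspicious_headers(raw_request: str) -> list[tuple[str, str]]:
    """Return (header, reason) pairs for watched headers that should be blocked.

    Scans the whole request text, so Content-Disposition lines inside
    multipart parts are covered as well as request-level headers.
    """
    findings = []
    for match in HEADER_LINE.finditer(raw_request):
        name, value = match.group(1).lower(), match.group(2)
        if name not in WATCHED:
            continue
        if OGNL_MARKER.search(value):
            findings.append((name, "expression delimiter in value"))
        elif name == "content-length" and not value.strip().isdigit():
            findings.append((name, "not a decimal integer"))
    return findings


# Constructed sample requests; "placeholder" stands in for any expression.
BENIGN = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=XyZ\r\n"
    "Content-Length: 138\r\n\r\n"
    "--XyZ\r\n"
    'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n"
    "...\r\n--XyZ--\r\n"
)
CRAFTED_TYPE = BENIGN.replace(
    "multipart/form-data; boundary=XyZ", "%{placeholder}.multipart/form-data", 1)
CRAFTED_NAME = BENIGN.replace("report.pdf", "${placeholder}.pdf")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("type", CRAFTED_TYPE),
                       ("filename", CRAFTED_NAME)]:
        print(label, suspicious_headers(req))
```

Because the scan also covers part headers in the body, it can flag uploaded file content that happens to contain a matching header line; treat hits as candidates for blocking or review.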
Blue Coat's ProxySG appliance can protect network servers by blocking the HTTP requests with malicious headers needed to exploit this vulnerability.
ProxySG 6.6 and 6.7 web application firewall (WAF) deployments block malicious HTTP requests exploiting all known attack vectors. The WAF Command Injection and Code Injection engines must be configured to scan HTTP request headers. For more information, see the Symantec Connect blog article on the Symantec WAF solution and CVE-2017-5638.
ProxySG 6.5, 6.6, and 6.7 non-WAF deployments can block malicious HTTP requests exploiting the Content-Type and Content-Length attack vectors, but not Content-Disposition vectors. All ProxySG 6.5, 6.6, and 6.7 releases can block requests with malicious Content-Type headers using the following CPL syntax: