Using Qualys WAF 2.0 to Protect Against Critical Apache Struts2 Vulnerability (CVE-2017-5638)

Document created by Vikas Phonsa on Mar 14, 2017. Last modified by Robert Dell'Immagine on Apr 19, 2019.

On March 7, 2017, a critical vulnerability (CVE-2017-5638, Apache advisory S2-045) in the Jakarta Multipart parser of Apache Struts 2 was disclosed. It exposes vulnerable applications (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10) to unauthenticated remote command execution: an attacker who can reach the application over HTTP can run arbitrary commands as the application server process, and so steal critical data or take control of your application servers.


The vulnerability is triggered by a malformed Content-Type header on a multipart HTTP request. The parser rejects the header with an error message that contains the header value, and Struts then evaluates that message as an OGNL expression, so an attacker simply places the expression in the Content-Type header. Qualys Web Application Firewall (WAF) 2.0 lets you create custom security rules that inspect the Content-Type header, detect malicious values and block requests targeting this vulnerability. Custom rules are flexible and can be tailored to the specific security requirements of your website using a wide variety of HTTP request attributes. Whitelisting and blacklisting of content types for your web application can also be done in the HTTP Profiles of the Qualys WAF security configuration.
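The two approaches the paragraph mentions, a blacklist of malicious Content-Type values and a whitelist of acceptable ones, are easiest to compare in code. The following is an added example written for this page, not Qualys WAF rule syntax or any vendor signature set: it classifies header values the way such a rule would, first matching a short list of OGNL indicators (an assumed list chosen for the demo) and then, for anything that mentions multipart/form-data, requiring the value to fit the strict RFC 7230 token/quoted-string grammar with a boundary parameter. The header samples are constructed, and the S2-045-shaped one has the command payload removed.

```python
"""Classify HTTP Content-Type header values the way a WAF rule for
CVE-2017-5638 (Struts S2-045) would: blacklist known OGNL markers, then
whitelist only well-formed multipart/form-data values.

Added example for this page; not Qualys WAF code. The header samples are
constructed for the demo and the marker list is an assumption, not a
vendor signature set.
"""
from __future__ import annotations

import re

# RFC 7230 "tchar" set: the characters allowed in an unquoted token. Note that
# '{', '}', '(', ')' and '=' are NOT token characters, so an OGNL expression
# such as %{(#_='multipart/form-data')...} can never satisfy this grammar.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One ";name=value" parameter with either a token or a quoted-string value.
_PARAM = rf'\s*;\s*{_TOKEN}=(?:{_TOKEN}|"[^"\\\r\n]*")'
# Whitelist: exactly "multipart/form-data" followed by zero or more parameters.
_MULTIPART_RE = re.compile(rf"^multipart/form-data(?:{_PARAM})*\s*$", re.IGNORECASE)
_BOUNDARY_RE = re.compile(r";\s*boundary=", re.IGNORECASE)

# Blacklist: lower-cased substrings that mark an OGNL expression or the
# member-access bypass used by the public S2-045 proof of concept. These are
# assumed indicators for this demo; a pattern list is easy to evade, so the
# whitelist below is the layer that actually carries the protection.
_OGNL_MARKERS = ("%{", "${", "#_memberaccess", "@ognl.", "#context", "#_='multipart")


def classify_content_type(value: str) -> tuple[str, str]:
    """Return ("block" | "allow", reason) for one Content-Type header value."""
    lowered = value.lower()
    for marker in _OGNL_MARKERS:
        if marker in lowered:
            return "block", f"blacklist: OGNL marker {marker!r} present"
    # Struts only hands a request to the Jakarta multipart parser when the
    # header contains "multipart/form-data", so that is the value to police.
    if "multipart/form-data" not in lowered:
        return "allow", "not a multipart/form-data request"
    if not _MULTIPART_RE.match(value):
        return "block", "whitelist: value does not match strict type/subtype; params grammar"
    if not _BOUNDARY_RE.search(value):
        return "block", "whitelist: multipart/form-data without a boundary parameter"
    return "allow", "whitelist: well-formed multipart/form-data"


# Constructed sample header values (not captured traffic). "s2-045-shape" is
# the shape of the public PoC with its command payload removed; "odd-param"
# carries no blacklisted marker but still fails the grammar.
SAMPLE_HEADERS = {
    "browser-upload": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "quoted-boundary": 'multipart/form-data; boundary="abc123"; charset=utf-8',
    "s2-045-shape": "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm)}",
    "odd-param": "multipart/form-data; boundary=x; name=(#foo)",
    "no-boundary": "multipart/form-data",
    "json-api": "application/json",
}


def scan(headers: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Classify every sample and return {name: (verdict, reason)}."""
    return {name: classify_content_type(value) for name, value in headers.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in scan(SAMPLE_HEADERS).items():
        print(f"{name:16} {verdict:5} {reason}")
```

The "odd-param" sample is the reason to pair the two checks: it slips past the marker list but is rejected by the grammar, which is what a whitelist of content types in the HTTP Profile buys you. Two caveats for anyone turning this into a rule: be sure the allowed grammar covers every Content-Type your real upload clients send (some add parameters beyond boundary), and remember that the same CVE was later shown reachable through the Content-Disposition filename of a multipart part (Apache advisory S2-046), so a rule on Content-Type alone is a stopgap until Struts is upgraded.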


For more information on how to use Qualys WAF to protect against the Apache Struts2 vulnerability, please see this blog post.