It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value is not valid, an exception is thrown, and the exception message is then used to display an error message to the user.
Exploits have already been disclosed, and the observed payloads vary; they now include IRC bouncers, DoS bots and various other botnet clients.
Our products are not impacted as we do not use Apache Struts 2.
DenyAll WAF and i-Suite products
Our ICX default policy blocks the majority of the payloads used in the Content-Type header (detecting them as a buffer overflow), but you can also strengthen your policy by enabling the Command Injection pattern on headers, especially on the Content-Type header.
By default, if it is still enabled, the payload will be blocked by the header size check, but we recommend enabling the Scoringlist engine on headers (option ‘Use current Scoringlist to protect the request headers’) to mitigate the payload even if its size varies.
For additional protection, you can also activate the advanced engine ‘Scripting language injection protection code’ with the option ‘Protect request headers’.
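The three controls above (header size limit, injection pattern on headers, and scripting-language detection on headers) can be illustrated with a small inspector that applies the same layered checks to a Content-Type value. This is an added example, not DenyAll code and not tied to any WAF product; the 256-byte limit, the expression markers and the sample header values are assumptions chosen for the demonstration, and the sample header containing an expression opener is a marker only, not a working payload.

```python
import re
from dataclasses import dataclass

# RFC 2045 "token" characters, used for type, subtype, parameter names
# and unquoted parameter values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"

# A syntactically valid media type: type/subtype followed by zero or more
# ";name=value" parameters, where value is a token or a quoted string.
_MEDIA_TYPE_RE = re.compile(
    rf'^\s*{_TOKEN}/{_TOKEN}\s*(?:;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|"[^"]*")\s*)*$'
)

# Expression-language openers that have no legitimate use in a
# Content-Type header (assumed list; extend for your environment).
_EXPRESSION_MARKERS = ("%{", "${", "#{")

# Assumed header size limit; a legitimate Content-Type is rarely this long.
MAX_HEADER_LEN = 256


@dataclass
class Verdict:
    allowed: bool
    reason: str


def inspect_content_type(value: str, max_len: int = MAX_HEADER_LEN) -> Verdict:
    """Apply the layered checks in order: size, injection markers, syntax."""
    # Layer 1: header size check (the coarse control mentioned above).
    if len(value) > max_len:
        return Verdict(False, "header-too-long")
    # Layer 2: scripting/expression-language injection markers on the header.
    for marker in _EXPRESSION_MARKERS:
        if marker in value:
            return Verdict(False, f"expression-marker:{marker}")
    # Layer 3: reject anything that is not a well-formed media type, so the
    # application never has to raise an exception over a malformed value.
    if not _MEDIA_TYPE_RE.match(value):
        return Verdict(False, "malformed-media-type")
    return Verdict(True, "ok")


# Constructed sample header values (not captured traffic).
SAMPLE_HEADERS = [
    "application/json",
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    'text/html; charset="utf-8"',
    "%{(#demo='marker only, not a payload')}",
    "multipart/form-data; boundary=" + "A" * 300,
    "text/plain; charset=utf-8; ",
]


def scan(headers):
    """Return (truncated header, verdict) pairs for a batch of header values."""
    return [(h[:40], inspect_content_type(h)) for h in headers]


if __name__ == "__main__":
    for shown, verdict in scan(SAMPLE_HEADERS):
        state = "ALLOW" if verdict.allowed else "BLOCK"
        print(f"{state:5} {verdict.reason:24} {shown}")
```

The order of the checks matters: the size limit is cheap and catches oversized payloads regardless of content, the marker check gives a precise block reason for expression-language injection even when the payload is short, and the syntax check closes the gap for anything else that would otherwise reach the application's parser and trigger the error path.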
DenyAll recommends updating Apache Struts 2 as soon as possible, as this vulnerability has been fixed in Apache Struts 2.3.32 and 2.5.10.1.