-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1554
          Multiple Vulnerabilities have been identified in Apache
                          Struts prior to 2.3.29
                               20 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Struts
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4465 CVE-2016-4438 CVE-2016-4436
                   CVE-2016-4433 CVE-2016-4431 CVE-2016-4430
                   CVE-2016-0785  

Reference:         ESB-2016.0714

Original Bulletin: 
   http://struts.apache.org/docs/s2-035.html
   http://struts.apache.org/docs/s2-036.html
   http://struts.apache.org/docs/s2-037.html
   http://struts.apache.org/docs/s2-038.html
   http://struts.apache.org/docs/s2-039.html
   http://struts.apache.org/docs/s2-040.html
   http://struts.apache.org/docs/s2-041.html

Comment: This bulletin contains seven (7) Apache security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

S2-035

Summary

Action name clean up is error prone

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible way to craft vulnerable payload

Maximum security rating

Low

Recommendation

Upgrade to latest version of the Apache Struts, 2.3.29 or 2.5.1.

Affected Software

Struts 2.0.0 - Struts 2.3.28.1

Reporters

Alvaro Munoz alvaro dot munoz at hpe dot com

Sam Ng samn at hpe dot com

CVE Identifier

CVE-2016-4436

Problem

The method used to clean up the action name can, given crafted input, produce a
vulnerable payload that an attacker could use to perform an unspecified attack.

Solution

You should upgrade to the latest Struts version or implement your own version of
ActionMapper based on the source code of the recommended Struts versions.

Backward compatibility

No issues expected when upgrading Struts version.

Workaround

Implement your own version of the clean-up method which will throw an exception.

- ---

S2-036

Summary

Forced double OGNL evaluation, when evaluated on raw user input in tag 
attributes, may lead to remote code execution (similar to S2-029)

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution vulnerability

Maximum security rating

Medium

Recommendation

Always validate incoming parameters' values when re-assigning them to certain
Struts tag attributes.

Don't use %{...} syntax in tag attributes other than value unless you have a 
valid use-case.

Alternatively upgrade to Struts 2.3.29 or Struts 2.5.1

Affected Software

Struts 2.0.0 - Struts 2.3.28.1

Reporters

Alvaro Munoz alvaro dot munoz at hpe.com

CVE Identifier

CVE-2016-0785

Problem

The same issue was reported in S2-029 but the proposed solutions were not
fully proper. The Apache Struts framework, when forced, performs double
evaluation of attributes' values assigned to certain tags, so it is possible to
pass in a value that will be evaluated again when a tag's attributes are
rendered.

Solution

Add proper validation of each incoming value that is used in tag attributes.

Don't use forced evaluation of an attribute other than value using %{...}
syntax unless it is really needed for a valid use-case.

By upgrading to Struts 2.3.29 or 2.5.1, possible malicious effects of forced 
double evaluation are limited.

Backward compatibility

Some backward incompatibility issues are expected when upgrading to Struts
2.3.28 - it can happen that some OGNL expressions stop working because of
performing disallowed arithmetic operations and assignments.

Workaround

Not possible as this fix requires changes in OGNL and how Struts uses OGNL in
certain aspects.

- ---

S2-037

Summary

Remote Code Execution can be performed when using REST Plugin.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution

Maximum security rating

High

Recommendation

Upgrade to Struts 2.3.29.

Affected Software

Struts 2.3.20 - Struts 2.3.28.1

Reporter

Chao Jack PKAV jc1990999 at yahoo dot com

Shinsaku Nomura nomura at bitforest dot jp

CVE Identifier

CVE-2016-4438

Problem

It is possible to pass a malicious expression which can be used to execute
arbitrary code on the server side when using the REST Plugin.

Solution

Upgrade to Apache Struts version 2.3.29.

Backward compatibility

Some backward incompatibility issues are expected when upgrading to Struts
2.3.28 - it can happen that some OGNL expressions stop working because of
performing disallowed arithmetic operations and assignments.

Workaround

Not possible as this fix requires changes in OGNL and how Struts uses OGNL in
certain aspects.

- ---

S2-038

Summary

It is possible to bypass token validation and perform a CSRF attack

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible CSRF attack

Maximum security rating

Medium

Recommendation

Upgrade to Struts 2.3.29.

Affected Software

Struts 2.3.20 - Struts 2.3.28.1

Reporter

Takeshi Terada websec02 dot g02 at gmail.com

CVE Identifier

CVE-2016-4430

Problem

It is possible to pass a malicious expression which can be used to bypass
token validation and perform a CSRF attack.

Solution

Upgrade to Apache Struts version 2.3.29.

Backward compatibility

Some backward incompatibility issues are expected when upgrading to Struts 
2.3.28 - it can happen that some OGNL expressions stop working because of 
performing disallowed arithmetic operations and assignments.

Workaround

You can try using a more restrictive RegEx for cleaning up action names, as
below:

<constant name="struts.allowed.action.names" value="[a-zA-Z]*" />

Please adjust the RegEx to your action naming pattern; it should be as
narrow as possible.

- ---

S2-039

Summary

Getter as action method leads to security bypass

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible manipulation of return result and bypassing validation

Maximum security rating

Medium

Recommendation

Upgrade to Struts 2.3.29.

Affected Software

Struts 2.3.20 - Struts 2.3.28.1

Reporter

Takeshi Terada websec02 dot g02 at gmail.com

CVE Identifier

CVE-2016-4433

Problem

It is possible to pass a crafted request which can be used to bypass an internal
security mechanism and manipulate the return string, which can lead to
redirecting the user to an unvalidated location.

Solution

Upgrade to Apache Struts version 2.3.29.

Backward compatibility

Some backward incompatibility issues are expected when upgrading to Struts 
2.3.28 - it can happen that some OGNL expressions stop working because of 
performing disallowed arithmetic operations and assignments.

Workaround

You can try using a more restrictive RegEx for cleaning up action names, as
below:

<constant name="struts.allowed.action.names" value="[a-zA-Z]*" />

Please adjust the RegEx to your action naming pattern; it should be as
narrow as possible.

- ---

S2-040

Summary

Input validation bypass using existing default action method.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible manipulation of return result and bypassing validation

Maximum security rating

Medium

Recommendation

Upgrade to Struts 2.3.29.

Affected Software

Struts 2.3.20 - Struts 2.3.28.1

Reporter

Takeshi Terada websec02 dot g02 at gmail.com

CVE Identifier

CVE-2016-4431

Problem

Using an existing default method it can be possible to bypass an internal
security mechanism and manipulate the return string, which can lead to
redirecting the user to an unvalidated location.

Solution

Upgrade to Apache Struts version 2.3.29.

Backward compatibility

Some backward incompatibility issues are expected when upgrading to Struts 
2.3.28 - it can happen that some OGNL expressions stop working because of 
performing disallowed arithmetic operations and assignments.

Workaround

You can try using a more restrictive RegEx for cleaning up action names, as
below:

<constant name="struts.allowed.action.names" value="[a-zA-Z]*" />

Please adjust the RegEx to your action naming pattern; it should be as
narrow as possible.
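The following is an added standalone example, not code from Apache Struts or from this bulletin. It shows the reject-instead-of-clean-up check that the S2-035 workaround calls for, driven by the same kind of allow-list RegEx the S2-038/S2-039/S2-040 workarounds set through struts.allowed.action.names, and it runs the bulletin's `[a-zA-Z]*` beside a constructed wider pattern over constructed sample names so you can see which naming conventions each one rejects.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Standalone illustration (not Struts code): validate an action name against
 * an allow-list pattern and throw on mismatch, rather than stripping or
 * rewriting characters. Patterns and sample names are constructed for the demo.
 */
public class ActionNameCheck {

    /** Pattern from the bulletin's workaround: letters only.
     *  Note that '*' also accepts the empty name; use '+' to require at least one letter. */
    static final Pattern LETTERS_ONLY = Pattern.compile("[a-zA-Z]*");

    /** Constructed wider pattern for an application whose actions use digits and '_'. */
    static final Pattern WITH_DIGITS_UNDERSCORE = Pattern.compile("[a-zA-Z0-9_]*");

    /**
     * Returns the raw name unchanged when it fully matches the allow-list and
     * throws otherwise. Nothing is stripped or rewritten, so the name that
     * reaches the action mapping is always exactly the string that was validated.
     */
    static String requireAllowed(String rawActionName, Pattern allowed) {
        if (rawActionName == null || !allowed.matcher(rawActionName).matches()) {
            throw new IllegalArgumentException(
                    "Action name rejected by allow-list: " + rawActionName);
        }
        return rawActionName;
    }

    public static void main(String[] args) {
        // Constructed sample names covering common naming conventions.
        List<String> names = Arrays.asList(
                "login", "viewProfile", "user_list", "report2016",
                "view-profile", "order.list");
        for (Pattern p : Arrays.asList(LETTERS_ONLY, WITH_DIGITS_UNDERSCORE)) {
            System.out.println("pattern " + p.pattern() + ":");
            for (String n : names) {
                try {
                    System.out.println("  accepted " + requireAllowed(n, p));
                } catch (IllegalArgumentException e) {
                    System.out.println("  rejected " + n);
                }
            }
        }
    }
}
```

With `[a-zA-Z]*` only "login" and "viewProfile" pass, so an application using underscores, digits, hyphens or dots in action names must widen the pattern to its own convention, as the workaround text says, while keeping it as narrow as that convention allows.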

- ---

S2-041

Summary

Possible DoS attack when using URLValidator

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible DoS attack when using URLValidator

Maximum security rating

Low

Recommendation

Upgrade to Struts 2.3.29 or Struts 2.5.1

Affected Software

Struts 2.3.20 - Struts 2.3.28.1 and Struts 2.5

Reporter

ASAI Ken tc535mr2 at gmail dot com

CVE Identifier

CVE-2016-4465

Problem

If an application allows a URL to be entered in a form field and the built-in
URLValidator is used, it is possible to prepare a special URL which will be
used to overload the server process when performing validation of the URL.

Solution

Upgrade to Apache Struts version 2.3.29 or 2.5.1.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

You can redefine the RegEx used by URLValidator as below:

<validator type="url">
    <param name="fieldName">myHomePage</param>
    <param name="urlRegex">^(https?|ftp):\\/\\/(([a-z0-9$_\\.\\+!\\*\\'\\(\\),;\\?&=-]|%[0-9a-f]{2})+(:([a-z0-9$_\\.\\+!\\*\\'\\(\\),;\\?&=-]|%[0-9a-f]{2})+)?@)?(#?)((([a-z0-9]\\.|[a-z0-9][a-z0-9-]*[a-z0-9]\\.)*[a-z][a-z0-9-]*[a-z0-9]|((\\d|[1-9]\\d|1\\d{2}|2[0-4][0-9]|25[0-5])\\.){3}(\\d|[1-9]\\d|1\\d{2}|2[0-4][0-9]|25[0-5]))(:\\d+)?)(((\\/{0,1}([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)*(\\?([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)?)?)?(#([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)?$</param>
    <message>Invalid homepage url</message>
</validator>

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================