-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1554
  Multiple Vulnerabilities have been identified in Apache Struts prior to 2.3.29
                               20 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Struts
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4465 CVE-2016-4438 CVE-2016-4436 CVE-2016-4433
                   CVE-2016-4431 CVE-2016-4430 CVE-2016-0785
Reference:         ESB-2016.0714

Original Bulletin:
   http://struts.apache.org/docs/s2-035.html
   http://struts.apache.org/docs/s2-036.html
   http://struts.apache.org/docs/s2-037.html
   http://struts.apache.org/docs/s2-038.html
   http://struts.apache.org/docs/s2-039.html
   http://struts.apache.org/docs/s2-040.html
   http://struts.apache.org/docs/s2-041.html

Comment: This bulletin contains seven (7) Apache security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

S2-035

Summary
Action name clean up is error prone

Who should read this
All Struts 2 developers and users

Impact of vulnerability
Possible way to craft vulnerable payload

Maximum security rating
Low

Recommendation
Upgrade to latest version of the Apache Struts, 2.3.29 or 2.5.1.
Affected Software
Struts 2.0.0 - Struts 2.3.28.1

Reporters
Alvaro Munoz alvaro dot munoz at hpe dot com
Sam Ng samn at hpe dot com

CVE Identifier
CVE-2016-4436

Problem
The method used to clean up action names can produce a vulnerable payload from crafted input, which an attacker could use to perform an unspecified attack.

Solution
You should upgrade to the latest Struts version, or implement your own version of ActionMapper based on the source code of the recommended Struts versions.

Backward compatibility
No issues expected when upgrading Struts version.

Workaround
Implement your own version of the clean up method which will throw an exception.

- ---

S2-036

Summary
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029)

Who should read this
All Struts 2 developers and users

Impact of vulnerability
Possible Remote Code Execution vulnerability

Maximum security rating
Medium

Recommendation
Always validate incoming parameters' values when re-assigning them to certain Struts tag attributes. Don't use the %{...} syntax in tag attributes other than value unless you have a valid use-case. Alternatively upgrade to Struts 2.3.29 or Struts 2.5.1.

Affected Software
Struts 2.0.0 - Struts 2.3.28.1

Reporters
Alvaro Munoz alvaro dot munoz at hpe.com

CVE Identifier
CVE-2016-0785

Problem
The same issue was reported in S2-029, but the proposed solutions were not fully proper. The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tags, so it is possible to pass in a value that will be evaluated again when a tag's attributes are rendered.

Solution
Add proper validation of each value that comes in and is used in a tag's attributes. Don't use forced evaluation of an attribute other than value using the %{...} syntax unless really needed for a valid use-case. By upgrading to Struts 2.3.29 or 2.5.1, the possible malicious effects of forced double evaluation are limited.
Backward compatibility
Some backward incompatibility issues are expected when upgrading to Struts 2.3.28 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.

Workaround
Not possible, as this fix requires changes in OGNL and how Struts uses OGNL in certain aspects.

- ---

S2-037

Summary
Remote Code Execution can be performed when using the REST Plugin.

Who should read this
All Struts 2 developers and users

Impact of vulnerability
Possible Remote Code Execution

Maximum security rating
High

Recommendation
Upgrade to Struts 2.3.29.

Affected Software
Struts 2.3.20 - Struts 2.3.28.1

Reporter
Chao Jack PKAV jc1990999 at yahoo dot com
Shinsaku Nomura nomura at bitforest dot jp

CVE Identifier
CVE-2016-4438

Problem
It is possible to pass a malicious expression which can be used to execute arbitrary code on the server side when using the REST Plugin.

Solution
Upgrade to Apache Struts version 2.3.29.

Backward compatibility
Some backward incompatibility issues are expected when upgrading to Struts 2.3.28 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.

Workaround
Not possible, as this fix requires changes in OGNL and how Struts uses OGNL in certain aspects.

- ---

S2-038

Summary
It is possible to bypass token validation and perform a CSRF attack

Who should read this
All Struts 2 developers and users

Impact of vulnerability
Possible CSRF attack

Maximum security rating
Medium

Recommendation
Upgrade to Struts 2.3.29.

Affected Software
Struts 2.3.20 - Struts 2.3.28.1

Reporter
Takeshi Terada websec02 dot g02 at gmail.com

CVE Identifier
CVE-2016-4430

Problem
It is possible to pass a malicious expression which can be used to bypass token validation and perform a CSRF attack.

Solution
Upgrade to Apache Struts version 2.3.29.
Backward compatibility
Some backward incompatibility issues are expected when upgrading to Struts 2.3.28 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.

Workaround
You can try to use a more restrictive RegEx to clean up action names, as below:

<constant name="struts.allowed.action.names" value="[a-zA-Z]*" />

Please adjust the RegEx to your action naming pattern; it should be as narrow as possible.

- ---

S2-039

Summary
Getter as action method leads to security bypass

Who should read this
All Struts 2 developers and users

Impact of vulnerability
Possible manipulation of return result and bypassing validation

Maximum security rating
Medium

Recommendation
Upgrade to Struts 2.3.29.

Affected Software
Struts 2.3.20 - Struts 2.3.28.1

Reporter
Takeshi Terada websec02 dot g02 at gmail.com

CVE Identifier
CVE-2016-4433

Problem
It is possible to pass a crafted request which can be used to bypass an internal security mechanism and manipulate the return string, which can lead to redirecting the user to an unvalidated location.

Solution
Upgrade to Apache Struts version 2.3.29.

Backward compatibility
Some backward incompatibility issues are expected when upgrading to Struts 2.3.28 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.

Workaround
You can try to use a more restrictive RegEx to clean up action names, as below:

<constant name="struts.allowed.action.names" value="[a-zA-Z]*" />

Please adjust the RegEx to your action naming pattern; it should be as narrow as possible.

- ---

S2-040

Summary
Input validation bypass using existing default action method.

Who should read this
All Struts 2 developers and users

Impact of vulnerability
Possible manipulation of return result and bypassing validation

Maximum security rating
Medium

Recommendation
Upgrade to Struts 2.3.29.
Affected Software
Struts 2.3.20 - Struts 2.3.28.1

Reporter
Takeshi Terada websec02 dot g02 at gmail.com

CVE Identifier
CVE-2016-4431

Problem
Using an existing default method, it can be possible to bypass an internal security mechanism and manipulate the return string, which can lead to redirecting the user to an unvalidated location.

Solution
Upgrade to Apache Struts version 2.3.29.

Backward compatibility
Some backward incompatibility issues are expected when upgrading to Struts 2.3.28 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.

Workaround
You can try to use a more restrictive RegEx to clean up action names, as below:

<constant name="struts.allowed.action.names" value="[a-zA-Z]*" />

Please adjust the RegEx to your action naming pattern; it should be as narrow as possible.

- ---

S2-041

Summary
Possible DoS attack when using URLValidator

Who should read this
All Struts 2 developers and users

Impact of vulnerability
Possible DoS attack when using URLValidator

Maximum security rating
Low

Recommendation
Upgrade to Struts 2.3.29 or Struts 2.5.1

Affected Software
Struts 2.3.20 - Struts 2.3.28.1 and Struts 2.5

Reporter
ASAI Ken tc535mr2 at gmail dot com

CVE Identifier
CVE-2016-4465

Problem
If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will overload the server process when validation of the URL is performed.

Solution
Upgrade to Apache Struts version 2.3.29 or 2.5.1.

Backward compatibility
No backward incompatibility issues are expected.
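The S2-035 workaround (a clean-up method that throws) and the struts.allowed.action.names allow-list given as the S2-038 to S2-040 workaround rest on one principle: reject a bad action name rather than rewrite it. The Python model below is an added illustration, not code from Struts or from these advisories; it contrasts a strip-style clean-up with a fail-closed one using the bulletin's [a-zA-Z]* pattern, and the class name, helper names and sample action names are all constructed for the example.

```python
import re

# Allow-list from the bulletin's S2-038..S2-040 workaround:
# <constant name="struts.allowed.action.names" value="[a-zA-Z]*" />
ALLOWED_ACTION_NAMES = re.compile(r"[a-zA-Z]*")


class IllegalActionName(ValueError):
    """Raised when an action name falls outside the allow-list (assumed name)."""


def strip_cleanup(raw_name: str) -> str:
    """Error-prone style of clean-up: silently delete disallowed characters.

    Constructed to show the failure mode S2-035 describes, not the Struts code.
    Deleting characters rewrites attacker input into a new, clean-looking name,
    so many different crafted inputs collapse onto one real action.
    """
    return "".join(ch for ch in raw_name if ALLOWED_ACTION_NAMES.fullmatch(ch))


def reject_cleanup(raw_name: str) -> str:
    """Fail-closed clean-up, the S2-035 workaround: a name that does not fully
    match the allow-list raises instead of being rewritten."""
    if not ALLOWED_ACTION_NAMES.fullmatch(raw_name):
        raise IllegalActionName(f"action name rejected: {raw_name!r}")
    return raw_name


def is_safe_cleanup(cleanup, raw_name: str) -> bool:
    """True if `cleanup` returns its input unchanged or refuses it outright.
    Any other result is a value the client never sent: the S2-035 rewriting."""
    try:
        return cleanup(raw_name) == raw_name
    except IllegalActionName:
        return True


def aliases_of(cleanup, raw_names):
    """Group raw names by the action `cleanup` maps them to (rejected -> None).
    A strip-style clean-up shows several raw names aliasing one real action."""
    groups = {}
    for raw in raw_names:
        try:
            groups.setdefault(cleanup(raw), []).append(raw)
        except IllegalActionName:
            groups.setdefault(None, []).append(raw)
    return groups
```

Run aliases_of over a handful of constructed names such as "admin", "adm!in" and "ad-min/../": the strip variant reports all three as the single action "admin", while the rejecting variant keeps only the exact match and refuses the rest.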
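For the S2-041 URLValidator problem above, an alternative to replacing the validator's regex is to bound the work before any pattern runs. The Python validator below is an added illustration and not the Struts URLValidator or its regex: it caps the input length (MAX_URL_LENGTH is an assumed value), parses with urllib.parse, and checks the host one label at a time with a pattern that has no nested quantifiers; it accepts the same schemes as the bulletin's replacement regex but is otherwise a simplified structural check.

```python
import re
from urllib.parse import urlsplit

# Assumed limit: S2-041 is an overload from validating a crafted URL, so the
# cheapest defence is to bound the input before any pattern is applied.
MAX_URL_LENGTH = 2048
# Same schemes the bulletin's replacement regex accepts: ^(https?|ftp):...
ALLOWED_SCHEMES = {"http", "https", "ftp"}

# One DNS label at a time, bounded length, no nested quantifiers, so the
# matcher's work stays proportional to the label length on hostile input.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def _valid_host(host: str) -> bool:
    """Accept a dotted hostname or a dotted-quad IPv4 address (no IPv6)."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return len(labels) == 4 and all(int(label) <= 255 for label in labels)
    return all(_LABEL.match(label) for label in labels)


def validate_url(url: str) -> bool:
    """Structural URL check that does bounded work per byte of input.

    Added illustration of the mitigation, not the Struts URLValidator: it is
    stricter than that validator on length and looser on path/query details.
    """
    if len(url) > MAX_URL_LENGTH:          # reject before parsing anything
        return False
    try:
        parts = urlsplit(url)
    except ValueError:                     # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not _valid_host(parts.hostname or ""):
        return False
    try:
        port = parts.port                  # raises on non-numeric or >65535
    except ValueError:
        return False
    return port is None or 0 < port <= 65535
```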
Workaround
You can redefine the RegEx used by URLValidator as below:

<validator type="url">
    <param name="fieldName">myHomePage</param>
    <param name="urlRegex">^(https?|ftp):\\/\\/(([a-z0-9$_\\.\\+!\\*\\'\\(\\),;\\?&=-]|%[0-9a-f]{2})+(:([a-z0-9$_\\.\\+!\\*\\'\\(\\),;\\?&=-]|%[0-9a-f]{2})+)?@)?(#?)((([a-z0-9]\\.|[a-z0-9][a-z0-9-]*[a-z0-9]\\.)*[a-z][a-z0-9-]*[a-z0-9]|((\\d|[1-9]\\d|1\\d{2}|2[0-4][0-9]|25[0-5])\\.){3}(\\d|[1-9]\\d|1\\d{2}|2[0-4][0-9]|25[0-5]))(:\\d+)?)(((\\/{0,1}([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)*(\\?([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)?)?)?(#([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)?$</param>
    <message>Invalid homepage url</message>
</validator>

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417      (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----