-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2285
  Multiple Vulnerabilities have been identified in Apache Struts prior to 2.3.34
                              11 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Struts 2
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12611 CVE-2017-9805 CVE-2017-9804 CVE-2017-9793
Reference:         ASB-2017.0139
                   ESB-2017.2266

Original Bulletin:
   http://struts.apache.org/docs/s2-050.html
   http://struts.apache.org/docs/s2-051.html
   http://struts.apache.org/docs/s2-052.html
   http://struts.apache.org/docs/s2-053.html

Comment: This bulletin contains four (4) Apache Software Foundation security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

S2-050

Summary
A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)

Who should read this
All Struts 2 developers and users

Impact of vulnerability
Possible DoS attack when using URLValidator

Maximum security rating
Low

Recommendation
Upgrade to Struts 2.5.13 or Struts 2.3.34

Affected Software
Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Reporter
Adam Cazzolla <acazzolla at sonatype dot com>, Jonathan Bullock <jonbullock at gmail dot com>

CVE Identifier
CVE-2017-9804

Problem
The previous fix issued with S2-047 was incomplete. If an application allows a URL to be entered in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that overloads the server process while the URL is being validated.
Solution
Upgrade to Apache Struts version 2.5.13 or 2.3.34.

Backward compatibility
No backward incompatibility issues are expected.

Workaround
Instead of using the default RegEx provided by the UrlValidator you can use the one below:

   "^(?:https?|ftp):\\/\\/" +
   "(?:(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+" +
   "(?::(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+)?" +
   "@)?#?" +
   "(?:(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)*" +
   "[a-z][a-z0-9-]*[a-z0-9]" +
   "|(?:(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])\\.){3}" +
   "(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])" +
   ")(?::\\d+)?" +
   ")(?:(?:\\/(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)*" +
   "(?:\\?(?:[a-z0-9$_.+!*'(),;:@&=\\-\\/:]|%[0-9a-f]{2})*)?)?" +
   "(?:#(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)?" +
   "$"

- ---------------------------------------------------------------------

S2-051

Summary
A remote attacker may create a DoS attack by sending a crafted XML request when using the Struts REST plugin

Who should read this
All Struts 2 developers and users

Impact of vulnerability
A DoS attack is possible when using an outdated XStream library with the Struts REST plugin

Maximum security rating
Medium

Recommendation
Upgrade to Struts 2.5.13 or Struts 2.3.34

Affected Software
Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Reporter
Huijun Chen, Xiaolong Zhu

CVE Identifier
CVE-2017-9793

Problem
The REST Plugin is using an outdated XStream library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted XML payload.

Solution
Upgrade to Apache Struts version 2.5.13 or 2.3.34.

Backward compatibility
No backward incompatibility issues are expected.

Workaround
When using Maven, you can exclude the XStream library and use the latest 1.4.10 version. Otherwise, replace the XStream jar in your final distribution package.
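Before installing the S2-050 replacement expression, a practitioner wants two checks: that it still accepts the URLs the application expects and rejects malformed ones, and that it stays fast on long input, which is the whole point of the advisory. The following is an added example, not code from the advisory or from the Struts project; it compiles the workaround expression above (copied verbatim) with java.util.regex. The CASE_INSENSITIVE flag, the 2048-character limit and the sample URLs are this example's own choices, since the advisory does not state how the validator compiles its pattern.

```java
import java.util.regex.Pattern;

public class UrlValidatorCheck {

    // The replacement expression from the S2-050 workaround, copied verbatim.
    static final String WORKAROUND_URL_REGEX =
        "^(?:https?|ftp):\\/\\/" +
        "(?:(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+" +
        "(?::(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+)?" +
        "@)?#?" +
        "(?:(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)*" +
        "[a-z][a-z0-9-]*[a-z0-9]" +
        "|(?:(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])\\.){3}" +
        "(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])" +
        ")(?::\\d+)?" +
        ")(?:(?:\\/(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)*" +
        "(?:\\?(?:[a-z0-9$_.+!*'(),;:@&=\\-\\/:]|%[0-9a-f]{2})*)?)?" +
        "(?:#(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)?" +
        "$";

    // CASE_INSENSITIVE is an assumption of this example: the advisory does not
    // say which flags the validator uses, and the expression only lists a-z.
    static final Pattern WORKAROUND_URL =
        Pattern.compile(WORKAROUND_URL_REGEX, Pattern.CASE_INSENSITIVE);

    // Defence in depth for any backtracking regex: refuse oversized input before
    // the engine sees it. 2048 is this example's choice, not a value from the advisory.
    static final int MAX_URL_LENGTH = 2048;

    static boolean isValidUrl(String candidate) {
        if (candidate == null || candidate.length() > MAX_URL_LENGTH) {
            return false;
        }
        return WORKAROUND_URL.matcher(candidate).matches();
    }

    // Times one match without the length guard, so the expression itself can be
    // exercised with long inputs when reviewing a replacement pattern.
    static long matchNanos(String candidate) {
        long start = System.nanoTime();
        WORKAROUND_URL.matcher(candidate).matches();
        return System.nanoTime() - start;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this example.
        String[] samples = {
            "http://example.com/path?q=1#frag",
            "https://user:pa%20ss@10.0.0.1:8080/",
            "ftp://files.example.org",
            "http://256.1.1.1",
            "mailto:someone@example.com",
            "http://example.com/path with spaces",
        };
        for (String s : samples) {
            System.out.printf("%-40s %s%n", s, isValidUrl(s) ? "valid" : "rejected");
        }

        // A long non-matching input: validation must finish quickly on inputs like
        // this instead of tying up the server process.
        StringBuilder sb = new StringBuilder("http://");
        for (int i = 0; i < 20000; i++) {
            sb.append('a');
        }
        sb.append('!');
        System.out.printf("%d-character input checked in %.2f ms%n",
            sb.length(), matchNanos(sb.toString()) / 1e6);
    }
}
```

The length guard is independent of which expression is installed: bounding the input before matching caps the work a backtracking engine can do even if a later regex change reintroduces a slow path.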
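The Maven form of the S2-051 workaround, as an added configuration example rather than text from the advisory: the transitive XStream dependency of the REST plugin is excluded and the 1.4.10 version named in the advisory is declared directly. It assumes the project already depends on struts2-rest-plugin; `${struts2.version}` is a placeholder for whatever plugin version the project pins.

```xml
<!-- pom.xml fragment (added example). The exclusion removes the XStream version
     the plugin pulls in transitively; the second dependency pins the one you want. -->
<dependencies>
  <dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-rest-plugin</artifactId>
    <version>${struts2.version}</version> <!-- placeholder: the project's own plugin version -->
    <exclusions>
      <exclusion>
        <groupId>com.thoughtworks.xstream</groupId>
        <artifactId>xstream</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Version from the S2-051 workaround; the upgrade (2.5.13 / 2.3.34) makes this unnecessary. -->
  <dependency>
    <groupId>com.thoughtworks.xstream</groupId>
    <artifactId>xstream</artifactId>
    <version>1.4.10</version>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=com.thoughtworks.xstream` should list a single xstream entry at 1.4.10; a second entry at an older version means another dependency still drags it in and needs its own exclusion. Check the jar that actually ends up in the packaged WEB-INF/lib as well, since that is what the advisory's non-Maven instruction targets.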
- -------------------------------------------------------------------

S2-052

Summary
Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads

Who should read this
All Struts 2 developers and users

Impact of vulnerability
An RCE attack is possible when using the Struts REST plugin with the XStream handler to deserialise XML requests

Maximum security rating
Critical

Recommendation
Upgrade to Struts 2.5.13 or Struts 2.3.34

Affected Software
Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Reporter
Man Yue Mo <mmo at semmle dot com> (lgtm.com / Semmle). More information on the lgtm.com blog: https://lgtm.com/blog

CVE Identifier
CVE-2017-9805

Problem
The REST Plugin is using an XStreamHandler with an instance of XStream for deserialization without any type filtering, and this can lead to Remote Code Execution when deserializing XML payloads.

Solution
Upgrade to Apache Struts version 2.5.13 or 2.3.34.

Backward compatibility
It is possible that some REST actions stop working because of the default restrictions now applied to the available classes. In such a case, please investigate the new interfaces that were introduced to allow defining class restrictions per action:

   org.apache.struts2.rest.handler.AllowedClasses
   org.apache.struts2.rest.handler.AllowedClassNames
   org.apache.struts2.rest.handler.XStreamPermissionProvider

Workaround
The best option is to remove the Struts REST plugin when it is not used. Alternatively you can upgrade only the plugin by dropping in all the required JARs (plugin plus all dependencies).
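The "type filtering" the S2-052 fix adds is XStream's own permission framework: an allow-list of classes the parser may instantiate, instead of trusting whatever class name the XML element carries. The following is an added example, not code from the advisory or from the Struts project, showing the unfiltered instance the advisory describes beside a hardened one built directly with the XStream API (available from XStream 1.4.7, so it applies to the 1.4.10 named above). `OrderRequest`, the alias and the sample payloads are constructed for this example; how an action wires such an instance into the REST plugin is not shown here.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamTypeFilteringDemo {

    // Hypothetical request model that an example REST action would bind XML to.
    public static class OrderRequest {
        String sku;
        int quantity;
    }

    // The configuration S2-052 describes: no type filtering, so the class named by
    // the XML root element decides what gets instantiated. Kept only as the "before".
    static XStream unfilteredXStream() {
        return new XStream();
    }

    // Hardened instance: drop every default permission, then allow only the
    // handful of types this action legitimately needs.
    static XStream filteredXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from "deny all"
        xs.addPermission(NullPermission.NULL);                // <null/> values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, OrderRequest.class });
        xs.alias("order", OrderRequest.class);                // <order> maps to the model
        return xs;
    }

    // Describes what a parse attempt did, so the two instances can be compared.
    static String describe(XStream xs, String xml) {
        try {
            Object result = xs.fromXML(xml);
            return "instantiated " + result.getClass().getName();
        } catch (ForbiddenClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample payloads for this example.
        String expected = "<order><sku>ABC-123</sku><quantity>2</quantity></order>";
        String unexpected = "<java.util.HashMap/>"; // a class the action never asked for

        XStream filtered = filteredXStream();
        XStream unfiltered = unfilteredXStream();

        System.out.println("filtered,   expected payload:   " + describe(filtered, expected));
        System.out.println("filtered,   unexpected payload: " + describe(filtered, unexpected));
        // Whether this line reports an instantiated HashMap or a rejection depends on
        // the XStream version's default permissions; on the versions the advisory
        // covers it is the former, which is exactly the gap the fix closes.
        System.out.println("unfiltered, unexpected payload: " + describe(unfiltered, unexpected));
    }
}
```

The allow-list is the deliberate part: it names only the model class and the value types its fields use, so a request naming any other class is refused before a constructor runs. When actions stop working after the upgrade, the per-action interfaces listed under Backward compatibility are where the equivalent allow-list is declared.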
Another option is to limit the plugin to serving normal pages and JSON only:

Disable handling of XML pages and requests to such pages

   <constant name="struts.action.extension" value="xhtml,,json" />

Override getContentType in XStreamHandler

   import org.apache.struts2.rest.handler.XStreamHandler;

   public class MyXStreamHandler extends XStreamHandler {
       @Override
       public String getContentType() {
           // Deliberately returns a content type no request will carry, so the
           // XML handler is never selected.
           return "not-existing-content-type-@;/&%$#@";
       }
   }

Register the handler by overriding the one provided by the framework in your struts.xml (the bean name must match the value given to struts.rest.handlerOverride.xml)

   <bean type="org.apache.struts2.rest.handler.ContentTypeHandler" name="myXStreamHandler" class="com.company.MyXStreamHandler"/>
   <constant name="struts.rest.handlerOverride.xml" value="myXStreamHandler"/>

- -----------------------------------------------------------------

S2-053

Summary
A possible Remote Code Execution attack when using an unintentional expression in a Freemarker tag instead of string literals

Who should read this
All Struts 2 developers and users

Impact of vulnerability
An RCE attack is possible when a developer uses the wrong construction in Freemarker tags

Maximum security rating
Moderate

Recommendation
Upgrade to Struts 2.5.12 or Struts 2.3.34

Affected Software
Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10

Reporter
Lupin <lupin1314 at gmail dot com> - jd.com security team
David Greene <david at trumpetx dot com>
Roland McIntosh <struts at rgm dot nu>

CVE Identifier
CVE-2017-12611

Problem
Using expression literals or forcing an expression in Freemarker tags (see the example below) together with request values can lead to an RCE attack.

   <@s.hidden name="redirectUri" value=redirectUri />
   <@s.hidden name="redirectUri" value="${redirectUri}" />

In both cases a writable property is used in the value attribute, and in both cases this is treated as an expression by Freemarker.

Solution
Do not use such constructions in your code, or use read-only properties to initialise the value attribute (a property with a getter only).
You can upgrade to Apache Struts version 2.5.12 or 2.3.34, which contain a more restricted Freemarker configuration, but removing the vulnerable constructions is preferable.

Backward compatibility
No backward incompatibility issues are expected.

Workaround
Inspect your code and remove vulnerable constructions.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWbXqgIx+lLeg9Ub1AQgGzA//RZ8WwMGuEEBtn+Ko6++VxgqwXd63RRTb
+59nr84MxQm3Ss3uHyRqsBu48urJZgPF16Ue+K1xFxVrbUv9Qyiz6ZNk5LNwPM7H
jWhSYAnlnkCSeb6akM7SWxGVNjVfdrhuL8tAS5OvfLgLiJGAp7hMlidYzQs3DFVg
mUaJK3uCheYkUzU6PZszsi/g7cSMoGkKhuRLkynq3vceFEVXUYSTki2b6cfC+dwa
FUoFDTEDj//FxBWmR185GOqfDQoeE2QT9aB0+bKjKEHCHn80DjLM4xIkJequA92V
vRXBVcT4YskC/wZ3jIsDZUHqQlR2mFa3ZDC04iLY3bRZ6EhEVsuv4GFMLzXle0ZR
/XzqxYRQn1E0XgwsheV1a+cM7uICfc4nQFwCB6NQmvgtCTPdHLkLtAmo06YH2dY6
HOdYgarKpvSh/eTTVYaFJvWLCLl3iKn1tkZ5prKs6IXxJ8w+TvFpnwXFr79YuXgt
jPrkUsq/RhwFNf37n7fxw66IZcRdPtO1TGR4yfjOAoWtrUqMblrSJNlwm8e3Siap
woane5QNbWrXI9689NArB6SgvjSe2I/R6sbVKgbYldYB1dH90CdkKLXg41gbz443
aY9jkwk5cfR2dJ7yGv+CxeSy7zJe6qiqW1wcgRfF+1Opgj65dvIRP3ZuqVbMkfZs
mPvmL388aMc=
=3XwZ
-----END PGP SIGNATURE-----