Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2285
Multiple Vulnerabilities have been identified in Apache
Struts prior to 2.3.34
11 September 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Apache Struts 2
Publisher: The Apache Software Foundation
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-12611 CVE-2017-9805 CVE-2017-9804
CVE-2017-9793
Reference: ASB-2017.0139
ESB-2017.2266
Original Bulletin:
http://struts.apache.org/docs/s2-050.html
http://struts.apache.org/docs/s2-051.html
http://struts.apache.org/docs/s2-052.html
http://struts.apache.org/docs/s2-053.html
Comment: This bulletin contains four (4) The Apache Software Foundation
security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
S2-050
Summary
A regular expression Denial of Service when using URLValidator (similar to
S2-044 & S2-047)
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible DoS attack when using URLValidator
Maximum security rating
Low
Recommendation
Upgrade to Struts 2.5.13 or Struts 2.3.34
Affected Software
Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12
Reporter
Adam Cazzolla <acazzolla at sonatype dot com>, Jonathan Bullock <jonbullock at
gmail dot com>
CVE Identifier
CVE-2017-9804
Problem
The previous fix issued with S2-047 was incomplete. If an application allows
enter an URL in a form field and built-in URLValidator is used, it is possible
to prepare a special URL which will be used to overload server process when
performing validation of the URL.
Solution
Upgrade to Apache Struts version 2.5.13 or 2.3.34.
Backward compatibility
No backward incompatibility issues are expected.
Workaround
Instead of using the default RegEx provided by the UrlValidator you can use
the below one:
"^(?:https?|ftp):\\/\\/" +
"(?:(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+" +
"(?::(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+)?" +
"@)?#?" +
"(?:(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)*" +
"[a-z][a-z0-9-]*[a-z0-9]" +
"|(?:(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])\\.){3}" +
"(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])" +
")(?::\\d+)?" +
")(?:(?:\\/(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)*" +
"(?:\\?(?:[a-z0-9$_.+!*'(),;:@&=\\-\\/:]|%[0-9a-f]{2})*)?)?" +
"(?:#(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)?" +
"$"
- ---------------------------------------------------------------------
S2-051
Summary
A remote attacker may create a DoS attack by sending crafted xml request when
using the Struts REST plugin
Who should read this
All Struts 2 developers and users
Impact of vulnerability
A DoS attack is possible when using outdated XStream library with the Struts
REST plugin
Maximum security rating
Medium
Recommendation
Upgrade to Struts 2.5.13 or Struts 2.3.34
Affected Software
Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12
Reporter
Huijun Chen, Xiaolong Zhu
CVE Identifier
CVE-2017-9793
Problem
The REST Plugin is using outdated XStream library which is vulnerable and
allow perform a DoS attack using malicious request with specially crafted XML
payload.
Solution
Upgrade to Apache Struts version 2.5.13 or 2.3.34.
Backward compatibility
No backward incompatibility issues are expected.
Workaround
When using Maven, you can exclude the XStream library and use the latest
1.4.10 version. In other case replace the XStream jar in your final
distribution package.
- -------------------------------------------------------------------
S2-052
Summary
Possible Remote Code Execution attack when using the Struts REST plugin with
XStream handler to handle XML payloads
Who should read this
All Struts 2 developers and users
Impact of vulnerability
A RCE attack is possible when using the Struts REST plugin with XStream
handler to deserialise XML requests
Maximum security rating
Critical
Recommendation
Upgrade to Struts 2.5.13 or Struts 2.3.34
Affected Software
Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12
Reporter
Man Yue Mo <mmo at semmle dot com> (lgtm.com / Semmle). More information on
the lgtm.com blog: https://lgtm.com/blog
CVE Identifier
CVE-2017-9805
Problem
The REST Plugin is using a XStreamHandler with an instance of XStream for
deserialization without any type filtering and this can lead to Remote Code
Execution when deserializing XML payloads.
Solution
Upgrade to Apache Struts version 2.5.13 or 2.3.34.
Backward compatibility
It is possible that some REST actions stop working because of applied default
restrictions on available classes. In such case please investigate the new
interfaces that was introduced to allow define class restrictions per action,
those interfaces are:
org.apache.struts2.rest.handler.AllowedClasses
org.apache.struts2.rest.handler.AllowedClassNames
org.apache.struts2.rest.handler.XStreamPermissionProvider
Workaround
The best option is to remove the Struts REST plugin when not used.
Alternatively you can only upgrade the plugin by dropping in all the required
JARs (plugin plus all dependencies). Another options is to limit th plugin to
server normal pages and JSONs only:
Disable handling XML pages and requests to such pages
<constant name="struts.action.extension" value="xhtml,,json" />
Override getContentType in XStreamHandler
public class MyXStreamHandler extends XStreamHandler { public String
getContentType() {
return "not-existing-content-type-@;/&%$#@";
}
}
Register the handler by overriding the one provided by the framework in your
struts.xml
<bean type="org.apache.struts2.rest.handler.ContentTypeHandler"
name="myXStreamHandmer" class="com.company.MyXStreamHandler"/>
<constant name="struts.rest.handlerOverride.xml" value="myXStreamHandler"/>
- -----------------------------------------------------------------
S2-053
Summary
A possible Remote Code Execution attack when using an unintentional expression
in Freemarker tag instead of string literals
Who should read this
All Struts 2 developers and users
Impact of vulnerability
A RCE attack is possible when developer is using wrong construction in
Freemarker tags
Maximum security rating
Moderate
Recommendation
Upgrade to Struts 2.5.12 or Struts 2.3.34
Affected Software
Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10
Reporter
Lupin <lupin1314 at gmail dot com> - jd.com security team
David Greene <david at trumpetx dot com>
Roland McIntosh <struts at rgm dot nu>
CVE Identifier
CVE-2017-12611
Problem
When using expression literals or forcing expression in Freemarker tags (see
example below) and using request values can lead to RCE attack.
<@s.hidden name="redirectUri" value=redirectUri />
<@s.hidden name="redirectUri" value="${redirectUri}" />
In both cases a writable property is used in the value attribute and in both
cases this is threatened as an expression by Freemarker.
Solution
Do not use such constructions in your code or use read-only properties to
initialise the value attribute (property with getter only). You can upgrade to
Apache Struts version 2.5.12 or 2.3.34 which contain more restricted
Freemarker configuration but removing vulnerable constructions is preferable.
Backward compatibility
No backward incompatibility issues are expected.
Workaround
Inspect your code and remove vulnerable constructions.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWbXqgIx+lLeg9Ub1AQgGzA//RZ8WwMGuEEBtn+Ko6++VxgqwXd63RRTb
+59nr84MxQm3Ss3uHyRqsBu48urJZgPF16Ue+K1xFxVrbUv9Qyiz6ZNk5LNwPM7H
jWhSYAnlnkCSeb6akM7SWxGVNjVfdrhuL8tAS5OvfLgLiJGAp7hMlidYzQs3DFVg
mUaJK3uCheYkUzU6PZszsi/g7cSMoGkKhuRLkynq3vceFEVXUYSTki2b6cfC+dwa
FUoFDTEDj//FxBWmR185GOqfDQoeE2QT9aB0+bKjKEHCHn80DjLM4xIkJequA92V
vRXBVcT4YskC/wZ3jIsDZUHqQlR2mFa3ZDC04iLY3bRZ6EhEVsuv4GFMLzXle0ZR
/XzqxYRQn1E0XgwsheV1a+cM7uICfc4nQFwCB6NQmvgtCTPdHLkLtAmo06YH2dY6
HOdYgarKpvSh/eTTVYaFJvWLCLl3iKn1tkZ5prKs6IXxJ8w+TvFpnwXFr79YuXgt
jPrkUsq/RhwFNf37n7fxw66IZcRdPtO1TGR4yfjOAoWtrUqMblrSJNlwm8e3Siap
woane5QNbWrXI9689NArB6SgvjSe2I/R6sbVKgbYldYB1dH90CdkKLXg41gbz443
aY9jkwk5cfR2dJ7yGv+CxeSy7zJe6qiqW1wcgRfF+1Opgj65dvIRP3ZuqVbMkfZs
mPvmL388aMc=
=3XwZ
-----END PGP SIGNATURE-----