ESB-2017.2285 - [Win][UNIX/Linux] Apache Struts 2: Multiple vulnerabilities 2017-09-11


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2285
          Multiple Vulnerabilities have been identified in Apache
                          Struts prior to 2.3.34
                             11 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Struts 2
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12611 CVE-2017-9805 CVE-2017-9804
                   CVE-2017-9793  

Reference:         ASB-2017.0139
                   ESB-2017.2266

Original Bulletin: 
   http://struts.apache.org/docs/s2-050.html
   http://struts.apache.org/docs/s2-051.html
   http://struts.apache.org/docs/s2-052.html
   http://struts.apache.org/docs/s2-053.html

Comment: This bulletin contains four (4) Apache Software Foundation security
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

S2-050

Summary

A regular expression Denial of Service when using URLValidator (similar to 
S2-044 & S2-047)

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible DoS attack when using URLValidator

Maximum security rating

Low

Recommendation

Upgrade to Struts 2.5.13 or Struts 2.3.34

Affected Software

Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Reporter

Adam Cazzolla <acazzolla at sonatype dot com>, Jonathan Bullock <jonbullock at
gmail dot com>

CVE Identifier

CVE-2017-9804

Problem

The previous fix issued with S2-047 was incomplete. If an application allows a
URL to be entered in a form field and the built-in URLValidator is used, it is
possible to prepare a special URL that overloads the server process when the
URL is validated.

Solution

Upgrade to Apache Struts version 2.5.13 or 2.3.34.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

Instead of using the default regular expression provided by the URLValidator,
you can use the one below:

    "^(?:https?|ftp):\\/\\/" +
    "(?:(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+" +
    "(?::(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+)?" +
    "@)?#?" +
    "(?:(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)*" +
    "[a-z][a-z0-9-]*[a-z0-9]" +
    "|(?:(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])\\.){3}" +
    "(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])" +
    ")(?::\\d+)?" +
    ")(?:(?:\\/(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)*" +
    "(?:\\?(?:[a-z0-9$_.+!*'(),;:@&=\\-\\/:]|%[0-9a-f]{2})*)?)?" +
    "(?:#(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)?" +
    "$"
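The following is an added example, not part of the advisory or of the Struts
project: a stand-alone Java program that compiles the workaround pattern quoted
above and runs it over a handful of constructed URLs, then times it on a long
input made of many short host labels. Everything besides the pattern is an
assumption of the example: the class and method names (UrlRegexCheck,
isValidUrl, validationMillis), the sample inputs, and the use of
Pattern.CASE_INSENSITIVE (the pattern lists only lower-case letters). Wire the
pattern into the validator using the mechanism your Struts version documents.

```java
import java.util.regex.Pattern;

/**
 * Stand-alone check of the S2-050 workaround pattern (added example, not
 * Struts project code).
 */
public class UrlRegexCheck {

    // The workaround pattern from S2-050, copied from the advisory.
    static final String URL_REGEX =
        "^(?:https?|ftp):\\/\\/" +
        "(?:(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+" +
        "(?::(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+)?" +
        "@)?#?" +
        "(?:(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)*" +
        "[a-z][a-z0-9-]*[a-z0-9]" +
        "|(?:(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])\\.){3}" +
        "(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])" +
        ")(?::\\d+)?" +
        ")(?:(?:\\/(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)*" +
        "(?:\\?(?:[a-z0-9$_.+!*'(),;:@&=\\-\\/:]|%[0-9a-f]{2})*)?)?" +
        "(?:#(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)?" +
        "$";

    // Assumption of this example: compiled case-insensitively, because the
    // pattern only lists lower-case letters and "HTTP://EXAMPLE.COM" would
    // otherwise be rejected.
    static final Pattern URL = Pattern.compile(URL_REGEX, Pattern.CASE_INSENSITIVE);

    /** Whole-string match, as a validator applies it to a form field. */
    static boolean isValidUrl(String candidate) {
        return candidate != null && URL.matcher(candidate).matches();
    }

    /** Milliseconds spent validating one input; a ReDoS regression shows up here. */
    static long validationMillis(String candidate) {
        long start = System.nanoTime();
        isValidUrl(candidate);
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) {
        // Constructed samples; the expected verdict is in the second column.
        String[][] samples = {
            { "http://example.com", "accept" },
            { "https://user:pw@example.com:8443/a/b?x=1&y=2#top", "accept" },
            { "ftp://10.0.0.1:21/pub", "accept (dotted-quad host)" },
            { "HTTP://EXAMPLE.COM/Path", "accept (case-insensitive)" },
            { "mailto:user@example.com", "reject: scheme is not http/https/ftp" },
            { "http:/example.com", "reject: single slash" },
            { "http://exa mple.com", "reject: space in host" },
            { "http://256.1.1.1", "reject: octet out of range" },
        };
        for (String[] s : samples) {
            System.out.printf("%-52s -> %-5s (%s)%n", s[0], isValidUrl(s[0]), s[1]);
        }

        // Regression check for the DoS class this advisory covers: a long
        // input of several hundred short labels, once valid and once with a
        // trailing character that forces the match to fail, should both finish
        // in a few milliseconds. Kept to a few hundred labels because Java's
        // regex engine recurses once per group iteration.
        StringBuilder host = new StringBuilder("http://");
        for (int i = 0; i < 500; i++) {
            host.append("a.");
        }
        host.append("example.com");
        String valid = host.toString();
        String failing = valid + " ";
        System.out.println("long valid input   : " + validationMillis(valid) + " ms");
        System.out.println("long failing input : " + validationMillis(failing) + " ms");
    }
}
```

Run it with `javac UrlRegexCheck.java && java UrlRegexCheck`. The two timing lines are the useful part: if either grows from milliseconds to seconds when you lengthen the input, the pattern you are testing is not the fix you wanted.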

- ---------------------------------------------------------------------

S2-051

Summary

A remote attacker may mount a DoS attack by sending a crafted XML request when
the Struts REST plugin is used

Who should read this

All Struts 2 developers and users

Impact of vulnerability

A DoS attack is possible when an outdated XStream library is used with the
Struts REST plugin

Maximum security rating

Medium

Recommendation

Upgrade to Struts 2.5.13 or Struts 2.3.34

Affected Software

Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Reporter

Huijun Chen, Xiaolong Zhu

CVE Identifier

CVE-2017-9793

Problem

The REST Plugin uses an outdated XStream library that is vulnerable and allows
a DoS attack via a malicious request with a specially crafted XML payload.

Solution

Upgrade to Apache Struts version 2.5.13 or 2.3.34.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

When using Maven, you can exclude the XStream library and use the latest
1.4.10 version instead. Otherwise, replace the XStream jar in your final
distribution package.

- -------------------------------------------------------------------

S2-052

Summary

Possible Remote Code Execution attack when using the Struts REST plugin with
the XStream handler to handle XML payloads

Who should read this

All Struts 2 developers and users

Impact of vulnerability

An RCE attack is possible when using the Struts REST plugin with the XStream
handler to deserialise XML requests

Maximum security rating

Critical

Recommendation

Upgrade to Struts 2.5.13 or Struts 2.3.34

Affected Software

Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Reporter

Man Yue Mo <mmo at semmle dot com> (lgtm.com / Semmle). More information on 
the lgtm.com blog: https://lgtm.com/blog

CVE Identifier

CVE-2017-9805

Problem

The REST Plugin uses an XStreamHandler with an instance of XStream for
deserialization without any type filtering, and this can lead to Remote Code
Execution when deserializing XML payloads.

Solution

Upgrade to Apache Struts version 2.5.13 or 2.3.34.

Backward compatibility

It is possible that some REST actions stop working because of the default
restrictions now applied to the classes available for deserialization. In that
case, investigate the new interfaces introduced to allow class restrictions to
be defined per action:

org.apache.struts2.rest.handler.AllowedClasses

org.apache.struts2.rest.handler.AllowedClassNames

org.apache.struts2.rest.handler.XStreamPermissionProvider
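The following is an added example and not code from the advisory, the Struts
project or XStream. It illustrates both the Problem section above (an XStream
instance with no type filtering accepts any class the payload names) and the
per-action whitelist from the Backward compatibility section. AllowedClasses
is the interface named above; its method allowedClasses() returning
Set<Class<?>> is the signature documented for the plugin, but verify it
against your version. The types OrderDto, OrdersController and
XStreamWhitelistDemo, the helper methods lockedDownXStream and rejectsPayload,
and the sample payloads are constructed for this example. The XStream calls
(addPermission, allowTypes, alias, fromXML) are the library's public API; the
exact default permission set the plugin installs may differ from what this
example re-allows.

```java
import java.util.Collections;
import java.util.Set;

import com.opensymphony.xwork2.ModelDriven;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import org.apache.struts2.rest.handler.AllowedClasses;

/** The only type this controller accepts in a request body (constructed for the example). */
class OrderDto {
    String id;
    int quantity;
}

/**
 * A REST controller that opts in to the per-action class whitelist introduced
 * with the S2-052 fix. ModelDriven tells the REST plugin where to bind the body.
 */
class OrdersController implements ModelDriven<OrderDto>, AllowedClasses {
    private final OrderDto model = new OrderDto();

    @Override
    public OrderDto getModel() {
        return model;
    }

    /** Consulted by the fixed XStreamHandler before it unmarshals the request body. */
    @Override
    public Set<Class<?>> allowedClasses() {
        return Collections.<Class<?>>singleton(OrderDto.class);
    }

    /** REST-plugin mapping for POST; the body has already been bound into the model. */
    public String create() {
        return "success";
    }
}

public class XStreamWhitelistDemo {

    /**
     * Builds an XStream instance restricted in the spirit of the patched handler:
     * deny every type first, then re-allow nulls, primitives, String and exactly
     * the classes the action whitelists. (Assumption: the plugin's own default
     * permission set may differ in detail.)
     */
    static XStream lockedDownXStream(Set<Class<?>> allowed) {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);            // start from "nothing is allowed"
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class });
        xs.allowTypes(allowed.toArray(new Class[0]));       // the action's whitelist
        xs.alias("order", OrderDto.class);                  // element name used by the sample body
        return xs;
    }

    /** True when XStream refuses the payload because it names a non-whitelisted class. */
    static boolean rejectsPayload(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            // Thrown while the element name is mapped to a class, before any instance exists.
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xs = lockedDownXStream(new OrdersController().allowedClasses());

        // Constructed payloads: the first is the documented body shape; the
        // second names a harmless JDK class that is simply not on the whitelist.
        String expected = "<order><id>A-17</id><quantity>3</quantity></order>";
        String unlisted = "<java.util.Date/>";

        OrderDto dto = (OrderDto) xs.fromXML(expected);
        System.out.println("accepted: id=" + dto.id + " quantity=" + dto.quantity);
        System.out.println("unlisted class rejected: " + rejectsPayload(xs, unlisted));
    }
}
```

Compile with struts2-rest-plugin, xwork-core and xstream (1.4.10, the version named in S2-051) on the classpath. The design point is the order of calls in lockedDownXStream: NoTypePermission.NONE must come first so that every later permission is an explicit re-allow, which is what makes the per-action list meaningful. If an action needs more than its model type, return them from allowedClasses() rather than widening the global configuration.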

Workaround

The best option is to remove the Struts REST plugin when it is not used.
Alternatively, you can upgrade only the plugin by dropping in all the required
JARs (the plugin plus all of its dependencies). Another option is to limit the
plugin to serving normal pages and JSON only:

Disable handling XML pages and requests to such pages

<constant name="struts.action.extension" value="xhtml,,json" />

Override getContentType in XStreamHandler

import org.apache.struts2.rest.handler.XStreamHandler;

public class MyXStreamHandler extends XStreamHandler {
    @Override
    public String getContentType() {
        // A content type no client will send, so this handler is never selected for XML.
        return "not-existing-content-type-@;/&%$#@";
    }
}

Register the handler by overriding the one provided by the framework in your
struts.xml (the bean name must match the handlerOverride value exactly):

<bean type="org.apache.struts2.rest.handler.ContentTypeHandler"
      name="myXStreamHandler" class="com.company.MyXStreamHandler"/>

<constant name="struts.rest.handlerOverride.xml" value="myXStreamHandler"/>

- -----------------------------------------------------------------

S2-053

Summary

A possible Remote Code Execution attack when using an unintentional expression
in a Freemarker tag instead of string literals

Who should read this

All Struts 2 developers and users

Impact of vulnerability

An RCE attack is possible when a developer uses the wrong construction in
Freemarker tags

Maximum security rating

Moderate

Recommendation

Upgrade to Struts 2.5.12 or Struts 2.3.34

Affected Software

Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10

Reporter

Lupin <lupin1314 at gmail dot com> - jd.com security team

David Greene <david at trumpetx dot com>

Roland McIntosh <struts at rgm dot nu>

CVE Identifier

CVE-2017-12611

Problem

Using expression literals, or forcing an expression, in Freemarker tags (see
the examples below) together with request values can lead to an RCE attack.

<@s.hidden name="redirectUri" value=redirectUri />

<@s.hidden name="redirectUri" value="${redirectUri}" />

In both cases a writable property is used in the value attribute, and in both
cases Freemarker treats it as an expression.

Solution

Do not use such constructions in your code, or use read-only properties (a
property with a getter only) to initialise the value attribute. You can upgrade
to Apache Struts version 2.5.12 or 2.3.34, which contain a more restricted
Freemarker configuration, but removing the vulnerable constructions is
preferable.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

Inspect your code and remove vulnerable constructions.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
