ESB-2017.3093 - [UNIX/Linux] Apache Struts 2: Multiple vulnerabilities 2017-12-04


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3093
     Multiple vulnerabilities have been identified in Apache Struts 2
                              4 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Struts 2
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15707 CVE-2017-7525 

Reference:         ESB-2017.2956
                   ESB-2017.2879
                   ESB-2017.2846
                   ESB-2017.1863

Original Bulletin: 
   https://cwiki.apache.org/confluence/display/WW/S2-054
   https://cwiki.apache.org/confluence/display/WW/S2-055

Comment: This bulletin contains two (2) Apache Software Foundation
         security advisories (S2-054 and S2-055).

- --------------------------BEGIN INCLUDED TEXT--------------------

S2-054
Created by Lukasz Lenart, last modified on Dec 01, 2017

Summary
A crafted JSON request can be used to perform a DoS attack when using the 
Struts REST plugin

Who should read this
All Struts 2 developers and users who use the REST plugin

Impact of vulnerability
A DoS attack is possible when using outdated json-lib with the Struts REST plugin

Maximum security rating
Medium

Recommendation
Upgrade to Struts 2.5.14.1

Affected Software
Struts 2.5 - Struts 2.5.14

Reporter
Huijun Chen, XiaoLong Zhu - Huawei Technologies

CVE Identifier
CVE-2017-15707

Problem
The REST Plugin uses an outdated JSON-lib library that is vulnerable and
allows a DoS attack to be performed with a malicious request carrying a
specially crafted JSON payload.

Solution

Upgrade to Apache Struts version 2.5.14.1. Another solution is to use the
Jackson handler instead of the default JSON-lib handler, as described in the
documentation linked from the original advisory.

Backward compatibility
No backward incompatibility issues are expected.

Workaround
Use the Jackson handler instead of the default JSON-lib handler, as described
in the documentation linked from the original advisory.
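The workaround above is a configuration change, not a code change. The struts.xml fragment below is an added example for this bulletin (it is not part of the Apache advisory) showing the switch from the plugin's default json-lib handler to the Jackson handler; the bean and constant names follow my reading of the REST plugin's documentation and should be confirmed against it, and the application must also have jackson-databind on its classpath, since the REST plugin does not pull it in by default.

```xml
<!-- struts.xml (fragment), added example: route application/json through
     Jackson instead of json-lib in the Struts 2 REST plugin.
     Bean/constant names assumed from the REST plugin docs; verify locally. -->
<struts>

    <!-- Weak (default) state: no override is declared, so the plugin's
         json-lib based handler serves application/json, which is the code
         path S2-054 / CVE-2017-15707 exercises. Nothing to write here;
         the absence of the two elements below is the vulnerable setting. -->

    <!-- Corrected configuration: register the Jackson-backed handler under
         the name "jackson" and tell the plugin to use it for "json". -->
    <bean type="org.apache.struts2.rest.handler.ContentTypeHandler"
          name="jackson"
          class="org.apache.struts2.rest.handler.JacksonLibHandler"/>
    <constant name="struts.rest.handlerOverride.json" value="jackson"/>

</struts>
```

After deploying, confirm the change took effect rather than trusting the file: send a request with Accept: application/json (or a .json extension) and compare the response formatting with the previous deployment, and check the startup log for errors about the handler bean, which would indicate the Jackson classes are missing from WEB-INF/lib. This workaround removes json-lib from the request path; it does not remove the outdated json-lib jar itself, so an upgrade to 2.5.14.1 is still the complete fix.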

- -------------------------------------------------------------------------------
S2-055
Created by Lukasz Lenart, last modified on Dec 01, 2017

Summary
Vulnerability in the Jackson JSON library

Who should read this
All Struts 2 developers and users who use the REST plugin

Impact of vulnerability
Not clear; please read the linked issue for more details.
https://github.com/FasterXML/jackson-databind/issues/1599

Maximum security rating
Medium

Recommendation
Upgrade to Struts 2.5.14.1

Affected Software
Struts 2.5 - Struts 2.5.14

Reporter
David Dillard <david dot dillard at veritas dot com> - Veritas Technologies
Product Security Group

CVE Identifier
Related to CVE-2017-7525

Problem
A vulnerability was reported in the Jackson JSON library (jackson-databind
issue #1599, linked above). Upgrade com.fasterxml.jackson to version 2.9.2 to
address CVE-2017-7525.

Solution
Upgrade to Apache Struts version 2.5.14.1. Another solution is to manually
upgrade the Jackson dependencies in your project to non-vulnerable versions;
see the comment linked from the original advisory.

Backward compatibility
No backward incompatibility issues are expected.

Workaround

Upgrade Jackson JSON library to the latest version.
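The manual upgrade path the advisory describes is a dependency pin, and the detail that bites in practice is that the vulnerable jackson-databind usually arrives transitively (via struts2-rest-plugin or another library) rather than being declared by the application. The pom.xml fragment below is an added example for this bulletin, not code from the Apache advisory or the Struts project: it uses Maven's dependencyManagement so that the managed version overrides whatever any dependency pulls in. The property name and the choice to pin all three core Jackson artifacts together are this example's own; 2.9.2 is the version the advisory names for CVE-2017-7525, a deserialization issue in jackson-databind.

```xml
<!-- pom.xml (fragment), added example: pin every transitive Jackson core
     artifact to the version the advisory names. Property name is an
     assumption of this example. -->
<project>
  <properties>
    <!-- Version named in S2-055 as fixing CVE-2017-7525 -->
    <jackson.version>2.9.2</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Managed versions win over transitive ones, so this overrides the
           jackson-databind that struts2-rest-plugin (or anything else) would
           otherwise bring in. Pin core and annotations alongside databind so
           the three artifacts cannot drift to mismatched versions. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.14.1</version>
    </dependency>
    <!-- Declared directly (version comes from dependencyManagement) so the
         Jackson handler's classes are guaranteed to be packaged. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>
```

Verify the pin rather than assuming it: `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` should show a single resolved version for each artifact, and the built WAR's WEB-INF/lib should contain exactly one jackson-databind jar at that version. Treat 2.9.2 as the floor this advisory sets, not a permanent target; jackson-databind has had further deserialization advisories since, so the pin should track the current fixed release.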

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
