==================================================================== CERT-Renater Note d'Information No. 2016/VULN182 _____________________________________________________________________ DATE : 26/04/2016 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache Struts version 2 prior to 2.3.20.2, 2.3.24.2, 2.3.28.1. ====================================================================== https://struts.apache.org/docs/s2-031.html https://struts.apache.org/docs/s2-032.html ____________________________________________________________________ XSLTResult can be used to parse arbitrary stylesheet Who should read this All Struts 2 developers and users Impact of vulnerability Possible Remote Code Execution Maximum security rating Medium Recommendation Always validate type and content of uploaded files, do not expose them directly in your web application. Alternatively upgrade to Struts 2.3.20.2, Struts 2.3.24.2 or Struts 2.3.28.1. Affected Software Struts 2.0.0 - Struts Struts 2.3.28 (except 2.3.20.2 and 2.3.24.2) Reporter GENXOR - genxors at gmail dot com - Qihoo 360 SkyEye Lab CVE Identifier CVE-2016-3082 Problem XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code. Solution Always validate type and content of uploaded files. We encourage you to upgrade to one of the versions of the Apache Struts presented above. Backward compatibility No issues expected when upgrading to Struts 2.3.20.2, 2.3.24.2 and 2.3.28.1 Workaround Implement your own XSLTResult based on code of the recommended versions. be.net/download. As usual, don’t forget to backup your data before updating! ____________________________________________________________________ S2-032 Summary Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled. Who should read this All Struts 2 developers and users Impact of vulnerability Possible Remote Code Execution Maximum security rating High Recommendation Disable Dynamic Method Invocation if possible. Alternatively upgrade to Struts 2.3.20.2, Struts 2.3.24.2 or Struts 2.3.28.1. Affected Software Struts 2.3.20 - Struts Struts 2.3.28 (except 2.3.20.2 and 2.3.24.2) Reporter Nike Zheng nike dot zheng at dbappsecurity dot com dot cn CVE Identifier CVE-2016-3081 Problem It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled. Solution Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions 2.3.20.2, 2.3.24.2 or 2.3.28.1. Backward compatibility No issues expected when upgrading to Struts 2.3.20.2, 2.3.24.2 and 2.3.28.1 Workaround Disable Dynamic Method Invocation or implement your own version of ActionMapper based on a source code of the recommended Apache Struts versions. ========================================================== Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================