
====================================================================

                                 CERT-Renater

                      Information Note No. 2016/VULN236
_____________________________________________________________________

DATE                : 03/06/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Struts versions prior to
                               2.3.20.3, 2.3.24.3, 2.3.28.1,
                       Systems running OGNL versions prior to 3.0.12.

======================================================================
http://mail-archives.apache.org/mod_mbox/struts-user/201606.mbox/%3CCAMopvkOX0qosY3gtHz+pCo=o+Ap86udmFBdUYfZKBkAJFtiJQA@mail.gmail.com%3E
http://struts.apache.org/docs/s2-034.html
http://struts.apache.org/docs/s2-033.html
____________________________________________________________________

Two potential security vulnerabilities were reported which were
already addressed in the latest Apache Struts 2 versions. Those
reports just added other vectors of attack.
http://struts.apache.org/announce.html#a20160601

- S2-033 Remote Code Execution can be performed when using REST Plugin
with ! operator when Dynamic Method Invocation is enabled -
http://struts.apache.org/docs/s2-033.html

- S2-034 OGNL cache poisoning can lead to DoS vulnerability -
http://struts.apache.org/docs/s2-034.html

Please read carefully the Security Bulletins and take suggested
actions. The simplest way to avoid those vulnerabilities in your
application is to upgrade Apache Struts to the latest available
version in the 2.3.x series or to Apache Struts 2.5.

You can download those versions from our download page.
http://struts.apache.org/download.html#struts-ga


Kind regards


Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

____________________________________________________________________

S2-034


Summary

OGNL cache poisoning can lead to DoS vulnerability


Who should read this
	
All Struts 2 developers and users


Impact of vulnerability
	
Possible DoS attack


Maximum security rating
	
Important


Recommendation
	
This issue was resolved by publishing a new OGNL version;
any Struts version using at least OGNL 3.0.12 is safe.


Affected Software
	
Struts 2.0.0 - Struts 2.3.24.1


Reporters
	
Tao Wang wangtao12 at baidu dot com - Baidu Security Response Center


CVE Identifier
	
CVE-2016-3093


Problem

The OGNL expression language used by the Apache Struts framework
has an improper implementation of the cache used to store method
references. It is possible to prepare a DoS attack which can block
access to a web site.


Solution

You should upgrade OGNL to at least version 3.0.12, or upgrade to
the latest Struts version.


Backward compatibility

No issues expected when upgrading OGNL or Struts.


Workaround

Not possible except upgrading OGNL as mentioned above.

____________________________________________________________________

S2-033

Summary


Remote Code Execution can be performed when using REST Plugin
with ! operator when Dynamic Method Invocation is enabled.


Who should read this
	
All Struts 2 developers and users


Impact of vulnerability
	
Possible Remote Code Execution


Maximum security rating
	
High


Recommendation
	
Disable Dynamic Method Invocation if possible. Alternatively
upgrade to Struts 2.3.20.3, Struts 2.3.24.3 or Struts 2.3.28.1.


Affected Software
	
Struts 2.3.20 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)


Reporter
	
Alvaro Munoz alvaro dot munoz at hpe dot com


CVE Identifier
	
CVE-2016-3087


Problem

It is possible to pass a malicious expression which can be used to
execute arbitrary code on the server side when Dynamic Method
Invocation is enabled and the REST Plugin is used.


Solution

Disable Dynamic Method Invocation when possible or upgrade to Apache
Struts versions 2.3.20.3, 2.3.24.3 or 2.3.28.1.


Backward compatibility

No issues expected when upgrading to Struts 2.3.20.3, 2.3.24.3 and
2.3.28.1


Workaround

Disable Dynamic Method Invocation or implement your own version of
RestActionMapper.
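The affected ranges and the "disable Dynamic Method Invocation" workaround from the two bulletins, turned into an audit check. This is added example code, not part of the CERT-Renater note or the Struts project; it assumes `struts.enable.DynamicMethodInvocation` is the Struts constant that controls DMI (the bulletin does not name it), that the REST plugin is deployed, and that the struts.xml fragments below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Point releases the bulletins name as fixed for S2-033, and the OGNL fix for S2-034.
S2_033_FIXED = {(2, 3, 20, 3), (2, 3, 24, 3), (2, 3, 28, 1)}
OGNL_FIXED = (3, 0, 12, 0)
# Assumed: the Struts constant that switches Dynamic Method Invocation ("!") on or off.
DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"

def parse_version(text):
    """'2.3.24.1' -> (2, 3, 24, 1); shorter strings are zero-padded to 4 parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def affected_s2_033(struts_version):
    """Struts 2.3.20 - 2.3.28 is affected, except the fixed point releases."""
    v = parse_version(struts_version)
    return v not in S2_033_FIXED and (2, 3, 20, 0) <= v <= (2, 3, 28, 0)

def ognl_vulnerable(ognl_version):
    """S2-034 is decided by the OGNL jar: anything below 3.0.12 is affected."""
    return parse_version(ognl_version) < OGNL_FIXED

def dmi_explicitly_disabled(struts_xml_text):
    """True only when struts.xml sets the DMI constant to false. An absent
    constant leaves the framework default in force and is reported as not disabled."""
    root = ET.fromstring(struts_xml_text)
    for const in root.iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            return const.get("value", "").strip().lower() == "false"
    return False

def assess(struts_version, ognl_version, struts_xml_text):
    """Return the bulletin ids the deployment is still exposed to. S2-033 also
    needs the REST plugin to be deployed; this check assumes it is."""
    findings = []
    if affected_s2_033(struts_version) and not dmi_explicitly_disabled(struts_xml_text):
        findings.append("S2-033")
    if ognl_vulnerable(ognl_version):
        findings.append("S2-034")
    return findings

# Constructed struts.xml fragments: the weak setting and the corrected one.
WEAK_STRUTS_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>"""
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
</struts>"""
```

Calling `assess("2.3.24.1", "3.0.11", WEAK_STRUTS_XML)` reports both bulletins, while the same Struts release with OGNL 3.0.12 and the hardened struts.xml reports none, matching the bulletins' recommendations.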


==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================