struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Zahid Rahman <zahidr1...@gmail.com>
Subject Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues
Date Fri, 14 Aug 2020 06:48:05 GMT
Thanks ,
I will setup  tomcat with apache
As described here
https://en.m.wikipedia.org/wiki/Apache_JServ_Protocol

Then try to replicate  OGNL injection vulnerability.

It should be fun !



On Fri, 14 Aug 2020, 07:38 Rene Gielen, <rgielen@apache.org> wrote:

> In Java and Java EE, typical vectors for RCEs, injecting code to be
> executed, include expressions where expression languages are supprted
> (JUEL, SpEL or, in the case of Struts 2, OGNL) or serialization attacks.
>
> Once the code is injected, it operates with the OS rights of the running
> user (e.g. UID of Tomcat process) within the given limit of the JVM (is
> the JVM security sandbox enabled or not? what is accesible on your
> classloader?). Additional protections may apply, such as Struts adding
> preventions for accessig certain classes or packages when OGNL
> expressions are evaluated.
>
> This has happended A LOT in the last 20 years, not only with Struts.
>
> Am 14.08.20 um 02:07 schrieb Zahid Rahman:
> > Maybe I misunderstand , there has always existed an apache solution to
> > prevent anyone executing code on the application server.
> > Its like 20 years old solution.
> >
> > See www.backbutton.co.uk for more details.
> > https://backbutton.co.uk/
> >
> >
> >
> >
> > On Thu, 13 Aug 2020, 11:18 Rene Gielen, <rgielen@apache.org> wrote:
> >
> >> Two new Struts Security Bulletins have been issued for Struts 2 by the
> >> Apache Struts Security Team: [1]
> >>
> >> S2-059 - Forced double OGNL evaluation, when evaluated on raw user input
> >> in tag attributes, may lead to remote code execution (CVE-2019-0230) [2]
> >>
> >> S2-060 - Access permission override causing a Denial of Service when
> >> performing a file upload (CVE-2019-0233) [3]
> >>
> >> Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20.
> >> The current version 2.5.22, which was released in November 2019, is not
> >> affected.
> >>
> >> CVE-2019-0230 has been reported by Matthias Kaiser, Apple Information
> >> Security. By design, Struts 2 allows developers to utilize forced double
> >> evaluation for certain tag attributes. When used with unvalidated, user
> >> modifiable input, malicious OGNL expressions may be injected. In an
> >> ongoing effort, the Struts framework includes mitigations for limiting
> >> the impact of injected expressions, but Struts before 2.5.22 left an
> >> attack vector open which is addressed by this report. [2]
> >>
> >> However, we continue to urge developers building upon Struts 2 to not
> >> use %{...} syntax referencing unvalidated user modifiable input in tag
> >> attributes, since this is the ultimate fix for this class of
> >> vulnerabilities. [4]
> >>
> >> CVE-2019-0233 has been reported by Takeshi Terada of Mitsui Bussan
> >> Secure Directions, Inc. In Struts before 2.5.22, when a file upload is
> >> performed to an Action that exposes the file with a getter, an attacker
> >> may manipulate the request such that the working copy of the uploaded
> >> file or even the container temporary upload directory may be set to
> >> read-only access. As a result, subsequent actions on the file or file
> >> uploads in general will fail with an error. [3]
> >>
> >> Both issues are already fixed in Apache Struts 2.5.22, which was
> >> released in November 2019.
> >>
> >> We strongly recommend all users to upgrade to Struts 2.5.22, if this has
> >> not been done already. [5][6]
> >>
> >> The Apache Struts Security Team would like to thank the reporters for
> >> their efforts and their practice of responsible disclosure, as well as
> >> their help while investigating the report and coordinating public
> >> disclosure.
> >>
> >> [1] https://struts.apache.org/announce.html#a20200813
> >> [2] https://cwiki.apache.org/confluence/display/ww/s2-059
> >> [3] https://cwiki.apache.org/confluence/display/ww/s2-060
> >> [4]
> >>
> >>
> https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions
> >> [5] https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22
> >> [6] https://struts.apache.org/download.cgi#struts-ga
> >>
> >> --
> >> René Gielen
> >> http://twitter.com/rgielen
> >>
> >>
> >
>
> --
> René Gielen
> http://twitter.com/rgielen
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message