struts-user mailing list archives

From Zahid Rahman <zahidr1...@gmail.com>
Subject Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues
Date Fri, 14 Aug 2020 00:09:50 GMT
Maybe I misunderstand, but there has always existed an Apache solution to
prevent anyone executing code on the application server.
It's like a 20-year-old solution.

See www.backbutton.co.uk for more details.
https://backbutton.co.uk/

Backbutton.co.uk
¯\_(ツ)_/¯
♡۶Java♡۶RMI ♡۶


On Thu, 13 Aug 2020 at 11:18, Rene Gielen <rgielen@apache.org> wrote:

> Two new Struts Security Bulletins have been issued for Struts 2 by the
> Apache Struts Security Team: [1]
>
> S2-059 - Forced double OGNL evaluation, when evaluated on raw user input
> in tag attributes, may lead to remote code execution (CVE-2019-0230) [2]
>
> S2-060 - Access permission override causing a Denial of Service when
> performing a file upload (CVE-2019-0233) [3]
>
> Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20.
> The current version 2.5.22, which was released in November 2019, is not
> affected.
>
> CVE-2019-0230 has been reported by Matthias Kaiser, Apple Information
> Security. By design, Struts 2 allows developers to utilize forced double
> evaluation for certain tag attributes. When used with unvalidated, user
> modifiable input, malicious OGNL expressions may be injected. In an
> ongoing effort, the Struts framework includes mitigations for limiting
> the impact of injected expressions, but Struts before 2.5.22 left an
> attack vector open which is addressed by this report. [2]
>
> However, we continue to urge developers building upon Struts 2 to not
> use %{...} syntax referencing unvalidated user modifiable input in tag
> attributes, since this is the ultimate fix for this class of
> vulnerabilities. [4]
>
> CVE-2019-0233 has been reported by Takeshi Terada of Mitsui Bussan
> Secure Directions, Inc. In Struts before 2.5.22, when a file upload is
> performed to an Action that exposes the file with a getter, an attacker
> may manipulate the request such that the working copy of the uploaded
> file or even the container temporary upload directory may be set to
> read-only access. As a result, subsequent actions on the file or file
> uploads in general will fail with an error. [3]
>
> Both issues are already fixed in Apache Struts 2.5.22, which was
> released in November 2019.
>
> We strongly recommend all users to upgrade to Struts 2.5.22, if this has
> not been done already. [5][6]
>
> The Apache Struts Security Team would like to thank the reporters for
> their efforts and their practice of responsible disclosure, as well as
> their help while investigating the report and coordinating public
> disclosure.
>
> [1] https://struts.apache.org/announce.html#a20200813
> [2] https://cwiki.apache.org/confluence/display/ww/s2-059
> [3] https://cwiki.apache.org/confluence/display/ww/s2-060
> [4] https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions
> [5] https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22
> [6] https://struts.apache.org/download.cgi#struts-ga
>
> --
> René Gielen
> http://twitter.com/rgielen
>
>
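Two checks a maintainer might script from the bulletin above, as an added example that is not Struts project code: whether a struts2-core version falls inside the affected 2.0.0 - 2.5.20 range, and a scan that lists every Struts tag attribute using `%{...}` so that those referencing user-modifiable input can be reviewed against the guidance in [4]. The JSP sample is constructed for illustration.

```python
import re

# Affected range stated in the S2-059 / S2-060 bulletins; 2.5.22 is not affected.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 20)

# Constructed sample page: two tag attributes use %{...}, the rest are literals.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="search">
  <s:textfield name="query" value="%{query}" />
  <s:hidden name="sort" value="asc" />
</s:form>
<s:a id="%{section}" href="#">section</s:a>
"""

TAG_RE = re.compile(r"<s:(\w+)\b([^>]*)>", re.S)      # opening <s:...> tags only
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')        # attr="value" pairs


def parse_version(version):
    """'2.5.20' -> (2, 5, 20); a trailing qualifier such as -SNAPSHOT is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True when the struts2-core version lies in 2.0.0 - 2.5.20 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_forced_evaluations(jsp_text):
    """Return (line, tag, attribute, value) for every Struts tag attribute
    containing %{ ... }. Each hit needs a human check: does the referenced
    value derive from unvalidated, user-modifiable input?"""
    findings = []
    for tag in TAG_RE.finditer(jsp_text):
        tag_name, attrs = tag.group(1), tag.group(2)
        line = jsp_text.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(attrs):
            if "%{" in attr.group(2):
                findings.append((line, tag_name, attr.group(1), attr.group(2)))
    return findings


if __name__ == "__main__":
    for v in ("2.3.37", "2.5.20", "2.5.22"):
        print(f"struts2-core {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for line, tag, attr, value in find_forced_evaluations(SAMPLE_JSP):
        print(f"line {line}: <s:{tag} {attr}=\"{value}\"> uses %{{...}}, review the source of the value")
```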
