Summary
Multiple critical vulnerabilities in Struts2
Who should read this | All Struts 2 developers |
|---|---|
Impact of vulnerability | Remote command execution and arbitrary file overwrite, Strict DMI does not work correctly |
Maximum security rating | Critical |
Recommendation | Developers should immediately upgrade to at least Struts 2.3.18 or read the following solution instructions carefully for a configuration change to mitigate the vulnerability |
Affected Software | Struts 2.0.0 - Struts 2.3.17 |
Original JIRA Ticket | |
Reporter | Johannes Dahse, SEC Consult Vulnerability Lab and Bruce Phillips (blog post) |
CVE Identifier | CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394 |
Original Description | Reported directly to security@struts.a.o and Struts 2 Security Vulnerability - Dynamic Method Invocation |
Problem
To prevent attackers calling arbitrary methods within parameters the flag xwork.MethodAccessor.denyMethodExecution is set to true and the SecurityMemberAccess field allowStaticMethodAccess is set to false by default. Also, to prevent access to context variables an improved character whitelist for parameter names is applied in the ParameterInterceptor since Struts 2.2.1.1:
acceptedParamNames = "[a-zA-Z0-9\.][()_']+";
Under certain circumstances these restrictions can be bypassed to execute malicious Java code.
- Remote command execution in Struts <= 2.2.3 (
ExceptionDelegator)
When an exception occurs while applying parameter values to properties, the value is evaluated as an OGNL expression. For example, this occurs when setting a string value to an integer property. Since the values are not filtered an attacker can abuse the power of the OGNL language to execute arbitrary Java code leading to remote command execution. This issue has been reported (https://issues.apache.org/jira/browse/WW-3668) and was fixed in Struts 2.2.3.1. However the ability to execute arbitrary Java code has been overlooked. - Remote command execution in Struts <= 2.3.1 (
CookieInterceptor)
The character whitelist for parameter names is not applied to theCookieInterceptor. When Struts is configured to handle cookie names, an attacker can execute arbitrary system commands with static method access to Java functions. Therefore the flagallowStaticMethodAccesscan be set to true within the request. - Arbitrary File Overwrite in Struts <= 2.3.1 (
ParameterInterceptor)
While accessing the flagallowStaticMethodAccesswithin parameters is prohibited since Struts 2.2.3.1 an attacker can still access public constructors with only one parameter of type String to create new Java objects and access their setters with only one parameter of type String. This can be abused in example to create and overwrite arbitrary files. To inject forbidden characters into a filename an uninitialized string property can be used. - Remote command execution in Struts <= 2.3.17 (
DebuggingInterceptor)
While not being a security vulnerability itself, please note that applications running in developer mode and using theDebuggingInterceptorare prone to remote command execution as well. While applications should never run in developer mode during production, developers should be aware that doing so not only has performance issues (as documented) but also a critical security impact.
Solution
It is strongly recommended to upgrade to Struts 2.3.18 or higher, which contains the corrected classes.
Update to Struts 2.3.18 and apply a stronger acceptedParamNames filter to the ParameterInterceptor and CookieInterceptor:
acceptedParamNames = "[a-zA-Z0-9\.][()_']+";