Home > Security Bulletins > S2-008 |
Multiple critical vulnerabilities in Struts2
Who should read this | All Struts 2 developers |
---|---|
Impact of vulnerability | Remote command execution and arbitrary file overwrite, Strict DMI does not work correctly |
Maximum security rating | Critical |
Recommendation | Developers should immediately upgrade to Struts 2.3.1.1 or read the following solution instructions carefully for a configuration change to mitigate the vulnerability |
Affected Software | Struts 2.1.0 - Struts 2.3.1 |
Original JIRA Ticket | |
Reporter | Johannes Dahse, SEC Consult Vulnerability Lab and Bruce Phillips (blog post) |
CVE Identifier |
|
Original Description | Reported directly to [email protected] and Struts 2 Security Vulnerability - Dynamic Method Invocation |
To prevent attackers calling arbitrary methods within parameters the flag xwork.MethodAccessor.denyMethodExecution
is set to true
and the SecurityMemberAccess
field allowStaticMethodAccess
is set to false
by default. Also, to prevent access to context variables an improved character whitelist for parameter names is applied in the ParameterInterceptor
since Struts 2.2.1.1:
acceptedParamNames = "[a-zA-Z0-9\.][()_']+";
Under certain circumstances these restrictions can be bypassed to execute malicious Java code.
ExceptionDelegator
)CookieInterceptor
)CookieInterceptor
. When Struts is configured to handle cookie names, an attacker can execute arbitrary system commands with static method access to Java functions. Therefore the flag allowStaticMethodAccess
can be set to true within the request.ParameterInterceptor
)allowStaticMethodAccess
within parameters is prohibited since Struts 2.2.3.1 an attacker can still access public constructors with only one parameter of type String to create new Java objects and access their setters with only one parameter of type String. This can be abused in example to create and overwrite arbitrary files. To inject forbidden characters into a filename an uninitialized string property can be used.DebuggingInterceptor
)DebuggingInterceptor
are prone to remote command execution as well. While applications should never run in developer mode during production, developers should be aware that doing so not only has performance issues (as documented) but also a critical security impact.Update to Struts 2.3.1 and apply a stronger acceptedParamNames
filter to the ParameterInterceptor
and CookieInterceptor
:
acceptedParamNames = "[a-zA-Z0-9\.][()_']+";