Apache Struts 2.x <= 2.5.20 Multiple Vulnerabilities

critical Nessus Plugin ID 139607

Synopsis

Apache Struts installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Apache Struts installed on the remote host is 2.x prior or equal to 2.5.20. It is, therefore, affected by multiple vulnerabilities:

- The Apache Struts frameworks, when forced, performs double evaluation of attributes' values assigned to certain tags attributes such as id so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify by crafting a corresponding request.Example:List available EmployeesIf an attacker is able to modify the skillName attribute in a request such that a raw OGNL expression gets passed to the skillName property without further validation, the provided OGNL expression contained in the skillName attribute gets evaluated when the tag is rendered as a result of the request.The opportunity for using double evaluation is by design in Struts since 2.0.0 and a useful tool when done right, which most notably means only referencing validated values in the given expression. However, when referencing unvalidated user input in the expression, malicious code can get injected. In an ongoing effort, the Struts framework includes mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack vector open which is addressed by this report. This issue is similar to: S2-029 and S2-036. (CVE-2019-0230)

- When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read only, such that subsequent upload actions will fail. In Struts prior to 2.5.22, stack-accessible values (e.g. Action properties) of type java.io.File and java.nio.File as well as other classes from these standard library packages are not properly protected by the framework to deny access to potentially harmful underlying properties. (CVE-2019-0233)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache Struts version 2.5.22 or later or apply the workarounds as referenced in in the vendor security bulletins.

See Also

https://cwiki.apache.org/confluence/display/WW/S2-059

https://cwiki.apache.org/confluence/display/WW/S2-060

Plugin Details

Severity: Critical

ID: 139607

File Name: struts_2_5_22.nasl

Version: 1.8

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 8/14/2020

Updated: 12/6/2022

Configuration: Enable thorough checks

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-0230

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:struts

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/19/2019

Vulnerability Publication Date: 8/11/2020

Exploitable With

Metasploit (Apache Struts 2 Forced Multi OGNL Evaluation)

Reference Information

CVE: CVE-2019-0230, CVE-2019-0233