Revision comparison of the advisory: where a field was changed between the two revisions, both texts are given.

Field | Text
---|---
Excerpt | Remote Code Execution can be performed when using REST Plugin with
Who should read this | All Struts 2 developers and users
Impact of vulnerability | Possible Remote Code Execution
Maximum security rating | High
Recommendation | Earlier revision: Disable Dynamic Method Invocation if possible. Alternatively upgrade to Struts 2.3.20.3, Struts 2.3.24.3 or Struts 2.3.28.1. Later revision: Upgrade to Struts 2.3.29.
Affected Software | Earlier revision: Struts 2.3.20 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3). Later revision: Struts 2.3.20 - Struts 2.3.28.1.
Reporter | Earlier revision: Alvaro Munoz, alvaro dot munoz at hpe. Later revision: Chao Jack, jc1990999 at yahoo dot com.
CVE Identifier | Earlier revision: CVE-2016-3087. Later revision: CVE-2016-4438.

Problem
It is possible to pass a malicious expression which can be used to execute arbitrary code on the server side when Dynamic Method Invocation is enabled while using the REST Plugin.

Solution
Earlier revision: Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions 2.3.20.3, 2.3.24.3 or 2.3.28.1.
Later revision: Upgrade to Apache Struts version 2.3.29.

Backward compatibility
Earlier revision: Some backward incompatibility issues are expected when upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28.1 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.
Later revision: No backward incompatibility issues are expected.

Workaround
Earlier revision: Not possible as this fix requires changes in OGNL and how Struts uses OGNL in certain aspects.
Later revision: Disable Dynamic Method Invocation or implement your own version of RestActionMapper.
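The workaround in the later revision, disabling Dynamic Method Invocation, expressed as a struts.xml fragment. This is an added configuration example, not text from the advisory or the Struts project; the constant name is the standard Struts setting, while the package shown is a constructed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Weak setting: Dynamic Method Invocation left enabled. If a line like
         this is present in an application that uses the REST plugin, the
         method part of a request can be treated as an invokable expression. -->
    <!-- <constant name="struts.enable.DynamicMethodInvocation" value="true"/> -->

    <!-- Hardened setting: explicitly disable DMI application-wide. The REST
         plugin's action mapper reads this constant, so the "!method" style
         of invocation is no longer honoured. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>

    <!-- Constructed placeholder package extending the REST plugin defaults;
         a real application defines its own actions here. -->
    <package name="example" extends="rest-default">
    </package>
</struts>
```

After deploying, confirm the effective value of struts.enable.DynamicMethodInvocation in the running application, since a plugin or a later struts.xml include can override an earlier constant.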