Versions Compared

Old Version 1

changes.mady.by.user Lukasz Lenart

Saved on

compared with

New Version 2

changes.mady.by.user Lukasz Lenart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Excerpt

A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals

Who should read this

All Struts 2 developers and users

Impact of vulnerability

A RCE attack is possible when developer is using wrong construction in Freemarker tags

Maximum security rating

CriticalModerate

Recommendation

Upgrade to Struts 2.5.12 or Struts 2.3.34

Affected Software

Struts 2.0.1 .2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10

Reporter

Lupin <lupin1314 at gmail dot com> - jd.com security team

CVE Identifier

 

Problem

The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads.

Solution

When using expression literals or forcing expression in Freemarker tags (see example below) and using request values can lead to RCE attack.

Code Block
html
html
<@s.hidden name="redirectUri" value=redirectUri />
<@s.hidden name="redirectUri" value="${redirectUri}" />

In both cases a writable property is used in the value attribute and in both cases is threatened as an expression by Freemarker

Solution

Do not use such constructions in your code or use read-only properties to initialise the value attribute (property with getter only). Upgrade Upgrade to Apache Struts version 2.5.13 12 or 2.3.34.

Backward compatibility

It is possible that some REST actions stop working because of applied default restrictions on available classes. In such case please investigate the new interfaces that was introduced to allow define class restrictions per action, those interfaces are:

  • org.apache.struts2.rest.handler.AllowedClasses
  • org.apache.struts2.rest.handler.AllowedClassNames
  • org.apache.struts2.rest.handler.XStreamPermissionProvider

Workaround

The best option is to remove the Struts REST plugin when not used. Alternatively you can only upgrade the plugin by dropping in all the required JARs (plugin plus all dependencies).  Another options is to limit th plugin to server normal pages and JSONs only:

Code Block
<constant name="struts.action.extension" value="xhtml,,json" />

No backward incompatibility issues are expected.

Workaround

Inspect your code and remove vulnerable constructions.