...
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Affects of a cross-site scripting vulnerability. |
Maximum security rating | MediumImportant |
Recommendation | Ugrade runtime JRE to a recent major version, preferably 1.8. Alternatively upgrade to Struts 2.3.25 |
Affected Software | Struts 2.0.0 - Struts Struts 2.3.24.1 |
Reporter | WhiteHat Security (whitehatsec.com) |
CVE Identifier | - |
Problem
ValueStack defines special top
object which represents root of execution context. It can be used to manipulate Struts' internals or can be used to affect container's settings
Solution
Applying better regex which includes pattern to exclude request parameters trying to use top
object. We recommend upgrading to Struts 2.3.24.1.
Backward compatibility
If an application is using parameter named top
to access action's properties, it won't be set on the action. In other case no backward compatibility problems are expected.
Workaround
Applying the below patterns will solve the problem as well:
...
When using a single byte page encoding such as ISO-8895-1, an attacker might submit a non-spec URL-encoded parameter value including multi-byte characters.
Struts 2 used the the standard JRE URLDecoder to decode parameter values. Especially JRE 1.5's URLDecoder implementation seems to be broken to the point that this non-spec encoding isn't rejected / filtered. In later JREs the issue was fixed, best known solution is found in JRE 1.8.
Solution
Upgrade runtime JRE/JDK, preferably to the most recent 1.8 version.
Alternatively upgrade to Struts 2.3.25, which includes and uses a safe URLDecoder implementation from Apache Tomcat
Backward compatibility
No issues expected when upgrading to Struts 2.3.25
Workaround
Use UTF-8 for page and parameter encoding.
Further Reference
Jira | ||||||
---|---|---|---|---|---|---|
|