You are here
Apache Struts2 Vulnerabilities S2-031, S2-032
Submitted on 3. May 2016 - 10:17 by rischi.
Last update on 4. May 2016 - 10:42.
Last update on 4. May 2016 - 10:42.
IDs:
S2-031, S2-032, CVE-2016-3081, CVE-2016-3082
Keywords:
Struts2
Description:
Two Apache Struts2 vulnerabilities have been found which may allow remote code execution [1,2].
- S2-031 Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled [1]
- S2-032 XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code [2]
Affected versions:
- S2-031: Struts 2.0.0 - Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
- S2-032: Struts 2.3.20 - Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
Resolution:
If you are using a vulnerable Apache Struts2 version on a back-end application we strongly recommend to update Struts2 to version 2.3.28.1 or higher.
Alternatively, S2-032 can be prevented by disabling Dynamic Method Invocation or by configuring a custom Deny Rule on Airlock WAF with the parameter value pattern:
method:
Case-sensitive = OFF
Invert = OFF
S2-031 can be prevented by implementing your own XSLTResult based on code of the versions Struts 2.3.20.3, Struts 2.3.24.3 or Struts 2.3.28.1.
Component:
Airlock
Airlock Vulnerability Status:
Does not affect Airlock
Back-end Vulnerability Status:
Back-ends may be vulnerable, see resolution