
Struts2/OGNL: Remote command execution

IDs: 
S2-014, S2-015, S2-016, CB-K13/0388, CB-K13/0484, CVE-2013-1966, CVE-2013-2115, CVE-2013-2134, CVE-2013-2135, CVE-2013-2251
Keywords: 
Struts2, OGNL
Description: 

Three Apache Struts2 vulnerabilities have been published that allow remote command execution by injecting OGNL expressions into request parameters.

The affected Struts2 versions are:

For vulnerability S2-014 [1] : 2.0.0 - 2.3.14.1
For vulnerability S2-015 [2] : 2.0.0 - 2.3.14.2
For vulnerability S2-016 [3] : 2.0.0 - 2.3.15

Airlock is not affected because Apache Struts2 is not installed/used in Airlock.

Resolution: 

If you are using Apache Struts2 on a back-end system, we strongly recommend updating Struts2 to version 2.3.15.1 or higher. If you are not able to update Struts2, you can add the following deny rules on Airlock and activate them for all mappings connected to an affected back-end group (i.e. a group where a vulnerable Struts2 version is active). The rules are a mitigation only: they block the known injection forms at the reverse proxy but do not fix the underlying OGNL evaluation in Struts2.

Deny Rule for Issue S2-014 and S2-015

Use the following regular expression for the parameter *value* deny rule to patch issue S2-014 and S2-015:

Rule name: Apache Struts2 OGNL injection param value
Deny rule type: Parameter Value
Regular expression name: Double evaluation (S2-014 / S2-015)
Pattern: \$\{[[:space:][:cntrl:]]*[%#]

[Screenshot of the deny rule in Airlock 4.2.6: Struts2 deny rule to fix S2-014 and S2-015]

Deny Rule for Issue S2-016

Use the following regular expression for the parameter *name* deny rule to patch issue S2-016:

Rule name: Apache Struts2 OGNL injection param name
Deny rule type: Parameter Name
Regular expression name: DefaultActionMapper sanitization (S2-016)
Pattern: (action|redirect|redirectAction):[[:space:][:cntrl:]]*%\{

[Screenshot of the deny rule in Airlock 4.2.6: Struts2 deny rule to fix issue S2-016]
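To check what the two deny rules above actually catch before enabling them on a mapping, the following added example (not part of this advisory and not Airlock code) re-implements both patterns with Python's re module and runs them over constructed query strings. Two things are assumptions of the example rather than statements of the page: the POSIX bracket expression [[:space:][:cntrl:]] has no direct Python equivalent and is translated to [\s\x00-\x1f\x7f], and the rules are matched against URL-decoded parameter names and values (parse_qsl decodes one level of percent-encoding), which is how a WAF normally sees them. The example also includes a suggested extension of the S2-016 name rule, NAME_RULE_EXTENDED, because Struts' TextParseUtil evaluates both %{...} and ${...}; the page's pattern only matches %\{, so a redirect:${...} parameter would pass it.

```python
import re
from urllib.parse import parse_qsl

# Added example, not part of the Airlock advisory or product. It re-implements
# the two deny-rule patterns from the advisory with Python's re module so their
# coverage can be checked offline. POSIX [[:space:][:cntrl:]] has no direct
# Python equivalent and is translated to [\s\x00-\x1f\x7f] (assumption).
# Assumption: like a WAF, we match against URL-decoded parameter names and
# values (parse_qsl decodes one level of percent-encoding).
_WS = r"[\s\x00-\x1f\x7f]*"

# Parameter *value* rule for S2-014 / S2-015 (double evaluation of ${ ... }).
VALUE_RULE = re.compile(r"\$\{" + _WS + r"[%#]")

# Parameter *name* rule for S2-016 (DefaultActionMapper prefixes), as on the page.
NAME_RULE = re.compile(r"(action|redirect|redirectAction):" + _WS + r"%\{")

# Suggested extension (my assumption, not the advisory's rule): Struts'
# TextParseUtil evaluates both %{...} and ${...}, so a redirect:${...}
# parameter name slips past NAME_RULE but is caught here.
NAME_RULE_EXTENDED = re.compile(r"(action|redirect|redirectAction):" + _WS + r"[%$]\{")


def check_query(query: str, name_rule: re.Pattern = NAME_RULE) -> list[tuple[str, str]]:
    """Apply both deny rules to every parameter of a raw query string.

    Returns a list of (rule label, offending decoded name or value);
    an empty list means the request would pass both rules.
    """
    hits = []
    # keep_blank_values so that a bare "redirect:%{...}" parameter (no '=') is still seen.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name_rule.search(name):
            hits.append(("S2-016 param name", name))
        if VALUE_RULE.search(value):
            hits.append(("S2-014/S2-015 param value", value))
    return hits


if __name__ == "__main__":
    # Constructed sample query strings (harmless OGNL such as 3*4, no exploit payloads).
    samples = [
        "q=hello%20world&page=2",           # benign: no hit
        "msg=${%23foo}",                    # value ${#foo}: S2-014/S2-015 value rule
        "redirect:%25%7B3*4%7D",            # name redirect:%{3*4}: S2-016 name rule
        "redirectAction:%0A%25%7B3*4%7D",   # newline between prefix and %{ is still caught
        "redirect:%24%7B3*4%7D",            # name redirect:${3*4}: passes the page's rule
    ]
    for q in samples:
        print(f"{q!r:36} page rule: {check_query(q)!s:48} "
              f"extended: {check_query(q, NAME_RULE_EXTENDED)}")
```

Run the script to see each sample against the page's rules and against the extended name rule. The last sample is the point of the exercise: with the advisory's S2-016 pattern as written, a parameter name of the form redirect:${...} is not blocked, so if you rely on the deny rule instead of upgrading, consider widening %\{ to [%$]\{ (or, in Airlock's POSIX syntax, [%$]\{) and re-testing the mapping for false positives.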

Airlock Vulnerability Status: 
No action required
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution