
Apache Struts Vulnerabilities S2-028, S2-029, S2-030

IDs: 
S2-028, S2-029, S2-030, CVE-2016-4003, CVE-2016-0785, CVE-2016-2162
Keywords: 
Struts2, OGNL
Description: 

Three Apache Struts2 vulnerabilities have been found which may allow remote command execution and XSS [1].

  • S2-028 Possible XSS vulnerability in pages not using UTF-8 was fixed.
  • S2-029 Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
  • S2-030 I18NInterceptor narrows the selected locale to those available in the JVM to reduce the possibility of another XSS vulnerability.

Airlock WAF protects against known exploits of S2-028 and S2-030. Double OGNL evaluation (S2-029) can be prevented with a virtual patch on Airlock WAF by configuring a custom Deny Rule with the parameter value pattern:

%{

Case-sensitive = OFF
Invert = OFF
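The following Python block is an added illustration of what the virtual patch above does, not Airlock code and not part of the original advisory: it splits a raw query string into parameters, percent-decodes each value, and reports the parameters whose decoded value contains the literal "%{". The bounded decoding loop (two rounds by default) is an assumption made here so that a doubly encoded payload is still caught; whether and how often the WAF decodes before matching is not described on this page. The sample requests are constructed.

```python
from urllib.parse import unquote_plus

# The advisory's virtual patch: a Deny Rule matching the literal "%{" in any
# parameter value (Case-sensitive = OFF, Invert = OFF).
DENY_PATTERN = "%{"


def decode_value(raw, max_rounds=2):
    """Percent-decode a parameter value until it stops changing, at most
    max_rounds times. Decoding more than once is an assumption of this example
    (so %2525%257B is still seen as "%{"), not an Airlock setting from the page."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def matches_deny_rule(value):
    """Case-sensitive = OFF is modelled with lower(). The pattern contains no
    letters, so the case setting makes no difference for this particular rule."""
    return DENY_PATTERN in value.lower()


def parse_parameters(query_string):
    """Split a query string or form body into (name, raw_value) pairs without
    decoding, so the check below sees exactly what the client sent."""
    pairs = []
    for part in query_string.split("&"):
        if not part:
            continue
        name, _, raw = part.partition("=")
        pairs.append((name, raw))
    return pairs


def check_request(query_string, max_rounds=2):
    """Return the names of parameters whose decoded value hits the deny rule.
    An empty list means the request would pass the virtual patch."""
    hits = []
    for name, raw in parse_parameters(query_string):
        if matches_deny_rule(decode_value(raw, max_rounds)):
            hits.append(name)
    return hits


# Constructed sample requests (not taken from the advisory). "%{1+1}" is a
# harmless OGNL expression used only to show what the rule keys on.
SAMPLE_REQUESTS = {
    "benign": "name=alice&page=2&note=100%25+done",
    "literal": "id=%{1%2B1}",                  # "%{" sent unencoded
    "encoded": "id=%25%7B1%2B1%7D",            # "%{1+1}" percent-encoded once
    "double_encoded": "id=%2525%257B1%252B1%257D",  # percent-encoded twice
}

if __name__ == "__main__":
    for label, request in SAMPLE_REQUESTS.items():
        print(f"{label:15s} -> blocked parameters: {check_request(request)}")
```

With a single decoding round the doubly encoded request would pass, which is the check to make against the real deployment: confirm how the WAF normalises parameter values before the "%{" pattern is applied, and test the rule with encoded as well as literal payloads rather than only the plain form.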

Resolution: 

If you are using a vulnerable Apache Struts2 version on a back-end application, we strongly recommend updating Struts2 to version 2.3.28 or higher [1]. If you cannot update immediately and cannot rule out exploitation, we recommend configuring at least the virtual patch described above until Struts2 has been updated.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution