Posted to announcements@struts.apache.org by Rene Gielen <rg...@apache.org> on 2020/08/13 10:17:50 UTC

[ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

Two new Struts Security Bulletins have been issued for Struts 2 by the
Apache Struts Security Team: [1]

S2-059 - Forced double OGNL evaluation, when evaluated on raw user input
in tag attributes, may lead to remote code execution (CVE-2019-0230) [2]

S2-060 - Access permission override causing a Denial of Service when
performing a file upload (CVE-2019-0233) [3]

Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20.
The current version 2.5.22, which was released in November 2019, is not
affected.

CVE-2019-0230 has been reported by Matthias Kaiser, Apple Information
Security. By design, Struts 2 allows developers to utilize forced double
evaluation for certain tag attributes. When used with unvalidated, user
modifiable input, malicious OGNL expressions may be injected. In an
ongoing effort, the Struts framework includes mitigations for limiting
the impact of injected expressions, but Struts before 2.5.22 left an
attack vector open which is addressed by this report. [2]

However, we continue to urge developers building upon Struts 2 to not
use %{...} syntax referencing unvalidated user modifiable input in tag
attributes, since this is the ultimate fix for this class of
vulnerabilities. [4]

CVE-2019-0233 has been reported by Takeshi Terada of Mitsui Bussan
Secure Directions, Inc. In Struts before 2.5.22, when a file upload is
performed to an Action that exposes the file with a getter, an attacker
may manipulate the request such that the working copy of the uploaded
file or even the container temporary upload directory may be set to
read-only access. As a result, subsequent actions on the file or file
uploads in general will fail with an error. [3]

Both issues are already fixed in Apache Struts 2.5.22, which was
released in November 2019.

We strongly recommend that all users upgrade to Struts 2.5.22, if this has
not been done already. [5][6]

The Apache Struts Security Team would like to thank the reporters for
their efforts and their practice of responsible disclosure, as well as
their help while investigating the report and coordinating public
disclosure.

[1] https://struts.apache.org/announce.html#a20200813
[2] https://cwiki.apache.org/confluence/display/ww/s2-059
[3] https://cwiki.apache.org/confluence/display/ww/s2-060
[4] https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions
[5] https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22
[6] https://struts.apache.org/download.cgi#struts-ga

-- 
René Gielen
http://twitter.com/rgielen

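The %{...} pattern the bulletin warns about, in a form that can be audited mechanically. This is an added example written for this page, not code from the Struts project or from the advisory: it scans a Struts JSP template for tag attributes that force OGNL evaluation with %{...}, flags those whose expression names a property the params interceptor fills from request parameters, and checks a struts2-core version against the affected range the bulletin gives (2.0.0 - 2.5.20). The template, the set of request-bound property names and the version strings are constructed for the demonstration; the taint check is a name-matching heuristic, not a data-flow analysis.

```python
"""
Audit helper for the S2-059 pattern (CVE-2019-0230): Struts 2 tag attributes
that force OGNL evaluation with %{...} over a value the request can control.

Added example for this page, not code from the Struts project or the
advisory. The template, the request-bound property names and the version
strings below are constructed for the demonstration.
"""
import re
from typing import List, NamedTuple, Set, Tuple


class Finding(NamedTuple):
    line: int      # 1-based line of the tag in the template
    tag: str       # Struts tag name, e.g. 'a', 'url', 'textfield'
    attr: str      # attribute whose value carries %{...}
    expr: str      # text inside the braces
    tainted: bool  # expression names a request-bound property


# Constructed sample template (not from any real application).
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="save">
  <!-- forced evaluation of a request-bound property: the S2-059 pattern -->
  <s:a id="%{skillName}" href="/skills">Skill</s:a>
  <!-- same attribute without the braces: used as a literal, no second OGNL pass -->
  <s:a id="skillName" href="/skills">Skill</s:a>
  <!-- forced evaluation over a value the request does not set: lower risk, still review -->
  <s:textfield name="title" id="%{#session.csrfId}" />
  <s:url var="u" value="%{pageUrl}" />
</s:form>
"""

# Action properties the params interceptor populates from request parameters.
# Assumed for the demo; in a real audit, take the setter names from the Action.
REQUEST_BOUND: Set[str] = {"skillName", "pageUrl", "title"}

STRUTS_TAG = re.compile(r"<s:(\w+)\b([^>]*)>", re.S)   # <s:tag attrs...>
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')            # name="value"
FORCED = re.compile(r"%\{([^}]*)\}")                    # %{expr}
IDENT = re.compile(r"[A-Za-z_]\w*")                     # names inside expr


def find_forced_evaluations(template: str, request_bound: Set[str]) -> List[Finding]:
    """Every %{...} inside a Struts tag attribute, marked tainted when the
    expression mentions a property that request parameters can set."""
    findings: List[Finding] = []
    for tag_match in STRUTS_TAG.finditer(template):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        line = template.count("\n", 0, tag_match.start()) + 1
        for attr_match in ATTR.finditer(attrs):
            name, value = attr_match.group(1), attr_match.group(2)
            for forced in FORCED.finditer(value):
                expr = forced.group(1).strip()
                names = set(IDENT.findall(expr))
                findings.append(Finding(line, tag, name, expr, bool(names & request_bound)))
    return findings


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.20' -> (2, 5, 20); only the first three numeric components count."""
    return tuple(int(part) for part in version.split(".")[:3])


# Affected range as stated in the bulletin; 2.5.22 is the fixed release.
AFFECTED_LOW, AFFECTED_HIGH = parse_version("2.0.0"), parse_version("2.5.20")


def is_affected_version(version: str) -> bool:
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def report(template: str, request_bound: Set[str], struts_version: str) -> List[str]:
    """Human-readable lines: version verdict first, then one line per finding."""
    verdict = ("AFFECTED, upgrade to 2.5.22" if is_affected_version(struts_version)
               else "outside the affected range")
    lines = [f"struts2-core {struts_version}: {verdict}"]
    for f in find_forced_evaluations(template, request_bound):
        severity = "HIGH (request-bound input)" if f.tainted else "review"
        lines.append(f'line {f.line}: <s:{f.tag} {f.attr}="%{{{f.expr}}}"> -> {severity}')
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_JSP, REQUEST_BOUND, struts_version="2.5.20"):
        print(line)
```

Run as a script it prints the report for the embedded template; in a real audit, feed it each template under WEB-INF and the setter names of the matching Action class. A hit on an already fixed version is still worth removing, since the bulletin's guidance is to stop referencing unvalidated input through %{...} regardless of the framework version.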

Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

Posted by Zahid Rahman <za...@gmail.com>.
Maybe I misunderstand, but there has always existed an Apache solution to
prevent anyone from executing code on the application server.
It's like a 20-year-old solution.

See www.backbutton.co.uk for more details.
https://backbutton.co.uk/

Backbutton.co.uk
¯\_(ツ)_/¯
♡۶Java♡۶RMI ♡۶


On Thu, 13 Aug 2020 at 11:18, Rene Gielen <rg...@apache.org> wrote:

> Two new Struts Security Bulletins have been issued for Struts 2 by the
> Apache Struts Security Team: [1]
>
> [...]

Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

Posted by Zahid Rahman <za...@gmail.com>.
> Definitely a possibility

You doubt yourself.
I think it is not a misunderstanding, for certain.


On Fri, 14 Aug 2020, 01:42 Dave Newton, <da...@gmail.com> wrote:

> On Thu, Aug 13, 2020 at 20:08 Zahid Rahman <za...@gmail.com> wrote:
>
> > Maybe I misunderstand
>
>
> Definitely a possibility.
>

Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

Posted by Dave Newton <da...@gmail.com>.
On Thu, Aug 13, 2020 at 20:08 Zahid Rahman <za...@gmail.com> wrote:

> Maybe I misunderstand


Definitely a possibility.

-- 
em: davelnewton@gmail.com
mo: 908-380-8699
tw: @dave_newton <https://twitter.com/dave_newton>
li: dave-newton <https://www.linkedin.com/in/dave-newton/>
gh: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
bl[0]: Bucky Bits <http://buckybits.blogspot.com/>
bl[1]: Maker's End Blog <https://blog.makersend.com>
sk: davelnewton_skype

Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

Posted by Zahid Rahman <za...@gmail.com>.
Thanks,
I will set up Tomcat with Apache
as described here:
https://en.m.wikipedia.org/wiki/Apache_JServ_Protocol

Then try to replicate the OGNL injection vulnerability.

It should be fun!



On Fri, 14 Aug 2020, 07:38 Rene Gielen, <rg...@apache.org> wrote:

> In Java and Java EE, typical vectors for RCEs, injecting code to be
> executed, include expressions where expression languages are supported
> (JUEL, SpEL or, in the case of Struts 2, OGNL) or serialization attacks.
>
> Once the code is injected, it operates with the OS rights of the running
> user (e.g. UID of Tomcat process) within the given limits of the JVM (is
> the JVM security sandbox enabled or not? what is accessible on your
> classloader?). Additional protections may apply, such as Struts adding
> preventions for accessing certain classes or packages when OGNL
> expressions are evaluated.
>
> This has happened A LOT in the last 20 years, not only with Struts.
>
> On 14.08.20 at 02:07, Zahid Rahman wrote:
> > [...]

Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

Posted by Rene Gielen <rg...@apache.org>.
In Java and Java EE, typical vectors for RCEs, injecting code to be
executed, include expressions where expression languages are supported
(JUEL, SpEL or, in the case of Struts 2, OGNL) or serialization attacks.

Once the code is injected, it operates with the OS rights of the running
user (e.g. UID of Tomcat process) within the given limits of the JVM (is
the JVM security sandbox enabled or not? what is accessible on your
classloader?). Additional protections may apply, such as Struts adding
preventions for accessing certain classes or packages when OGNL
expressions are evaluated.

This has happened A LOT in the last 20 years, not only with Struts.

On 14.08.20 at 02:07, Zahid Rahman wrote:
> [...]

-- 
René Gielen
http://twitter.com/rgielen

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

