Posted to commits@struts.apache.org by lu...@apache.org on 2017/03/10 18:59:47 UTC
svn commit: r1008101 - /websites/production/struts/content/docs/s2-045.html
Author: lukaszlenart
Date: Fri Mar 10 18:59:47 2017
New Revision: 1008101
Log:
Updates production
Modified:
websites/production/struts/content/docs/s2-045.html
Modified: websites/production/struts/content/docs/s2-045.html
==============================================================================
--- websites/production/struts/content/docs/s2-045.html (original)
+++ websites/production/struts/content/docs/s2-045.html Fri Mar 10 18:59:47 2017
@@ -34,6 +34,20 @@ under the License.
color: #666;
}
</style>
+ <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+ <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+ <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' type='text/javascript'></script>
+ <script type="text/javascript">
+ SyntaxHighlighter.defaults['toolbar'] = false;
+ SyntaxHighlighter.all();
+ </script>
<script type="text/javascript" language="javascript">
var hide = null;
var show = null;
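Review bot: the block of added `<script>` tags loads seven SyntaxHighlighter brushes (Plain, Xml, Java, JScript, Groovy, Bash, Css), but the only highlighted block this commit adds to the page is declared as `brush: xml`. On a security bulletin it is worth keeping third-party script to the minimum the page needs: the two stylesheets, `shCore.js` and `shBrushXml.js` are enough for the content shown here, and the other brushes can be dropped unless the shared site template requires them. If the list comes from the template, a short comment to that effect would keep the next reviewer from asking the same question.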
@@ -125,7 +139,35 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2 id="S2-045-Summary">Summary</h2>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible RCE when performing file upload <span>based on Jakarta Multipart parser</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2332.
html">Struts 2.3.32</a> or <a shape="rect" href="version-notes-25101.html">Struts 2.5.10.1</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31, Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Nike Zheng <nike dot zheng at dbappsecurity dot com dot cn></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2 id="S2-045-Problem">Problem</h2><p>It is possible to perform a RCE attack with a malicious <code>Content-Type</code> value. If the <code>Content-Type</code> value isn't valid an exception is thrown which is then used to display an error me
ssage to a user.</p><h2 id="S2-045-Solution">Solution</h2><p>If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different <a shape="rect" href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a> of the Multipart parser.</p><h2 id="S2-045-Backwardcompatibility">Backward compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 id="S2-045-Workaround">Workaround</h2><p>Implement a Servlet filter which will validate <code>Content-Type</code> and throw away request with suspicious values not matching <code>multipart/form-data.</code></p></div>
+ <div id="ConfluenceContent"><h2 id="S2-045-Summary">Summary</h2>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible RCE when performing file upload <span>based on Jakarta Multipart parser</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2332.
html">Struts 2.3.32</a> or <a shape="rect" href="version-notes-25101.html">Struts 2.5.10.1</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31, Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Nike Zheng <nike dot zheng at dbappsecurity dot com dot cn></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2 id="S2-045-Problem">Problem</h2><p>It is possible to perform a RCE attack with a malicious <code>Content-Type</code> value. If the <code>Content-Type</code> value isn't valid an exception is thrown which is then used to display an error me
ssage to a user.</p><h2 id="S2-045-Solution">Solution</h2><p>If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different <a shape="rect" href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a> of the Multipart parser.</p><h2 id="S2-045-Backwardcompatibility">Backward compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 id="S2-045-Workaround">Workaround</h2><p>Implement a Servlet filter which will validate <code>Content-Type</code> and throw away request with suspicious values not matching <code>multipart/form-data</code>.</p><p>Other option is to remove the <a shape="rect" href="file-upload-interceptor.html">File Upload Interceptor</a> from the stack, just define your own custom stack and set it as a default - please read <a shape="rect" href="how-do-we-configure-an-interceptor-to-be-used-with-
every-action.html">How do we configure an Interceptor to be used with every Action</a>. This will work only for Struts 2.5.8 - 2.5.10.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><interceptors>
+ <interceptor-stack name="defaultWithoutUpload">
+ <interceptor-ref name="exception"/>
+ <interceptor-ref name="alias"/>
+ <interceptor-ref name="servletConfig"/>
+ <interceptor-ref name="i18n"/>
+ <interceptor-ref name="prepare"/>
+ <interceptor-ref name="chain"/>
+ <interceptor-ref name="scopedModelDriven"/>
+ <interceptor-ref name="modelDriven"/>
+ <interceptor-ref name="checkbox"/>
+ <interceptor-ref name="datetime"/>
+ <interceptor-ref name="multiselect"/>
+ <interceptor-ref name="staticParams"/>
+ <interceptor-ref name="actionMappingParams"/>
+ <interceptor-ref name="params"/>
+ <interceptor-ref name="conversionError"/>
+ <interceptor-ref name="validation">
+ <param name="excludeMethods">input,back,cancel,browse</param>
+ </interceptor-ref>
+ <interceptor-ref name="workflow">
+ <param name="excludeMethods">input,back,cancel,browse</param>
+ </interceptor-ref>
+ <interceptor-ref name="debugging"/>
+ </interceptor-stack>
+</interceptors>
+<default-interceptor-ref name="defaultWithoutUpload"/></pre>
+</div></div></div>
</div>
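Review bot: in the new Workaround paragraph the restriction "This will work only for Struts 2.5.8 - 2.5.10" comes last, after the instructions and the link, while the Affected Software row covers Struts 2.3.5 - 2.3.31 as well. A reader on 2.3.x can apply the stack and stop reading before reaching the caveat, so the version limit should open the paragraph, and the text should say which of the other options (upgrade, alternate parser, Servlet filter) applies to the remaining affected versions. The `defaultWithoutUpload` stack also never states what it leaves out: the reader has to compare it with the framework's default stack to see that `fileUpload` is the missing reference, so name that interceptor in the sentence introducing the snippet. Since this is a hand-copied stack, a note that it should be removed again after upgrading to 2.3.32 or 2.5.10.1 would prevent it from drifting from the shipped defaults. Minor wording: "Other option is to remove" should read "Another option is to remove".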