Posted to commits@struts.apache.org by lu...@apache.org on 2017/03/10 18:59:47 UTC

svn commit: r1008101 - /websites/production/struts/content/docs/s2-045.html

Author: lukaszlenart
Date: Fri Mar 10 18:59:47 2017
New Revision: 1008101

Log:
Updates production

Modified:
    websites/production/struts/content/docs/s2-045.html

Modified: websites/production/struts/content/docs/s2-045.html
==============================================================================
--- websites/production/struts/content/docs/s2-045.html (original)
+++ websites/production/struts/content/docs/s2-045.html Fri Mar 10 18:59:47 2017
@@ -34,6 +34,20 @@ under the License.
             color:                 #666;
         }
     </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
     <script type="text/javascript" language="javascript">
         var hide = null;
         var show = null;
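Review bot: the new `<head>` block loads seven SyntaxHighlighter brush scripts (Plain, Xml, Java, JScript, Groovy, Bash, Css), but the only highlighted block this page gains is the `brush: xml` one in the Workaround section, so shCore.js and shBrushXml.js plus the two stylesheets would be enough. The assets are also referenced by absolute `https://struts.apache.org/highlighter/...` URLs while the sibling doc links on this page (`version-notes-2332.html`) are relative; a relative path would keep the page consistent and would not tie a copy of the docs to the live site.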
@@ -125,7 +139,35 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-045-Summary">Summary</h2>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible RCE when performing file upload <span>based on Jakarta Multipart parser</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2332.
 html">Struts 2.3.32</a> or <a shape="rect" href="version-notes-25101.html">Struts 2.5.10.1</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31, Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Nike Zheng &lt;nike dot zheng at dbappsecurity dot com dot cn&gt;</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2 id="S2-045-Problem">Problem</h2><p>It is possible to perform a RCE attack with a malicious&#160;<code>Content-Type</code>&#160;value. If the <code>Content-Type</code>&#160;value isn't valid an exception is thrown which is then used to display an error me
 ssage to a user.</p><h2 id="S2-045-Solution">Solution</h2><p>If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different <a shape="rect" href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a> of the Multipart parser.</p><h2 id="S2-045-Backwardcompatibility">Backward compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 id="S2-045-Workaround">Workaround</h2><p>Implement a Servlet filter which will validate <code>Content-Type</code>&#160;and throw away request with suspicious values not matching&#160;<code>multipart/form-data.</code></p></div>
+            <div id="ConfluenceContent"><h2 id="S2-045-Summary">Summary</h2>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible RCE when performing file upload <span>based on Jakarta Multipart parser</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2332.
 html">Struts 2.3.32</a> or <a shape="rect" href="version-notes-25101.html">Struts 2.5.10.1</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31, Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Nike Zheng &lt;nike dot zheng at dbappsecurity dot com dot cn&gt;</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2 id="S2-045-Problem">Problem</h2><p>It is possible to perform a RCE attack with a malicious&#160;<code>Content-Type</code>&#160;value. If the <code>Content-Type</code>&#160;value isn't valid an exception is thrown which is then used to display an error me
 ssage to a user.</p><h2 id="S2-045-Solution">Solution</h2><p>If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different <a shape="rect" href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a> of the Multipart parser.</p><h2 id="S2-045-Backwardcompatibility">Backward compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 id="S2-045-Workaround">Workaround</h2><p>Implement a Servlet filter which will validate <code>Content-Type</code>&#160;and throw away request with suspicious values not matching&#160;<code>multipart/form-data</code>.</p><p>Other option is to remove the&#160;<a shape="rect" href="file-upload-interceptor.html">File Upload Interceptor</a> from the stack, just define your own custom stack and set it as a default - please read&#160;<a shape="rect" href="how-do-we-configure-an-interceptor-to-be-used-with-
 every-action.html">How do we configure an Interceptor to be used with every Action</a>. This will work only for Struts 2.5.8 - 2.5.10.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;interceptors&gt;
+    &lt;interceptor-stack name="defaultWithoutUpload"&gt;
+        &lt;interceptor-ref name="exception"/&gt;
+        &lt;interceptor-ref name="alias"/&gt;
+        &lt;interceptor-ref name="servletConfig"/&gt;
+        &lt;interceptor-ref name="i18n"/&gt;
+        &lt;interceptor-ref name="prepare"/&gt;
+        &lt;interceptor-ref name="chain"/&gt;
+        &lt;interceptor-ref name="scopedModelDriven"/&gt;
+        &lt;interceptor-ref name="modelDriven"/&gt;
+        &lt;interceptor-ref name="checkbox"/&gt;
+        &lt;interceptor-ref name="datetime"/&gt;
+        &lt;interceptor-ref name="multiselect"/&gt;
+        &lt;interceptor-ref name="staticParams"/&gt;
+        &lt;interceptor-ref name="actionMappingParams"/&gt;
+        &lt;interceptor-ref name="params"/&gt;
+        &lt;interceptor-ref name="conversionError"/&gt;
+        &lt;interceptor-ref name="validation"&gt;
+            &lt;param name="excludeMethods"&gt;input,back,cancel,browse&lt;/param&gt;
+        &lt;/interceptor-ref&gt;
+        &lt;interceptor-ref name="workflow"&gt;
+            &lt;param name="excludeMethods"&gt;input,back,cancel,browse&lt;/param&gt;
+        &lt;/interceptor-ref&gt;
+        &lt;interceptor-ref name="debugging"/&gt;
+    &lt;/interceptor-stack&gt;
+&lt;/interceptors&gt;
+&lt;default-interceptor-ref name="defaultWithoutUpload"/&gt;</pre>
+</div></div></div>
         </div>
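Review bot: in the new Workaround paragraph, "This will work only for Struts 2.5.8 - 2.5.10" comes last, after the link sentence, and leaves readers on the rest of the affected range (2.3.5 - 2.3.31 and 2.5 - 2.5.7) without guidance for this option. Suggest opening the paragraph with the version restriction and pointing everyone else back to the Servlet filter workaround or the upgrade. The paragraph should also say that actions depending on file upload stop working once `defaultWithoutUpload` is the default stack, and say where in struts.xml the snippet belongs. Minor: "Other option is" reads better as "Another option is".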