Full Disclosure mailing list archives
Re: [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation (security | critical)
From: Rene Gielen <rgielen () apache org>
Date: Fri, 25 Apr 2014 20:08:49 +0200
Hi,

On 25.04.14 18:52, Tim wrote:
So I have to say, I feel like the Struts team is kind of... failing. Here are my gripes: A) I questioned the last bug fix in the thread here [1], where we were all reassured that it was just "ClassLoader manipulation", not RCE. Clearly that's not true.
At this point in time, it was true. The RCE is not exactly a Struts issue alone, the Struts issue just opens the door to an unprotected field in a certain servlet container environment.
B) The fix for the last CVE was that crappy "^class\." filter, which I pointed out was insufficient. The Struts team quickly fixed that, but never bothered to update the "workaround" section in the last advisory to the less-terrible ".*\.class\..*" regex (or whatever it was). So if developers just implemented the workaround from the advisory, they were obviously not protected. (In hindsight, they never were protected even with the better regex, but it was just irresponsible not to make the second regex more public.)
Better suggestions are always welcome. We have a mail address to reach us for any concerns regarding security: security () struts apache org
C) The Struts team is playing whack-a-mole. Instead of fixing the root issue, they are just adding one blacklist regex after another, hoping no one figures out yet another way around it.
We try to protect users who are not using a properly configured security manager, as is always recommended when working with application servers. Sometimes we seem to fail, indeed. Like others, we don't seem to be perfect. BTW, we are not only blacklisting - the blacklist is applied for special cases that make it through the whitelist.
I urge you to take OGNL and *throw it out*. Replace it with something that allows only a white list of properties to be set, based on what the application defines as relevant. Until then, I'm recommending to my clients that they avoid Struts like the plague.
To what alternative? UEL? The attack vector is just using a simple getter semantic which basically works with any EL. Throwing out EL capabilities is no option for most users. Anyway, if somebody likes to help with more than just finger-pointing, he/she is heartily welcome!

Regards,
René
tim

1. http://seclists.org/fulldisclosure/2014/Mar/53

On Thu, Apr 24, 2014 at 05:37:13PM +0200, Rene Gielen wrote:

In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, the correction wasn't sufficient. A security fix release fully addressing this issue is in preparation and will be released as soon as possible. Once the release is available, all Struts 2 users are strongly recommended to update their installations.

* Until the release is available, all Struts 2 users are strongly recommended to apply the mitigation described in [1]
* Please follow the Apache Struts announcement channels [2][3][4][5] to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours. Please prepare for upgrading all Struts 2 based production systems to the new release version once available.

- The Apache Struts Team.

[1] http://struts.apache.org/announce.html#a20140424
[2] http://struts.apache.org/mail.html
[3] http://struts.apache.org/announce.html
[4] https://plus.google.com/+ApacheStruts/posts
[5] https://twitter.com/TheApacheStruts

--
René Gielen
http://twitter.com/rgielen

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
--
René Gielen
http://twitter.com/rgielen
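As an added illustration of the filters argued over above (this is not code from the thread or from the Struts project), the following compares the prefix-anchored deny-list pattern with the broader one and with the allow-list approach Tim asks for. The regexes are reconstructed from Tim's description, since the advisory's exact patterns are not quoted in the thread, and the sample parameter names are constructed.

```python
import re

# Reconstructed from Tim's wording; the advisory's exact regexes are not on
# the page, so these are approximations of the two patterns he contrasts.
PREFIX_ONLY = re.compile(r"^class\.")            # anchored at the start only
ANYWHERE = re.compile(r"(?:^|.*\.)class\.")      # "class." at top level or nested


def blacklist_blocks(pattern, param_name):
    """True if the deny-list pattern rejects this parameter name."""
    return pattern.match(param_name) is not None


def whitelist_allows(allowed, param_name):
    """Allow-list check: the action declares exactly which property paths
    a request may set. Anything not declared is dropped, so a traversal
    into a Java-level property such as 'class' never reaches OGNL."""
    return param_name in allowed


# Constructed sample names, not taken from any real request.
ALLOWED_FOR_ACTION = {"username", "address.street"}
SAMPLES = [
    "username",                  # legitimate simple property
    "address.street",            # legitimate nested property
    "class.classLoader.x",       # top-level traversal into Class
    "user.class.classLoader.x",  # same traversal reached through a getter
]


def evaluate(param_name):
    """Report how each filtering strategy treats one parameter name."""
    return {
        "prefix_blocks": blacklist_blocks(PREFIX_ONLY, param_name),
        "anywhere_blocks": blacklist_blocks(ANYWHERE, param_name),
        "whitelist_allows": whitelist_allows(ALLOWED_FOR_ACTION, param_name),
    }


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:28} {evaluate(name)}")
```

The nested name slips past the prefix-anchored pattern but not the broader one, while the allow-list rejects both traversals without needing to enumerate dangerous names at all.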