struts-commits mailing list archives

From lukaszlen...@apache.org
Subject svn commit: r983559 - /websites/production/struts/content/docs/s2-029.html
Date Thu, 24 Mar 2016 06:12:41 GMT
Author: lukaszlenart
Date: Thu Mar 24 06:12:41 2016
New Revision: 983559

Log:
Updates production

Modified:
    websites/production/struts/content/docs/s2-029.html

Modified: websites/production/struts/content/docs/s2-029.html
==============================================================================
--- websites/production/struts/content/docs/s2-029.html (original)
+++ websites/production/struts/content/docs/s2-029.html Thu Mar 24 06:12:41 2016
@@ -138,7 +138,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-029-Summary">Summary</h2>Forced
double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote
code execution.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution vulnerability</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Always validate incoming parameters'
values when re-assigning them
  to certain Struts' tags attributes.</p><p>Don't use %{...} syntax in tag attributes
other than <em>value</em> unless you have a valid use-case.</p><p>Alternatively
upgrade to <a shape="rect" href="version-notes-2328.html">Struts 2.3.28</a></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporters</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity
dot com - Coverity</p><p>Lupin lupin1314 at gmail dot com<a shape="rect" class="external-link"
href="http://www.coverity.com/" rel="nofollow">&#160;</a>-&#160;jd.com security
team</p><p>nike.zheng at dbappsecurity dot com dot cn - dbappsecurity team</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td
colspan
 ="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2
id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks when forced,
performs double evaluation of attributes' values assigned to certain tags so it is possible
to pass in a value that will be evaluated again when a tag's attributes will be rendered.</p><h2
id="S2-029-Solution">Solution</h2><p>Adding a proper validation of each value
that's coming in and it's used in tag's attributes.</p><p>Don't use forced evaluation
of an attribute other than <em>value</em>&#160;using %{...} syntax unless
really needed for a valid use-case.&#160;</p><p>By&#160;<span style="line-height:
1.42857;">upgrading to Struts 2.3.28, possible malicious effects of forced double evaluation
are limited.</span></p><h2 id="S2-029-Backwardcompatibility">Backward compatibility</h2><p>No
issues expected when upgrading to Struts 2.3.28</p><h2 id="S2-029-Workaround">Workaroun
 d</h2><p>If you are using Struts 2.3.20, 2.3.24 or 2.3.24.1 you can redefine
<code>struts.excludedClasses</code>&#160;as showed below, for more details
please read&#160;<a shape="rect" href="security.html">internal security</a>
page.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
+            <div id="ConfluenceContent"><h2 id="S2-029-Summary">Summary</h2>Forced
double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote
code execution.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution vulnerability</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Always validate incoming parameters'
values when re-assigning them
  to certain Struts' tags attributes.</p><p>Don't use %{...} syntax in tag attributes
other than <em>value</em> unless you have a valid use-case.</p><p>Alternatively
upgrade to <a shape="rect" href="version-notes-2328.html">Struts 2.3.28</a></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporters</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity
dot com - Coverity</p><p>Lupin lupin1314 at gmail dot com<a shape="rect" class="external-link"
href="http://www.coverity.com/" rel="nofollow">&#160;</a>-&#160;jd.com security
team</p><p>nike.zheng at dbappsecurity dot com dot cn - dbappsecurity team</p><p>genxors
at gmail dot com - Qihoo 360 SkyEye Lab</p></td></tr><tr><th colspan="1"
rowspan="1" clas
 s="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p><span style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2
id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks when forced,
performs double evaluation of attributes' values assigned to certain tags so it is possible
to pass in a value that will be evaluated again when a tag's attributes will be rendered.</p><h2
id="S2-029-Solution">Solution</h2><p>Adding a proper validation of each value
that's coming in and it's used in tag's attributes.</p><p>Don't use forced evaluation
of an attribute other than <em>value</em>&#160;using %{...} syntax unless
really needed for a valid use-case.&#160;</p><p>By&#160;<span style="line-height:
1.42857;">upgrading to Struts 2.3.28, possible malicious effects of forced double evaluation
are limited.</span></p><h2 id="S2-029-Backwardcompatibility">Backward compatibility</h2><p>No
issues expected when upgrading to
  Struts 2.3.28</p><h2 id="S2-029-Workaround">Workaround</h2><p>If
you are using Struts 2.3.20, 2.3.24 or 2.3.24.1 you can redefine <code>struts.excludedClasses</code>&#160;as
showed below, for more details please read&#160;<a shape="rect" href="security.html">internal
security</a> page.</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">   
&lt;constant name="struts.excludedClasses"
               value="
                 java.lang.Object,
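
Review bot: the only substantive change in this hunk is the new reporter paragraph `<p>genxors at gmail dot com - Qihoo 360 SkyEye Lab</p>` in the Reporters cell; the rest of the replaced `-`/`+` line is byte-for-byte the same apart from re-wrapping, so the credit is easy to miss in review. Since the whole line is re-emitted anyway, three small text defects visible in it are worth fixing in the same edit: the Affected Software cell reads `Struts 2.0.0 - Struts Struts 2.3.24.1` (doubled "Struts"); the empty anchor `<a shape="rect" class="external-link" href="http://www.coverity.com/" rel="nofollow">&#160;</a>` sits inside the jd.com reporter's paragraph rather than Romain Gaucher's, so the Coverity link is attached to the wrong credit; and the Workaround sentence `as showed below` should read `as shown below`. The commit message `Updates production` also gives no hint that a CVE-2016-0785 advisory credit was added; a message naming the change (for example, "S2-029: add Qihoo 360 SkyEye Lab to reporters") would help anyone auditing the advisory's history later.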