struts-commits mailing list archives

From lukaszlen...@apache.org
Subject svn commit: r986792 - in /websites/production/struts/content: announce.html docs/s2-029.html docs/s2-031.html docs/s2-032.html
Date Wed, 27 Apr 2016 04:50:26 GMT
Author: lukaszlenart
Date: Wed Apr 27 04:50:26 2016
New Revision: 986792

Log:
Updates production

Modified:
    websites/production/struts/content/announce.html
    websites/production/struts/content/docs/s2-029.html
    websites/production/struts/content/docs/s2-031.html
    websites/production/struts/content/docs/s2-032.html

Modified: websites/production/struts/content/announce.html
==============================================================================
--- websites/production/struts/content/announce.html (original)
+++ websites/production/struts/content/announce.html Wed Apr 27 04:50:26 2016
@@ -165,7 +165,7 @@ releases. The GA designation is our high
 The framework is designed to streamline the full development cycle, from building, to deploying,
 to maintaining applications over time.</p>
 
-<p>This release addresses two potential security vulnerabilities:</p>
+<p>These releases address three potential security vulnerabilities:</p>
 
 <ul>
   <li>
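Review bot: the lead sentence now promises three vulnerabilities, but the hunk ends at the opening `<ul>`/`<li>` and shows no change to the list itself; please confirm the list that follows gains a third entry (this commit also touches the S2-029, S2-031 and S2-032 bulletins, so all three should be linked there), otherwise the count and the list disagree. The change from "This release addresses" to "These releases address" is right, since several patch releases are announced across the bulletins in this commit.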

Modified: websites/production/struts/content/docs/s2-029.html
==============================================================================
--- websites/production/struts/content/docs/s2-029.html (original)
+++ websites/production/struts/content/docs/s2-029.html Wed Apr 27 04:50:26 2016
@@ -138,7 +138,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-029-Summary">Summary</h2>Forced
double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote
code execution.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution vulnerability</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Always validate incoming parameters'
values when re-assigning them
  to certain Struts' tags attributes.</p><p>Don't use %{...} syntax in tag attributes
other than <em>value</em> unless you have a valid use-case.</p><p>Alternatively
upgrade to <a shape="rect" href="version-notes-2328.html">Struts 2.3.28</a></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporters</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity
dot com - Coverity</p><p>Lupin lupin1314 at gmail dot com<a shape="rect" class="external-link"
href="http://www.coverity.com/" rel="nofollow">&#160;</a>-&#160;jd.com security
team</p><p>nike.zheng at dbappsecurity dot com dot cn - dbappsecurity team</p><p>genxors
at gmail dot com - Qihoo 360 SkyEye Lab</p></td></tr><tr><th colspan="1"
rowspan="1" clas
 s="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p><span style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2
id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks when forced,
performs double evaluation of attributes' values assigned to certain tags so it is possible
to pass in a value that will be evaluated again when a tag's attributes will be rendered.</p><h2
id="S2-029-Solution">Solution</h2><p>Adding a proper validation of each value
that's coming in and it's used in tag's attributes.</p><p>Don't use forced evaluation
of an attribute other than <em>value</em>&#160;using %{...} syntax unless
really needed for a valid use-case.&#160;</p><p>By&#160;<span style="line-height:
1.42857;">upgrading to Struts 2.3.28, possible malicious effects of forced double evaluation
are limited.</span></p><h2 id="S2-029-Backwardcompatibility">Backward compatibility</h2><p>No
issues expected when upgrading to
  Struts 2.3.28</p><h2 id="S2-029-Workaround">Workaround</h2><p>If
you are using Struts 2.3.20, 2.3.24 or 2.3.24.1 you can redefine <code>struts.excludedClasses</code>&#160;as
showed below, for more details please read&#160;<a shape="rect" href="security.html">internal
security</a> page.</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
+            <div id="ConfluenceContent"><h2 id="S2-029-Summary">Summary</h2>Forced
double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote
code execution.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution vulnerability</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Always validate incoming parameters'
values when re-assigning them
  to certain Struts' tags attributes.</p><p>Don't use %{...} syntax in tag attributes
other than <em>value</em> unless you have a valid use-case.</p><p>Alternatively
upgrade to <a shape="rect" href="version-notes-23203.html">Struts 2.3.20.3</a>,
<a shape="rect" href="version-notes-23243.html">Struts 2.3.24.3</a> or <a shape="rect"
href="version-notes-2328.html">Struts 2.3.28</a></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts<span style="color:
rgb(23,35,59);"> 2.3.24.1 (except 2.3.20.3)</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporters</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity
dot com - Coverity</p><p>Lupin lupin1314 at gmail dot com<a shape="rect" class="external-link"
href="http://www.coverity.com/" rel="nofollow">&#160;</a>-&#160;jd.com security
team</p><p>nike.zheng at db
 appsecurity dot com dot cn - dbappsecurity team</p><p>genxors at gmail dot com
- Qihoo 360 SkyEye Lab</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p><span style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2
id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks when forced,
performs double evaluation of attributes' values assigned to certain tags so it is possible
to pass in a value that will be evaluated again when a tag's attributes will be rendered.</p><h2
id="S2-029-Solution">Solution</h2><p>Adding a proper validation of each value
that's coming in and it's used in tag's attributes.</p><p>Don't use forced evaluation
of an attribute other than <em>value</em>&#160;using %{...} syntax unless
really needed for a valid use-case.&#160;</p><p>By&#160;<span style="line-height:
1.42857;">upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28, possible
  malicious effects of forced double evaluation are limited.</span></p><h2
id="S2-029-Backwardcompatibility">Backward compatibility</h2><p>No issues expected
when upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28</p><h2 id="S2-029-Workaround">Workaround</h2><p>If
you are using Struts 2.3.20, 2.3.24 or 2.3.24.1 you can redefine <code>struts.excludedClasses</code>&#160;as
showed below, for more details please read&#160;<a shape="rect" href="security.html">internal
security</a> page.</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">   
&lt;constant name="struts.excludedClasses"
               value="
                 java.lang.Object,
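Review bot: in the Solution and Backward compatibility paragraphs, "upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28" should read "2.3.20.3, 2.3.24.3 or 2.3.28"; a deployment moves to one of the three branch releases, and the Recommendation cell in the same hunk already uses "or". Two smaller items carried over unchanged: the Reporters cell still has an empty `<a href="http://www.coverity.com/">&#160;</a>` sitting between Lupin's address and "jd.com security team" (a Coverity link attached to the wrong reporter; drop it or move it to the Coverity entry), and the Workaround still says "as showed below" ("as shown below"). The Affected Software fix (dropping the doubled "Struts" and adding "(except 2.3.20.3)") is consistent with the new fixed versions, since 2.3.24.3 already falls outside the "2.0.0 - 2.3.24.1" range.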

Modified: websites/production/struts/content/docs/s2-031.html
==============================================================================
--- websites/production/struts/content/docs/s2-031.html (original)
+++ websites/production/struts/content/docs/s2-031.html Wed Apr 27 04:50:26 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-031-Summary">Summary</h2><code>XSLTResult</code>
can be used to parse arbitrary stylesheet<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Always validate type and content
of uploaded files, do not expose them directly in your web application. Alternatively upgrade
to&#160;
 <a shape="rect" href="version-notes-2328.html">Struts 2.3.20.2</a><span>,
<a shape="rect" href="version-notes-2328.html">Struts 2.3.24.2</a><span>&#160;</span><span>or
</span></span><a shape="rect" href="version-notes-2328.html">Struts 2.3.28.1</a>.</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.28 (except 2.3.20.2 and 2.3.24.2)</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>GENXOR - genxors at gmail dot com
- Qihoo 360 SkyEye Lab</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2016-3082</p></td></tr></tbody></table></div><h2
id="S2-031-Problem">Problem</h2><p><code>XSLTResult</code>&#160;allows
for the location of a style
 sheet being passed as a request parameter. In some circumstances this can be used to inject
remotely executable code.</p><h2 id="S2-031-Solution">Solution</h2><p>Always
validate type and content of uploaded files. We encourage you to upgrade to one of the versions
of the Apache Struts presented above.</p><h2 id="S2-031-Backwardcompatibility">Backward
compatibility</h2><p>No issues expected when upgrading to Struts 2.3.20.2, 2.3.24.2
and 2.3.28.1</p><h2 id="S2-031-Workaround">Workaround</h2><p>Implement
your own&#160;<code>XSLTResult</code> based on code of the recommended versions.&#160;</p></div>
+            <div id="ConfluenceContent"><h2 id="S2-031-Summary">Summary</h2><code>XSLTResult</code>
can be used to parse arbitrary stylesheet<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Always validate type and content
of uploaded files, do not expose them directly in your web application. Alternatively upgrade
to&#160;
 <a shape="rect" href="version-notes-23203.html">Struts 2.3.20.3</a><span>,
<a shape="rect" href="version-notes-23243.html">Struts 2.3.24.3</a><span>&#160;</span><span>or
</span></span><a shape="rect" href="version-notes-2328.html">Struts 2.3.28.1</a>.</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>GENXOR - genxors at gmail dot com
- Qihoo 360 SkyEye Lab</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2016-3082</p></td></tr></tbody></table></div><h2
id="S2-031-Problem">Problem</h2><p><code>XSLTResult</code>&#160;allows
for the location of a sty
 lesheet being passed as a request parameter. In some circumstances this can be used to inject
remotely executable code.</p><h2 id="S2-031-Solution">Solution</h2><p>Always
validate type and content of uploaded files. We encourage you to upgrade to one of the versions
of the Apache Struts presented above.</p><h2 id="S2-031-Backwardcompatibility">Backward
compatibility</h2><p>No issues expected when upgrading to Struts 2.3.20.3, 2.3.24.3
and 2.3.28.1</p><h2 id="S2-031-Workaround">Workaround</h2><p>Implement
your own&#160;<code>XSLTResult</code> based on code of the recommended versions.&#160;</p></div>
         </div>
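Review bot: the third upgrade link is now inconsistent with the two that were just corrected: "Struts 2.3.28.1" still points at version-notes-2328.html, the 2.3.28 release notes, while 2.3.20.3 and 2.3.24.3 link to their own pages; give 2.3.28.1 its own version-notes target, otherwise the reader lands on notes that predate the fix. Also carried over unchanged: the Affected Software cell reads "Struts 2.0.0 - Struts Struts 2.3.28" (the same doubled word fixed in s2-029.html in this commit), and the Summary "can be used to parse arbitrary stylesheet" should read "an arbitrary stylesheet".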
 
         

Modified: websites/production/struts/content/docs/s2-032.html
==============================================================================
--- websites/production/struts/content/docs/s2-032.html (original)
+++ websites/production/struts/content/docs/s2-032.html Wed Apr 27 04:50:26 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-032-Summary">Summary</h2>Remote
Code Execution can be performed via <code>method:</code> prefix when Dynamic Method
Invocation is enabled.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Disable Dynamic Method Invocation
if possible. Alternatively upgrade to&#160;<a shape="re
 ct" href="version-notes-2328.html">Struts 2.3.20.2</a><span>, <a shape="rect"
href="version-notes-2328.html">Struts 2.3.24.2</a><span>&#160;</span><span>or
</span></span><a shape="rect" href="version-notes-2328.html">Struts 2.3.28.1</a>.</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.28 (except 2.3.20.2 and 2.3.24.2)</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p><span>Nike Zheng </span>nike
dot zheng at dbappsecurity dot com dot cn</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-3081</p></td></tr></tbody></table></div><h2
id="S2-032-Problem">Problem</h2><p>It is possible to pass a malicious expression
which can be u
 sed to execute arbitrary code on server side when Dynamic Method Invocation is enabled.</p><h2
id="S2-032-Solution">Solution</h2><p>Disable Dynamic Method Invocation when
possible or upgrade to Apache Struts versions 2.3.20.2, 2.3.24.2 or 2.3.28.1.</p><h2
id="S2-032-Backwardcompatibility">Backward compatibility</h2><p>No issues expected
when upgrading to Struts 2.3.20.2, 2.3.24.2 and 2.3.28.1</p><h2 id="S2-032-Workaround">Workaround</h2><p>Disable
Dynamic Method Invocation or implement your own version of <code>ActionMapper</code>
based on a source code of the recommended Apache Struts versions.</p></div>
+            <div id="ConfluenceContent"><h2 id="S2-032-Summary">Summary</h2>Remote
Code Execution can be performed via <code>method:</code> prefix when Dynamic Method
Invocation is enabled.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Disable Dynamic Method Invocation
if possible. Alternatively upgrade to&#160;<a shape="re
 ct" href="version-notes-23203.html">Struts 2.3.20.3</a><span>, <a shape="rect"
href="version-notes-23243.html">Struts 2.3.24.3</a><span>&#160;</span><span>or
</span></span><a shape="rect" href="version-notes-2328.html">Struts 2.3.28.1</a>.</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p><span>Nike Zheng </span>nike
dot zheng at dbappsecurity dot com dot cn</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-3081</p></td></tr></tbody></table></div><h2
id="S2-032-Problem">Problem</h2><p>It is possible to pass a malicious expression
which can be
  used to execute arbitrary code on server side when Dynamic Method Invocation is enabled.</p><h2
id="S2-032-Solution">Solution</h2><p>Disable Dynamic Method Invocation when
possible or upgrade to Apache Struts versions 2.3.20.3, 2.3.24.3 or 2.3.28.1.</p><h2
id="S2-032-Backwardcompatibility">Backward compatibility</h2><p>No issues expected
when upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28.1</p><h2 id="S2-032-Workaround">Workaround</h2><p>Disable
Dynamic Method Invocation or implement your own version of <code>ActionMapper</code>
based on a source code of the recommended Apache Struts versions.</p></div>
         </div>
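Review bot: same link problem as in s2-031.html, "Struts 2.3.28.1" is still wired to version-notes-2328.html while the 2.3.20.3 and 2.3.24.3 links were moved to their own pages, and the same doubled "Struts 2.3.20 - Struts Struts 2.3.28" remains in Affected Software. On content: the Recommendation and Workaround both say "Disable Dynamic Method Invocation" without naming the switch; since this is the primary mitigation for users who cannot upgrade immediately, the bulletin should spell out the constant (`struts.enable.DynamicMethodInvocation` set to `false` in struts.xml or struts.properties) so it can be applied and verified. Minor wording: "based on a source code of the recommended" should read "based on the source code of the recommended".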
 
         


