myhack58佚名MYHACK58:62201789104
HistorySep 06, 2017 - 12:00 a.m.

Apache Struts2–052 vulnerability research alert-vulnerability warning-the black bar safety net

2017-09-06 00:00:00
佚名
www.myhack58.com
49

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%

The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type of filtering and this can lead to Remote Code Execution when deserializing XML payloads. - Apache Struts official security bulletin (reference 1)
On September 5, 2017, Apache Struts published its latest security advisory: the Apache Struts2 REST plugin contains a high-risk remote code execution vulnerability, reported by a security researcher at lgtm.com and assigned CVE-2017-9805 (S2-052). The XStream component used by the Struts2 REST plugin deserializes XML-format request data without effectively validating its content, which creates a security risk that can be exploited remotely.
Once the Struts2 REST plugin is enabled and configured to use XStreamHandler, remote command execution becomes possible.
0x01 Vulnerability impact
Impact
CVE-2017-9805 is indeed a high-risk vulnerability, but real-world exposure has a precondition: the REST plugin, which is not a component enabled by default in Struts, must be in use.
Affected versions
Version 2.5.0 to 2.5.12
Version 2.3.0 to 2.3.33
Fixed versions
Struts 2.5.13
Struts 2.3.34
0x02 Vulnerability analysis
Details
![](/Article/UploadPic/2017-9/201796185648496.png?www.myhack58.com)
File: /org/apache/struts2/rest/ContentTypeInterceptor.java
In the struts2 rest-plugin, the dispatch logic in this interceptor looks up the handler registered for the request's content type and calls that handler's toObject method to instantiate the object. When the incoming request is XML, control passes to the toObject method of XStreamHandler.
![](/Article/UploadPic/2017-9/201796185648956.png?www.myhack58.com)
Here, after fromXML returns, an instance of the malicious object has been created and its execution leads to malicious code execution.
![](/Article/UploadPic/2017-9/201796185648504.png?www.myhack58.com)
The calculator then pops up, confirming success.
Vulnerability fix
![](/Article/UploadPic/2017-9/201796185648972.png?www.myhack58.com)
The new version adds XStreamPermissionProvider
![](/Article/UploadPic/2017-9/201796185648551.png?www.myhack58.com)
and overrides the existing createXStream, adding checks that refuse to instantiate unsafe classes.
0x03 Vulnerability verification
![](/Article/UploadPic/2017-9/201796185648981.png?www.myhack58.com)
0x04 Remediation recommendations

  1. Official workaround: restrict the data types handled by the plugin to json
  2. Upgrade Struts to version 2.5.13 or 2.3.34
  3. Perform data validation or filtering in XStreamHandler
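
The fix described in 0x02 (createXStream now installs type checks that refuse unsafe classes) and recommendation 3 above (validate or filter in XStreamHandler) both come down to the same XStream setting: deny every type by default and allow back only the application's own model classes. The following is an added illustration, not code from Struts or from this article; it contrasts a bare XStream instance with an allow-listed one, using the real XStream security API (available since XStream 1.4.7). The `Order` class, the `order` alias and the two XML samples are constructed for the demo.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added illustration (not Struts code): an unfiltered XStream beside an allow-listed one.
public class XStreamAllowListDemo {

    // Hypothetical application model: the only type the XML endpoint should ever materialise.
    public static class Order {
        public String id;
        public int qty;
    }

    // Pre-fix shape: a bare XStream resolves whatever class name appears in the XML.
    // Kept only for contrast; never feed untrusted input to this instance.
    public static XStream createUnfiltered() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    // Post-fix shape: deny everything first, then allow back exactly what is needed.
    public static XStream createAllowListed() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from "nothing is allowed"
        xs.addPermission(NullPermission.NULL);                // permit <null/>
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and wrappers
        xs.allowTypes(new Class[]{String.class, Order.class}); // explicit allow list
        xs.alias("order", Order.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed samples: one well-formed Order, one element naming a class outside the list.
        String benign = "<order><id>A-42</id><qty>3</qty></order>";
        String unlisted = "<java.net.URL/>"; // harmless class, but not allow-listed

        XStream safe = createAllowListed();
        Order o = (Order) safe.fromXML(benign);
        System.out.println("accepted: " + o.id + " x" + o.qty);

        try {
            safe.fromXML(unlisted);
            System.out.println("unexpected: unlisted type was accepted");
        } catch (ForbiddenClassException e) {
            // The mapper chain rejects the class name before any converter runs.
            System.out.println("rejected unlisted type: " + e.getMessage());
        }
    }
}
```

The check happens when XStream resolves the element name to a class, so a rejected type never reaches a converter or a constructor. Keeping the allow list to the endpoint's own data-transfer types, plus primitives and String, is the setting a patched Struts REST deployment relies on; an application that builds its own XStream for other purposes needs the same configuration.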
