In Java and Java EE, typical vectors for RCEs, injecting code to be
executed, include expressions where expression languages are supported
(JUEL, SpEL or, in the case of Struts 2, OGNL) or serialization attacks.

Once the code is injected, it operates with the OS rights of the running
user (e.g. UID of Tomcat process) within the given limit of the JVM (is
the JVM security sandbox enabled or not? what is accessible on your
classloader?). Additional protections may apply, such as Struts adding
preventions for accessing certain classes or packages when OGNL
expressions are evaluated.

This has happened A LOT in the last 20 years, not only with Struts.

On 14.08.20 at 02:07, Zahid Rahman wrote:
> Maybe I misunderstand, there has always existed an Apache solution to
> prevent anyone executing code on the application server.
> It's like a 20-year-old solution.
>
> See www.backbutton.co.uk for more details.
> https://backbutton.co.uk/
>
> On Thu, 13 Aug 2020, 11:18 Rene Gielen, <rgie...@apache.org> wrote:
>
>> Two new Struts Security Bulletins have been issued for Struts 2 by the
>> Apache Struts Security Team: [1]
>>
>> S2-059 - Forced double OGNL evaluation, when evaluated on raw user input
>> in tag attributes, may lead to remote code execution (CVE-2019-0230) [2]
>>
>> S2-060 - Access permission override causing a Denial of Service when
>> performing a file upload (CVE-2019-0233) [3]
>>
>> Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20.
>> The current version 2.5.22, which was released in November 2019, is not
>> affected.
>>
>> CVE-2019-0230 has been reported by Matthias Kaiser, Apple Information
>> Security. By design, Struts 2 allows developers to utilize forced double
>> evaluation for certain tag attributes. When used with unvalidated, user
>> modifiable input, malicious OGNL expressions may be injected. In an
>> ongoing effort, the Struts framework includes mitigations for limiting
>> the impact of injected expressions, but Struts before 2.5.22 left an
>> attack vector open which is addressed by this report. [2]
>>
>> However, we continue to urge developers building upon Struts 2 to not
>> use %{...} syntax referencing unvalidated user modifiable input in tag
>> attributes, since this is the ultimate fix for this class of
>> vulnerabilities. [4]
>>
>> CVE-2019-0233 has been reported by Takeshi Terada of Mitsui Bussan
>> Secure Directions, Inc. In Struts before 2.5.22, when a file upload is
>> performed to an Action that exposes the file with a getter, an attacker
>> may manipulate the request such that the working copy of the uploaded
>> file or even the container temporary upload directory may be set to
>> read-only access. As a result, subsequent actions on the file or file
>> uploads in general will fail with an error. [3]
>>
>> Both issues are already fixed in Apache Struts 2.5.22, which was
>> released in November 2019.
>>
>> We strongly recommend that all users upgrade to Struts 2.5.22, if this
>> has not been done already. [5][6]
>>
>> The Apache Struts Security Team would like to thank the reporters for
>> their efforts and their practice of responsible disclosure, as well as
>> their help while investigating the report and coordinating public
>> disclosure.
>>
>> [1] https://struts.apache.org/announce.html#a20200813
>> [2] https://cwiki.apache.org/confluence/display/ww/s2-059
>> [3] https://cwiki.apache.org/confluence/display/ww/s2-060
>> [4] https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions
>> [5] https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22
>> [6] https://struts.apache.org/download.cgi#struts-ga
>>
>> --
>> René Gielen
>> http://twitter.com/rgielen
>>
>

--
René Gielen
http://twitter.com/rgielen

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
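Added example, not part of the thread above and not code from the Struts project: it models the "forced double OGNL evaluation" pattern that S2-059 describes, using the plain OGNL library and a harmless expression (`1+1`) rather than any real payload, and sets the vulnerable handling beside the hardened one the announcement recommends (evaluate `%{...}` once, then treat the result as data). The `SkillAction` class, the `%{...}` unwrapping helper and the method names are assumptions made for this illustration; real Struts tags go through `TextParseUtil` and Struts' own OGNL member-access restrictions, which this simplified model does not reproduce. It assumes `ognl:ognl` is on the classpath.

```java
import java.util.Map;
import ognl.Ognl;
import ognl.OgnlException;

// Added illustration of forced double OGNL evaluation (S2-059 pattern).
// Not Struts code: class, helper and method names are assumptions.
public class DoubleEvalDemo {

    /** Stand-in for a Struts action whose property is bound to a request parameter. */
    public static class SkillAction {
        private String skillName;
        public String getSkillName() { return skillName; }
        public void setSkillName(String s) { skillName = s; }
    }

    /**
     * One round of %{...} handling, the way a tag treats a String attribute:
     * a value wrapped in %{...} is evaluated as OGNL against the action,
     * anything else is returned as a plain literal. (Simplified: Struts'
     * TextParseUtil also handles %{...} embedded inside longer strings.)
     */
    static Object evaluateOnce(String attr, Map<String, Object> ctx, Object root)
            throws OgnlException {
        if (attr.startsWith("%{") && attr.endsWith("}")) {
            String expr = attr.substring(2, attr.length() - 1);
            return Ognl.getValue(expr, ctx, root);
        }
        return attr;
    }

    /**
     * Vulnerable pattern: the result of the first evaluation is fed back into
     * the evaluator. If the first pass returned user-controlled text, the
     * second pass evaluates whatever the user sent as an OGNL expression.
     */
    static Object forcedDoubleEvaluation(String attr, Map<String, Object> ctx, Object root)
            throws OgnlException {
        Object first = evaluateOnce(attr, ctx, root);
        if (first instanceof String) {
            return evaluateOnce((String) first, ctx, root); // attacker-reachable second pass
        }
        return first;
    }

    /**
     * Hardened pattern: evaluate the developer-written attribute exactly once
     * and treat the outcome as data, never as another expression.
     */
    static String singleEvaluationAsText(String attr, Map<String, Object> ctx, Object root)
            throws OgnlException {
        Object first = evaluateOnce(attr, ctx, root);
        return first == null ? "" : String.valueOf(first);
    }

    public static void main(String[] args) throws OgnlException {
        SkillAction action = new SkillAction();
        // Constructed input: what a request parameter of skillName=%{1+1} would
        // set on the action through Struts' parameter binding.
        action.setSkillName("%{1+1}");
        Map<String, Object> ctx = Ognl.createDefaultContext(action);

        // The attribute as a developer might write it in a tag, e.g.
        // <s:a id="%{skillName}" href="%{url}">...</s:a>
        String attr = "%{skillName}";

        System.out.println("double evaluation : " + forcedDoubleEvaluation(attr, ctx, action));
        System.out.println("single evaluation : " + singleEvaluationAsText(attr, ctx, action));
    }
}
```

The first call evaluates the user-supplied string as OGNL, which is exactly the step S2-059 closes off; the second returns that string unchanged as text. In a real application the equivalent of the hardened path is the advice in [4]: keep `%{...}` out of tag attributes that would resolve to unvalidated user input, and where a user-influenced value must reach a tag, validate it server-side against a fixed set of allowed values before it is exposed through an action getter.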