Thanks, I will set up Tomcat with Apache as described here: https://en.m.wikipedia.org/wiki/Apache_JServ_Protocol
Then try to replicate the OGNL injection vulnerability. It should be fun!

On Fri, 14 Aug 2020, 07:38 Rene Gielen, <rgie...@apache.org> wrote:

> In Java and Java EE, typical vectors for RCEs, injecting code to be executed, include expressions where expression languages are supported (JUEL, SpEL or, in the case of Struts 2, OGNL) or serialization attacks.
>
> Once the code is injected, it operates with the OS rights of the running user (e.g. UID of Tomcat process) within the given limit of the JVM (is the JVM security sandbox enabled or not? what is accessible on your classloader?). Additional protections may apply, such as Struts adding preventions for accessing certain classes or packages when OGNL expressions are evaluated.
>
> This has happened A LOT in the last 20 years, not only with Struts.
>
> On 14.08.20 at 02:07, Zahid Rahman wrote:
> > Maybe I misunderstand, there has always existed an Apache solution to prevent anyone executing code on the application server.
> > It's like a 20-year-old solution.
> >
> > See www.backbutton.co.uk for more details.
> > https://backbutton.co.uk/
> >
> > On Thu, 13 Aug 2020, 11:18 Rene Gielen, <rgie...@apache.org> wrote:
> >
> >> Two new Struts Security Bulletins have been issued for Struts 2 by the Apache Struts Security Team: [1]
> >>
> >> S2-059 - Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (CVE-2019-0230) [2]
> >>
> >> S2-060 - Access permission override causing a Denial of Service when performing a file upload (CVE-2019-0233) [3]
> >>
> >> Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20. The current version 2.5.22, which was released in November 2019, is not affected.
> >>
> >> CVE-2019-0230 has been reported by Matthias Kaiser, Apple Information Security. By design, Struts 2 allows developers to utilize forced double evaluation for certain tag attributes. When used with unvalidated, user modifiable input, malicious OGNL expressions may be injected. In an ongoing effort, the Struts framework includes mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack vector open which is addressed by this report. [2]
> >>
> >> However, we continue to urge developers building upon Struts 2 to not use %{...} syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities. [4]
> >>
> >> CVE-2019-0233 has been reported by Takeshi Terada of Mitsui Bussan Secure Directions, Inc. In Struts before 2.5.22, when a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file or even the container temporary upload directory may be set to read-only access. As a result, subsequent actions on the file or file uploads in general will fail with an error. [3]
> >>
> >> Both issues are already fixed in Apache Struts 2.5.22, which was released in November 2019.
> >>
> >> We strongly recommend all users to upgrade to Struts 2.5.22, if this has not been done already. [5][6]
> >>
> >> The Apache Struts Security Team would like to thank the reporters for their efforts and their practice of responsible disclosure, as well as their help while investigating the report and coordinating public disclosure.
> >>
> >> [1] https://struts.apache.org/announce.html#a20200813
> >> [2] https://cwiki.apache.org/confluence/display/ww/s2-059
> >> [3] https://cwiki.apache.org/confluence/display/ww/s2-060
> >> [4] https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions
> >> [5] https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22
> >> [6] https://struts.apache.org/download.cgi#struts-ga
> >>
> >> --
> >> René Gielen
> >> http://twitter.com/rgielen
> >>
>
> --
> René Gielen
> http://twitter.com/rgielen
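As an added example, not part of this thread or of the Struts project, the following Python lint implements the check that the bulletin's advice [4] implies: it scans JSP text for Struts <s:...> tag attributes that use %{...} forced evaluation and flags the ones that read request data directly, so each remaining hit can be reviewed for its source. The sample JSP fragment and the list of request-reading OGNL roots are constructed assumptions for the example.

```python
"""Lint for %{...} forced OGNL evaluation in Struts 2 tag attributes.

Added example (not from the mailing-list thread): every %{...} found in an
<s:...> tag attribute is reported; hits whose expression reads request
data through a known OGNL root are marked so reviewers can triage first.
"""
import re

# <s:tagname ...attributes...>, including self-closing tags; closing
# tags (</s:a>) do not match because '/' follows '<'.
TAG_RE = re.compile(r"<s:(\w+)\b([^>]*)>", re.DOTALL)
# attr="value" or attr='value' inside the tag body.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
# %{ ... } forced evaluation inside an attribute value.
OGNL_RE = re.compile(r"%\{([^}]*)\}")
# OGNL roots that expose request data directly (assumed list for this lint).
REQUEST_ROOTS = ("#parameters", "#request", "#session", "#application")


def find_forced_evaluations(jsp_text):
    """Return (line, tag, attribute, expression, reads_request) findings."""
    findings = []
    for m in TAG_RE.finditer(jsp_text):
        tag, attrs = m.group(1), m.group(2)
        line = jsp_text.count("\n", 0, m.start()) + 1
        for a in ATTR_RE.finditer(attrs):
            name = a.group(1)
            value = a.group(2) if a.group(2) is not None else a.group(3)
            for e in OGNL_RE.finditer(value):
                expr = e.group(1).strip()
                reads_request = any(r in expr for r in REQUEST_ROOTS)
                findings.append((line, tag, name, expr, reads_request))
    return findings


# Constructed JSP fragment used as lint input (not from the thread).
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="search">
  <s:textfield name="query" value="%{query}"/>
  <s:a id="%{#parameters.tab[0]}" href="/tabs">tab</s:a>
  <s:property value="query"/>
</s:form>
"""

if __name__ == "__main__":
    for line, tag, attr, expr, req in find_forced_evaluations(SAMPLE_JSP):
        verdict = "reads request data" if req else "check where the value comes from"
        print(f'line {line}: <s:{tag} {attr}="%{{{expr}}}"> -> {verdict}')
```

The <s:property value="query"/> line is not reported because its attribute is a plain OGNL value with no %{...} wrapper; only forced-evaluation syntax is flagged.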