Author: lukaszlenart
Date: Mon Jun 20 05:26:00 2016
New Revision: 991019
Log:
Updates production
Modified:
websites/production/struts/content/docs/s2-036.html
websites/production/struts/content/docs/s2-037.html
websites/production/struts/content/docs/s2-038.html
websites/production/struts/content/docs/s2-039.html
websites/production/struts/content/docs/s2-040.html
Modified: websites/production/struts/content/docs/s2-036.html
==============================================================================
--- websites/production/struts/content/docs/s2-036.html (original)
+++ websites/production/struts/content/docs/s2-036.html Mon Jun 20 05:26:00 2016
@@ -125,7 +125,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2
id="S2-036-Summary">Summary</h2>Forced double OGNL evaluation, when evaluated
on raw user input in tag attributes, may lead to remote code execution (similar
to S2-029)<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read
this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2
developers and users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution
vulnerability</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Always validate incoming parameters' values
when r
e-assigning them to certain Struts' tags attributes.</p><p>Don't use %{...}
syntax in tag attributes other than <em>value</em> unless you have a valid
use-case.</p><p>Alternatively upgrade to <a shape="rect"
href="version-notes-2328.html">Struts 2.3.29</a> or <a shape="rect"
href="version-notes-251.html">Struts 2.5.1</a></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts<span style="color:
rgb(23,35,59);"> 2.3.28.1</span></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Reporters</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><span
class="Apple-tab-span"><span>Alvaro</span> </span>Munoz alvaro dot munoz
at hpe.com</td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE
Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span
style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></ta
ble></div><h2 id="S2-036-Problem">Problem</h2><p>The same issue was reported
in <a shape="rect" href="s2-029.html">S2-029</a> but the proposed solutions
were not fully proper. The Apache Struts frameworks when forced, performs
double evaluation of attributes' values assigned to certain tags so it is
possible to pass in a value that will be evaluated again when a tag's
attributes will be rendered.</p><h2 id="S2-036-Solution">Solution</h2><p>Adding
a proper validation of each value that's coming in and it's used in tag's
attributes.</p><p>Don't use forced evaluation of an attribute other than
<em>value</em> using %{...} syntax unless really needed for a valid
use-case. </p><p>By <span style="line-height: 1.42857;">upgrading to
Struts 2.3.29 or 2.5.1, possible malicious effects of forced double evaluation
are limited.</span></p><h2 id="S2-036-Backwardcompatibility">Backward
compatibility</h2><p>Some backward incompatibility issues are expected when
upgrading to Stru
ts 2.3.28 - it can happen that some OGNL expressions stop working because of
performing disallowed arithmetic operations and assigments.</p><h2
id="S2-036-Workaround">Workaround</h2><p>Not possible as this fix requires
changes in OGNL and how Struts uses OGNL in certain
aspects.</p><p> </p></div>
+ <div id="ConfluenceContent"><h2
id="S2-036-Summary">Summary</h2>Forced double OGNL evaluation, when evaluated
on raw user input in tag attributes, may lead to remote code execution (similar
to S2-029)<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read
this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2
developers and users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution
vulnerability</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Always validate incoming parameters' values
when r
e-assigning them to certain Struts' tags attributes.</p><p>Don't use %{...}
syntax in tag attributes other than <em>value</em> unless you have a valid
use-case.</p><p>Alternatively upgrade to <a shape="rect"
href="version-notes-2328.html">Struts 2.3.29</a> or <a shape="rect"
href="version-notes-251.html">Struts 2.5.1</a></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts<span style="color:
rgb(23,35,59);"> 2.3.28.1</span></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Reporters</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><span
class="Apple-tab-span"><span>Alvaro</span> </span>Munoz alvaro dot munoz
at hpe.com</td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE
Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span
style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></ta
ble></div><h2 id="S2-036-Problem">Problem</h2><p>The same issue was reported
in <a shape="rect" href="s2-029.html">S2-029</a> but the proposed solutions
were not fully proper. The Apache Struts frameworks when forced, performs
double evaluation of attributes' values assigned to certain tags so it is
possible to pass in a value that will be evaluated again when a tag's
attributes will be rendered.</p><h2 id="S2-036-Solution">Solution</h2><p>Adding
a proper validation of each value that's coming in and it's used in tag's
attributes.</p><p>Don't use forced evaluation of an attribute other than
<em>value</em> using %{...} syntax unless really needed for a valid
use-case. </p><p>By <span style="line-height: 1.42857;">upgrading to
Struts 2.3.29 or 2.5.1, possible malicious effects of forced double evaluation
are limited.</span></p><h2 id="S2-036-Backwardcompatibility">Backward
compatibility</h2><p>Some backward incompatibility issues are expected when
upgrading to Stru
ts 2.3.29 - it can happen that some OGNL expressions stop working because of
performing disallowed arithmetic operations and assigments.</p><h2
id="S2-036-Workaround">Workaround</h2><p>Not possible as this fix requires
changes in OGNL and how Struts uses OGNL in certain
aspects.</p><p> </p></div>
</div>
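Review bot: the Recommendation cell in the + block still pairs the 2.3.29 release text with the 2.3.28 notes page, `href="version-notes-2328.html">Struts 2.3.29</a>`; the other four advisories in this commit link to version-notes-2329.html, so this one should too. The Backward compatibility sentence now names 2.3.29, matching the Solution and the Affected Software ceiling of 2.3.28.1, but "assigments" in that same sentence is still misspelled in the + lines (the S2-038, S2-039 and S2-040 pages already spell it "assignments").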
Modified: websites/production/struts/content/docs/s2-037.html
==============================================================================
--- websites/production/struts/content/docs/s2-037.html (original)
+++ websites/production/struts/content/docs/s2-037.html Mon Jun 20 05:26:00 2016
@@ -125,7 +125,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2
id="S2-037-Summary">Summary</h2>Remote Code Execution can be performed when
using REST Plugin.<div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Who should read this</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and
users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible Remote Code
Execution</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Upgrade to<span> </span><a
shape="rect" href="version-notes-2329.html">Struts
2.3.29</a>.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.28.1</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Chao Jack <span style="color:
rgb(34,34,34);">PKAV_香草</span> jc1990999 at yahoo dot
com</p><p>Shinsaku Nomura nomura at bitforest dot jp</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td
colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2016-4438</p></td></tr></tbody></table></div><h2
id="S2-037-Problem">Problem</h2><p>It is possible to pass a malicious
expression which can be used to execute arbitrary code on server side when
using the REST Plugin.</p><h2 id="S2-037-Solution">Solution</h2><p>Upgrade to
Apache Struts version 2.3.29.</p><h2 id="S2-037-Backwardcompatibility">Backward
compatibility</h2><p>Som
e backward incompatibility issues are expected when upgrading to Struts 2.3.28
- it can happen that some OGNL expressions stop working because of performing
disallowed arithmetic operations and assigments.</p><h2
id="S2-037-Workaround">Workaround</h2><p>Not possible as this fix requires
changes in OGNL and how Struts uses OGNL in certain aspects.</p></div>
+ <div id="ConfluenceContent"><h2
id="S2-037-Summary">Summary</h2>Remote Code Execution can be performed when
using REST Plugin.<div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Who should read this</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and
users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible Remote Code
Execution</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Upgrade to<span> </span><a
shape="rect" href="version-notes-2329.html">Struts
2.3.29</a>.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.28.1</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Chao Jack <span style="color:
rgb(34,34,34);">PKAV_香草</span> jc1990999 at yahoo dot
com</p><p>Shinsaku Nomura nomura at bitforest dot jp</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td
colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2016-4438</p></td></tr></tbody></table></div><h2
id="S2-037-Problem">Problem</h2><p>It is possible to pass a malicious
expression which can be used to execute arbitrary code on server side when
using the REST Plugin.</p><h2 id="S2-037-Solution">Solution</h2><p>Upgrade to
Apache Struts version 2.3.29.</p><h2 id="S2-037-Backwardcompatibility">Backward
compatibility</h2><p>Som
e backward incompatibility issues are expected when upgrading to Struts 2.3.29
- it can happen that some OGNL expressions stop working because of performing
disallowed arithmetic operations and assigments.</p><h2
id="S2-037-Workaround">Workaround</h2><p>Not possible as this fix requires
changes in OGNL and how Struts uses OGNL in certain aspects.</p></div>
</div>
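Review bot: the Affected Software cell reads "Struts 2.3.20 - Struts Struts 2.3.28.1" in both the - and + lines, so the duplicated word survives this edit; dropping the first "Struts" before the span would fix it. The version change to 2.3.29 in Backward compatibility is consistent with the Solution paragraph above it, but "assigments" is still misspelled in the + block.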
Modified: websites/production/struts/content/docs/s2-038.html
==============================================================================
--- websites/production/struts/content/docs/s2-038.html (original)
+++ websites/production/struts/content/docs/s2-038.html Mon Jun 20 05:26:00 2016
@@ -138,7 +138,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2 id="S2-038-Summary">Summary</h2>It
is possible to bypass token validation and perform a CSRF attack<div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and
users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible CSRF attack</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security
rating</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Upgrade to<span> </span><a shape="rect"
href="version-notes-2329.html">Struts 2.3.29</a>.</p></td></tr><tr><th
colspan="1" rowspan="1" cla
ss="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.28.1</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Takeshi Terada websec02 dot g02 at
gmail.com</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2016-4430</p></td></tr></tbody></table></div><h2
id="S2-038-Problem">Problem</h2><p>It is possible to pass a malicious
expression which can be used to bypass token validation and perform CSRF
attack.</p><h2 id="S2-038-Solution">Solution</h2><p>Upgrade to Apache Struts
version 2.3.29.</p><h2 id="S2-038-Backwardcompatibility">Backward
compatibility</h2><p>Some backward incompatibility issues are expected when
upgrading to Struts 2.3.28 - it can happen that some OGNL expressions stop
working because of performing disallowed arithmetic operations and
assignments.</p><h2 id="S2-038-Workaround">Workaround</h2><p>You can try to use
more restrictive RegEx used to clean up action names as below:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
+ <div id="ConfluenceContent"><h2 id="S2-038-Summary">Summary</h2>It
is possible to bypass token validation and perform a CSRF attack<div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and
users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible CSRF attack</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security
rating</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Upgrade to<span> </span><a shape="rect"
href="version-notes-2329.html">Struts 2.3.29</a>.</p></td></tr><tr><th
colspan="1" rowspan="1" cla
ss="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.28.1</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Takeshi Terada websec02 dot g02 at
gmail.com</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2016-4430</p></td></tr></tbody></table></div><h2
id="S2-038-Problem">Problem</h2><p>It is possible to pass a malicious
expression which can be used to bypass token validation and perform CSRF
attack.</p><h2 id="S2-038-Solution">Solution</h2><p>Upgrade to Apache Struts
version 2.3.29.</p><h2 id="S2-038-Backwardcompatibility">Backward
compatibility</h2><p>Some backward incompatibility issues are expected when
upgrading to Struts 2.3.29 - it can happen that some OGNL expressions stop
working because of performing disallowed arithmetic operations and
assignments.</p><h2 id="S2-038-Workaround">Workaround</h2><p>You can try to use
more restrictive RegEx used to clean up action names as below:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><constant name="struts.allowed.action.names"
value="[a-zA-Z]*" /></pre>
</div></div><p>Please adjust the RegEx to your action naming pattern, it
should be as narrowed as possible.</p></div>
</div>
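Review bot: the workaround regex in the unchanged context, `<constant name="struts.allowed.action.names" value="[a-zA-Z]*" />`, also matches an empty action name because of the `*`; since the paragraph below asks readers to narrow the pattern as far as possible, the advisory could show `[a-zA-Z]+` (or the real naming pattern) as the example. The duplicated "Struts Struts 2.3.28.1" in the Affected Software cell is also still present in the + lines.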
Modified: websites/production/struts/content/docs/s2-039.html
==============================================================================
--- websites/production/struts/content/docs/s2-039.html (original)
+++ websites/production/struts/content/docs/s2-039.html Mon Jun 20 05:26:00 2016
@@ -138,7 +138,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2
id="S2-039-Summary">Summary</h2>Getter as action method leads to security
bypass<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read
this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2
developers and users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible manipulation of return result and
bypassing validation</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Upgrade to<span> </span><a
shape="rect" href="version-notes-2329.html">Struts
2.3.29</a>.</p></td></tr><tr><th col
span="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span
style="color: rgb(23,35,59);">Struts 2.3.28.1</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Takeshi Terada websec02 dot g02
at gmail.com</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2016-4433</p></td></tr></tbody></table></div><h2
id="S2-039-Problem">Problem</h2><p>It is possible to pass a crafted request
which can be used to bypass internal security mechanism and manipulate return
string which can leads to redirecting user to unvalidated location.</p><h2
id="S2-039-Solution">Solution</h2><p>Upgrade to Apache Struts version
2.3.29.</p><h2 id="S2-039-Backwardcompatibility">Backward
compatibility</h2><p>Some backward incompatibility issu
es are expected when upgrading to Struts 2.3.28 - it can happen that some OGNL
expressions stop working because of performing disallowed arithmetic operations
and assignments.</p><h2 id="S2-039-Workaround">Workaround</h2><p>You can try to
use more restrictive RegEx used to clean up action names as below:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
+ <div id="ConfluenceContent"><h2
id="S2-039-Summary">Summary</h2>Getter as action method leads to security
bypass<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read
this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2
developers and users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible manipulation of return result and
bypassing validation</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Upgrade to<span> </span><a
shape="rect" href="version-notes-2329.html">Struts
2.3.29</a>.</p></td></tr><tr><th col
span="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span
style="color: rgb(23,35,59);">Struts 2.3.28.1</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Takeshi Terada websec02 dot g02
at gmail.com</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2016-4433</p></td></tr></tbody></table></div><h2
id="S2-039-Problem">Problem</h2><p>It is possible to pass a crafted request
which can be used to bypass internal security mechanism and manipulate return
string which can leads to redirecting user to unvalidated location.</p><h2
id="S2-039-Solution">Solution</h2><p>Upgrade to Apache Struts version
2.3.29.</p><h2 id="S2-039-Backwardcompatibility">Backward
compatibility</h2><p>Some backward incompatibility issu
es are expected when upgrading to Struts 2.3.29 - it can happen that some OGNL
expressions stop working because of performing disallowed arithmetic operations
and assignments.</p><h2 id="S2-039-Workaround">Workaround</h2><p>You can try to
use more restrictive RegEx used to clean up action names as below:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><constant name="struts.allowed.action.names"
value="[a-zA-Z]*" /></pre>
</div></div><p>Please adjust the RegEx to your action naming pattern, it
should be as narrowed as possible.</p></div>
</div>
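Review bot: the Problem paragraph in the + block keeps the grammatical slip "which can leads to redirecting user to unvalidated location" (should be "which can lead to redirecting the user to an unvalidated location"), and the Affected Software cell still reads "Struts 2.3.20 - Struts Struts 2.3.28.1". Only the 2.3.28 to 2.3.29 change in Backward compatibility was applied, so these remain on the published page.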
Modified: websites/production/struts/content/docs/s2-040.html
==============================================================================
--- websites/production/struts/content/docs/s2-040.html (original)
+++ websites/production/struts/content/docs/s2-040.html Mon Jun 20 05:26:00 2016
@@ -138,7 +138,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2
id="S2-040-Summary">Summary</h2>Input validation bypass using existing default
action method.<div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Who should read this</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and
users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible manipulation of return result and
bypassing validation</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Upgrade to<span> </span><a
shape="rect" href="version-notes-2329.html">Struts 2.3.29</a>.</p></td></t
r><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected
Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts
2.3.20 - Struts <span style="color: rgb(23,35,59);">Struts
2.3.28.1</span></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Takeshi Terada websec02 dot g02 at
gmail.com</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2016-4431</p></td></tr></tbody></table></div><h2
id="S2-040-Problem">Problem</h2><p>Using existing default method it can be
possible to bypass internal security mechanism and manipulate return string
which can leads to redirecting user to unvalidated location.</p><h2
id="S2-040-Solution">Solution</h2><p>Upgrade to Apache Struts version
2.3.29.</p><h2 id="S2-040-Backwardcompatibility">Backward
compatibility</h2><p>Some backward incompatibility i
ssues are expected when upgrading to Struts 2.3.28 - it can happen that some
OGNL expressions stop working because of performing disallowed arithmetic
operations and assignments.</p><h2 id="S2-040-Workaround">Workaround</h2><p>You
can try to use more restrictive RegEx used to clean up action names as
below:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
+ <div id="ConfluenceContent"><h2
id="S2-040-Summary">Summary</h2>Input validation bypass using existing default
action method.<div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Who should read this</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and
users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible manipulation of return result and
bypassing validation</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Upgrade to<span> </span><a
shape="rect" href="version-notes-2329.html">Struts 2.3.29</a>.</p></td></t
r><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected
Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts
2.3.20 - Struts <span style="color: rgb(23,35,59);">Struts
2.3.28.1</span></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Takeshi Terada websec02 dot g02 at
gmail.com</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2016-4431</p></td></tr></tbody></table></div><h2
id="S2-040-Problem">Problem</h2><p>Using existing default method it can be
possible to bypass internal security mechanism and manipulate return string
which can leads to redirecting user to unvalidated location.</p><h2
id="S2-040-Solution">Solution</h2><p>Upgrade to Apache Struts version
2.3.29.</p><h2 id="S2-040-Backwardcompatibility">Backward
compatibility</h2><p>Some backward incompatibility i
ssues are expected when upgrading to Struts 2.3.29 - it can happen that some
OGNL expressions stop working because of performing disallowed arithmetic
operations and assignments.</p><h2 id="S2-040-Workaround">Workaround</h2><p>You
can try to use more restrictive RegEx used to clean up action names as
below:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><constant name="struts.allowed.action.names"
value="[a-zA-Z]*" /></pre>
</div></div><p>Please adjust the RegEx to your action naming pattern, it
should be as narrowed as possible.</p></div>
</div>
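Review bot: the Problem paragraph in the + block reads "Using existing default method it can be possible to bypass internal security mechanism and manipulate return string which can leads to ..."; it needs articles and "lead" ("Using an existing default method it can be possible to bypass the internal security mechanism and manipulate the return string, which can lead to ..."). The "Struts Struts 2.3.28.1" duplication in Affected Software is likewise carried over unchanged, while the Backward compatibility version is now correctly 2.3.29.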