Repository: struts-site
Updated Branches:
  refs/heads/asf-site 073acc782 -> 5474d2180

Updates exported docs

Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/5474d218
Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/5474d218
Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/5474d218

Branch: refs/heads/asf-site
Commit: 5474d2180b70e8c7db385c5ae8698a88da8bfa5b
Parents: 073acc7
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Mon Sep 11 07:55:51 2017 +0200
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Mon Sep 11 07:55:51 2017 +0200

----------------------------------------------------------------------
 content/docs/s2-053.html | 8 ++++++--
 content/docs/version-notes-2334.html | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/struts-site/blob/5474d218/content/docs/s2-053.html
----------------------------------------------------------------------
diff --git a/content/docs/s2-053.html b/content/docs/s2-053.html
index 53996f8..ab21108 100644
--- a/content/docs/s2-053.html
+++ b/content/docs/s2-053.html
@@ -141,8 +141,12 @@ under the License. <div class="wiki-content"> <div id="ConfluenceContent"><h2 id="S2-053-Summary">Summary</h2>A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>A RCE attack is possible when developer is using wrong construction in Freemarker tags</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Moderate</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape ="rect" href="version-notes-2512.html">Struts 2.5.12</a> or <a shape="rect" href="version-notes-2334.html">Struts 2.3.34</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span>Struts 2.0.1 -</span><span style="color: rgb(23,35,59);"> Struts 2.3.33, </span>Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span>Lupin <lupin1314 at gmail dot com> - </span><a shape="rect" class="external-link" href="http://jd.com/" rel="nofollow">jd.com</a><span> security team<br clear="none"></span></p><p>David Greene <david at trumpetx dot com></p><p>Roland McIntosh <struts at rgm dot nu></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"> <p>CVE-2017-12611</p></td></tr></tbody></table></div><h2 id="S2-053-Problem">Problem</h2><p>When using expression literals or forcing expression in Freemarker tags (see example below) and using request values can lead to RCE attack.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> <pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;"><@s.hidden name="redirectUri" value=redirectUri /> -<@s.hidden name="redirectUri" value="${redirectUri}" /></pre> -</div></div><p>In both cases a writable property is used in the <code>value</code> attribute and in both cases this is threatened as an expression by Freemarker.</p><p><span style="font-size: 20.0px;">Solution</span></p><p>Do not use such constructions in your code or use read-only properties to initialise the <code>value</code> attribute (property with getter only). You can upgrade to Apache Struts version 2.5.12 or 2.3.34 which contain more restricted Freemarker configuration but removing vulnerable constructions is preferable.</p><h2 id="S2-053-Backwardcompatibility">Backward compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 id="S2-053-Workaround">Workaround</h2><p>Inspect your code and remove vulnerable constructions.</p><p> </p></div> +<@s.hidden name="redirectUri" value="${redirectUri}" /> +<@s.hidden name="${redirectUri}"/></pre> +</div></div><p>In both cases a writable property is used in the <code>value</code> attribute and in both cases this is threatened as an expression by Freemarker. 
Please be aware that using Struts expression evaluation style is safe:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> +<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;"><@s.hidden name="redirectUri" value="%{redirectUri}" /> +<@s.hidden name="%{redirectUri}"/></pre> +</div></div><p><span style="font-size: 20.0px;">Solution</span></p><p>Do not use such constructions in your code or use read-only properties to initialise the <code>value</code> attribute (property with getter only). You can upgrade to Apache Struts version 2.5.12 or 2.3.34 which contain more restricted Freemarker configuration but removing vulnerable constructions is preferable.</p><h2 id="S2-053-Backwardcompatibility">Backward compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 id="S2-053-Workaround">Workaround</h2><p>Inspect your code and remove vulnerable constructions.</p><p> </p></div> </div> http://git-wip-us.apache.org/repos/asf/struts-site/blob/5474d218/content/docs/version-notes-2334.html ---------------------------------------------------------------------- diff --git a/content/docs/version-notes-2334.html b/content/docs/version-notes-2334.html index 83a32b5..aaff8da 100644 --- a/content/docs/version-notes-2334.html +++ b/content/docs/version-notes-2334.html 
@@ -156,7 +156,7 @@ under the License. <url>https://repository.apache.org/content/groups/staging/</url> </repository> </repositories></pre> -</div></div><h2 id="VersionNotes2.3.34-InternalChanges">Internal Changes</h2><ul><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2a2.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)"> A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047), see <a shape="rect" href="s2-050.html">S2-050</a></li><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2a2.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)"> A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin, see <a shape="rect" href="s2-051.html">S2-051</a></li><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2 a2.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)"> Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads, see <a shape="rect" href="s2-052.html">S2-052</a></li><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2a2.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)"> A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals, see <a shape="rect" href="s2-053.html">S2-053</a></li></ul><h3 id="VersionNotes2.3.34-Bug">Bug</h3><ul><li>[<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4176">WW-4176</a>] - Struts2 JSON Plugin: Send Map with Strings as Key to JSON 
Action is ignored, Numeric Keys will work and mapped</li><li>[<a shape="rect" class="external-li nk" href="https://issues.apache.org/jira/browse/WW-4817">WW-4817</a>] - Threads get blocked due to unnecessary synchronization in OgnlRuntime</li></ul><h3 id="VersionNotes2.3.34-Dependency">Dependency</h3><ul><li>[<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4832">WW-4832</a>] - Upgrade to OGNL 3.0.21</li><li>[<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4844">WW-4844</a>] - Upgrade to struts-master 11</li></ul><h3 id="VersionNotes2.3.34-Improvement">Improvement</h3><ul><li>[<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4834">WW-4834</a>] - Improve RegEx used to validate URLs</li></ul><p> </p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>This release contains fixes related to <a shape ="rect" href="s2-050.html">S2-050</a>, <a shape="rect" href="s2-051.html">S2-051</a>, <a shape="rect" href="s2-052.html">S2-052</a> and <a shape="rect" href="s2-053.html">S2-053</a> -<span> </span>please read them carefully!</p></div></div><h3 id="VersionNotes2.3.34-IssueDetail">Issue Detail</h3><ul><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12340265&projectId=12311041">JIRA Release Notes 2.3.33</a></li></ul><h3 id="VersionNotes2.3.34-IssueList">Issue List</h3><ul><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/issues/?filter=12341909">Struts 2.3.34 DONE</a></li><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/issues/?filter=12318399">Struts 2.3.x TODO</a></li></ul><h3 id="VersionNotes2.3.34-Otherresources">Other resources</h3><ul><li><a shape="rect" 
class="external-link" href="http://www.mail-archive.com/commits%40struts.apache.org/" rel="nofollo w">Commit Logs</a></li><li><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=struts.git;a=tree;h=refs/heads/develop;hb=develop">Source Code Repository</a></li></ul><div><span style="font-size: 24.0px;line-height: 30.0px;"><br clear="none"></span></div><div><span style="font-size: 24.0px;line-height: 30.0px;background-color: rgb(245,245,245);"><br clear="none"></span></div></div> +</div></div><h2 id="VersionNotes2.3.34-InternalChanges">Internal Changes</h2><ul><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2a2.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)"> A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047), see <a shape="rect" href="s2-050.html">S2-050</a></li><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2a2.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)"> A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin, see <a shape="rect" href="s2-051.html">S2-051</a></li><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2 a2.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)"> Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads, see <a shape="rect" href="s2-052.html">S2-052</a></li><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2a2.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)"> A possible Remote Code 
Execution attack when using an unintentional expression in Freemarker tag instead of string literals, see <a shape="rect" href="s2-053.html">S2-053</a></li></ul><h3 id="VersionNotes2.3.34-Bug">Bug</h3><ul><li>[<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4176">WW-4176</a>] - Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and mapped</li><li>[<a shape="rect" class="external-li nk" href="https://issues.apache.org/jira/browse/WW-4817">WW-4817</a>] - Threads get blocked due to unnecessary synchronization in OgnlRuntime</li></ul><h3 id="VersionNotes2.3.34-Dependency">Dependency</h3><ul><li>[<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4832">WW-4832</a>] - Upgrade to OGNL 3.0.21</li><li>[<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4844">WW-4844</a>] - Upgrade to struts-master 11</li></ul><h3 id="VersionNotes2.3.34-Improvement">Improvement</h3><ul><li>[<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4834">WW-4834</a>] - Improve RegEx used to validate URLs</li></ul><p> </p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>This release contains fixes related to <a shape ="rect" href="s2-050.html">S2-050</a>, <a shape="rect" href="s2-051.html">S2-051</a>, <a shape="rect" href="s2-052.html">S2-052</a> and <a shape="rect" href="s2-053.html">S2-053</a> -<span> </span>please read them carefully!</p></div></div><h3 id="VersionNotes2.3.34-IssueDetail">Issue Detail</h3><ul><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12341270&projectId=12311041">JIRA Release Notes 2.3.34</a></li></ul><h3 id="VersionNotes2.3.34-IssueList">Issue 
List</h3><ul><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/issues/?filter=12341909">Struts 2.3.34 DONE</a></li><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/issues/?filter=12318399">Struts 2.3.x TODO</a></li></ul><h3 id="VersionNotes2.3.34-Otherresources">Other resources</h3><ul><li><a shape="rect" class="external-link" href="http://www.mail-archive.com/commits%40struts.apache.org/" rel="nofollo w">Commit Logs</a></li><li><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=struts.git;a=tree;h=refs/heads/develop;hb=develop">Source Code Repository</a></li></ul><div><span style="font-size: 24.0px;line-height: 30.0px;"><br clear="none"></span></div><div><span style="font-size: 24.0px;line-height: 30.0px;background-color: rgb(245,245,245);"><br clear="none"></span></div></div> </div>
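Review bot: in content/docs/s2-053.html, the sentence after the first code panel still says "In both cases a writable property is used in the value attribute", but the panel now lists three constructions, and the added third one, <@s.hidden name="${redirectUri}"/>, places the expression in name rather than value. Reword it to cover both attributes (for example "In all these cases a writable property is used in the name or value attribute") and correct "threatened as an expression" to "treated as an expression" while the line is being touched. The Solution paragraph carried in the same added line also speaks only of initialising the value attribute, so it should mention name as well. The new statement that the %{...} style is safe would be easier to act on with one sentence saying why it differs from the ${...} form.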
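Review bot: the commit message "Updates exported docs" does not say what changed, and in content/docs/version-notes-2334.html the difference is hard to spot because a whole exported line is replaced: only the Issue Detail link differs, from version=12340265 labelled "JIRA Release Notes 2.3.33" to version=12341270 labelled "JIRA Release Notes 2.3.34". A message naming this link correction and the S2-053 advisory text change made in the same commit would make the history searchable. In the same line the Commit Logs link still uses http://www.mail-archive.com/... while the JIRA and source repository links beside it are https; consider switching it in the wiki source so the next export picks it up.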