
U-089:Apache Struts ParameterInterceptor() Flaw Lets Remote Users Execute Arbitrary Commands

January 26, 2012 - 6:45am


PROBLEM:

Apache Struts ParameterInterceptor() Flaw Lets Remote Users Execute Arbitrary Commands

PLATFORM:

Struts 2.0.0 - Struts 2.3.1.1

ABSTRACT:

A remote user can execute arbitrary code on the target system.

REFERENCE LINKS:

CVE-2011-3923
SecurityTracker Alert ID: 1026575
Apache Struts 2 Documentation S2-009
blog.o0o.nu

IMPACT ASSESSMENT:

High

Discussion:

A vulnerability was reported in Apache Struts. The vulnerability allows a malicious user to bypass all the protections built into the ParametersInterceptor (the accepted-parameter-name regex pattern and the deny-method-invocation setting), thus being able to inject a malicious expression into any exposed string variable for further evaluation. The injected code will run with the privileges of the target web service.
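Because the flaw is reached through request parameters whose names or values carry expression syntax, an operator can look for that shape in web-server access logs while the upgrade in S2-009 is being rolled out. The following is an added detection example written for this bulletin; it is not code from the advisory, from SecurityTracker or from the Struts project. It assumes Apache combined log format, constructs its own sample lines, and uses a parameter-name allow-list that is deliberately narrower than the one Struts itself accepted at the time (no parentheses, quotes or whitespace in names), so that anything expression-shaped is surfaced for review.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not taken from the advisory).
# Line 2 carries "%{...}" expression syntax in a parameter value; line 3 carries an
# expression-shaped parameter *name*, which is the kind of input S2-009 concerns.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2012:06:45:00 +0000] "GET /app/login.action?user=alice&page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Jan/2012:06:46:10 +0000] "GET /app/search.action?q=%25%7B1%2B1%7D HTTP/1.1" 200 812 "-" "curl/7.21"
10.0.0.9 - - [26/Jan/2012:06:47:30 +0000] "GET /app/view.action?%28%23x%3D1%29=1 HTTP/1.1" 200 77 "-" "python-requests"
10.0.0.9 - - [26/Jan/2012:06:48:00 +0000] "POST /app/view.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, timestamp, request line, status, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Parameter names a Struts action legitimately receives are property paths such as
# user.name or items[0].id. This allow-list is an assumption for the example and is
# narrower than Struts' own accepted-name pattern: no parentheses, quotes or spaces.
SAFE_NAME_RE = re.compile(r'^[A-Za-z0-9_]+(?:\[\d+\]|\.[A-Za-z0-9_]+)*$')

# Expression markers in a parameter value: %{...}, ${...}, #variable, @class@member.
VALUE_MARKER_RE = re.compile(r'%\{|\$\{|#|@')


def request_params(target):
    """Return decoded (name, value) pairs from the query string of a request target."""
    query = urlsplit(target).query
    return parse_qsl(query, keep_blank_values=True)


def inspect_params(params):
    """Return the reasons a parameter set looks like an expression-injection attempt."""
    reasons = []
    for name, value in params:
        if not SAFE_NAME_RE.match(name):
            reasons.append(f"expression-shaped parameter name {name!r}")
        if VALUE_MARKER_RE.search(value):
            reasons.append(f"expression syntax in value of {name!r}")
    return reasons


def scan_access_log(text):
    """Scan log text; return findings as dicts with line number, client, target, reasons."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        reasons = inspect_params(request_params(m.group("target")))
        if reasons:
            findings.append({"line": lineno, "client": m.group("client"),
                             "target": m.group("target"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['client']}: {'; '.join(f['reasons'])}")
```

Only GET query strings are visible in a standard access log; POST bodies (line 4 above) are not, so this check is a triage aid for hunting and for measuring exposure, not a substitute for the upgrade to 2.3.1.2 that the Solution section prescribes.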

Impact:

A remote user can execute arbitrary commands on the target system.

Solution:

Please follow recommendations outlined in S2-009 and upgrade to 2.3.1.2.
