Virsec Security Research Lab Vulnerability Report
The Virsec Security Research Lab, helmed by Virsec CTO, Satya Gupta, provides timely, relevant analysis about prevalent security vulnerabilities.
1.1 Vulnerability Summary
In Apache Struts 2.0.0 to 2.5.20, forced double OGNL evaluation of raw user input in tag attributes may lead to remote code execution. When forced, the Apache Struts framework performs double evaluation of the values assigned to certain tag attributes such as “id”, so it is possible to pass in a value that will be evaluated again when the tag’s attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when the expression to evaluate references raw, unvalidated input that an attacker can directly modify by crafting a corresponding request.
As per Red Hat, if an attacker crafts a malicious request, they can cause an RCE. The largest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
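The precondition described above (forced `%{...}` evaluation in a tag attribute whose expression reads request-controlled data) can be audited statically in JSP templates. The following is an added example, not code from Virsec or Apache; the `s:` taglib prefix, the `audit_jsp` function, its `request_bound` parameter and the sample JSP are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple

# Struts tag with quoted attributes. The "s:" taglib prefix is an assumption.
TAG = re.compile(r"""<s:([\w-]+)((?:\s+[\w:-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*/?>""")
ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
FORCED = re.compile(r"%\{(.*?)\}", re.S)    # forced OGNL evaluation: %{...}
LITERAL = re.compile(r"""(['"]).*?\1""")     # quoted string literals inside OGNL
IDENT = re.compile(r"\b[A-Za-z_]\w*")
KEYWORDS = {"true", "false", "null"}

class Finding(NamedTuple):
    line: int
    tag: str
    attr: str
    expr: str
    risk: str  # "high": reads request-bound data; "review": reads another property

def audit_jsp(text, request_bound=()):
    """List tag attributes that force OGNL evaluation of a value-stack property.

    request_bound (hypothetical parameter): property names the reviewer knows
    are filled straight from request parameters, i.e. raw unvalidated input.
    """
    findings = []
    for tag in TAG.finditer(text):
        line = text.count("\n", 0, tag.start()) + 1
        for attr in ATTR.finditer(tag.group(2)):
            value = attr.group(2) if attr.group(2) is not None else attr.group(3)
            for forced in FORCED.finditer(value):
                expr = forced.group(1).strip()
                names = set(IDENT.findall(LITERAL.sub("", expr))) - KEYWORDS
                if not names:       # constant expression: nothing to re-evaluate
                    continue
                direct = "#parameters" in expr or names & set(request_bound)
                findings.append(Finding(line, tag.group(1), attr.group(1), expr,
                                        "high" if direct else "review"))
    return findings

# Constructed sample template (not taken from a real application).
SAMPLE = """\
<s:url var="url" namespace="/employee" action="list"/>
<s:a id="%{skillName}" href="%{url}">List available Employees</s:a>
<s:textfield name="title" label="%{'Title'}"/>
<s:property value="skillName"/>
"""

if __name__ == "__main__":
    for f in audit_jsp(SAMPLE, request_bound={"skillName"}):
        print(f"line {f.line}: <s:{f.tag}> {f.attr}=%{{{f.expr}}} [{f.risk}]")
```

A "high" finding is a template to fix first, by validating the property before it reaches the tag or by dropping the forced `%{...}` syntax on that attribute; "review" findings still need a check of where the property is populated.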
1.2 CVSS Score
The CVSS Base Score is 9.8 (Critical)
1.3 Affected Version
Apache Struts 2.0.0 to 2.5.20.
1.4 Vulnerability Attribution
As per Apache, this exploit has been discovered by Matthias Kaiser from Apple Information Security.
1.5 Risk Impact
Apache Struts is a free, open-source MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON. Apache Struts is a tool in the Frameworks (Full Stack) category and, as per StackShare, a lot of companies use it in their tech stack.
After the Equifax breach, a survey by a famous security magazine found that 65 of the Fortune Global 100 have downloaded vulnerable versions of Struts; it is a popular framework. Exploits for this vulnerability are publicly available.
1.6 Virsec Security Platform (VSP) Support:
VSP-Host monitors spawned processes that are not part of a set of whitelisted processes. Any attempt to execute a new command or unknown binary would be denied by VSP-Host’s Process Monitoring capability.
1.7 Reference Links:
- https://cwiki.apache.org/confluence/display/ww/s2-059
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0230
- https://github.com/PrinceFPF/CVE-2019-0230/blob/master/CVE-2019-0230.sh
The post CVE-2019-0230: Apache struts 2.0.0 to 2.5.20: possible RCE due to forced double OGNL evaluation appeared first on Virsec Systems.
*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Satya Gupta. Read the original post at: https://virsec.com/cve-2019-0230-apache-struts-2-0-0-to-2-5-20-possible-rce-due-to-forced-double-ognl-evaluation/

