In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.

The version of Oracle WebLogic Server installed on the remote host is affected by multiple Apache Struts 2 vulnerabilities.  One of the following vulnerabilities was detected on the asset:

  - CVE-2017-5638: The Jakarta Multipart parser in Apache Struts 2,   specifically 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
  - CVE-2017-7672: Apache Struts version < 2.5.12
  - CVE-2017-9787: Apache Struts version < 2.5.12 or < 2.3.33
  - CVE-2017-9791: Struts 1 plugin in Apache Struts 2.3.x
  - CVE-2017-9793: Apache Struts < 2.3.7 - 2.3.33 & < 2.5 - 2.5.12
  - CVE-2017-9804: Apache Struts 2.3.7 -2.3.33 & 2.5 - 2.5.12
  - CVE-2017-12611: Apache Struts 2.0.1 - 2.3.33 & 2.5 - 2.5.10

The version of Apache Struts running on the remote host is 2.1.x subsequent or equal to 2.1.2, 2.2.x, 2.3.x prior to 2.3.34, or 2.5.x prior to 2.5.13. It is, therefore, affected by multiple vulnerabilities:

  - A remote code execution vulnerability in the REST plugin. The     Struts REST plugin uses an XStreamHandler with an instance of     XStream for deserialization and does not perform any type     filtering when deserializing XML payloads. This can allow an     unauthenticated, remote attacker to execute arbitrary code in the     context of the Struts REST plugin by sending a specially crafted     XML payload. (CVE-2017-9805)

  - A denial of service vulnerability in the XStream XML deserializer     in the XStreamHandler used by the REST plugin. (CVE-2017-9793)

  - A denial of service vulnerability when using URLValidator.
    (CVE-2017-9804)

  - A flaw exists related to 'freemarker' tags, expression literals,     'views/freemarker/FreemarkerManager.java', and forced     expressions that allows arbitrary code execution.
    (CVE-2017-12611)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
103663	Oracle WebLogic Server Multiple Vulnerabilities	Nessus	Misc.	critical
102960	Apache Struts 2.1.x >= 2.1.2 / 2.2.x / 2.3.x < 2.3.34 / 2.5.x < 2.5.13 Multiple Vulnerabilities (S2-050 - S2-053)	Nessus	Misc.	critical

Detections

Analytics

CVE-2017-9804

high

Tenable Plugins

critical

critical