Apache Struts 2 / XWork Remote Code Execution (safe check)

critical Nessus Plugin ID 47900

Synopsis

A remote web application uses a framework that is affected by a code execution vulnerability.

Description

The remote web application appears to use Struts 2, a web framework that uses XWork. Due to a vulnerability in XWork, it is possible to disable settings designed to prevent remote code execution.

A remote attacker can exploit this by submitting an HTTP request containing specially crafted OGNL statements, resulting in the execution of arbitrary Java code.

Note that versions of Apache Archiva include Struts and may be affected.

Solution

Upgrade to Struts 2.2.1 or later.

Alternatively, upgrade to Archiva 1.3.6 or later if using that product.

See Also

http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

http://struts.apache.org/docs/s2-005.html

http://archiva.apache.org/docs/1.3.6/release-notes.html

Plugin Details

Severity: Critical

ID: 47900

File Name: struts_xwork_ognl_code_execution_safe.nasl

Version: 1.34

Type: remote

Family: CGI abuses

Published: 7/29/2010

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: NVD scores this vulnerability at 5.0, but the Tenable research team disagrees with that finding and set it to 10.0 instead.

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2010-1870

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:struts

Required KB Items: Settings/ParanoidReport

Exploit Ease: No exploit is required

Patch Publication Date: 8/16/2010

Vulnerability Publication Date: 7/9/2010

Exploitable With

CANVAS (White_Phosphorus)

Core Impact

Metasploit (Apache Struts Remote Command Execution)

Elliot (Apache-Struts < 2.2.0 RCE Linux)

Reference Information

CVE: CVE-2010-1870

BID: 41592

SECUNIA: 40558, 40575