Apache Struts 2.x < 2.3.29 Multiple Vulnerabilities

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains a web application that uses a Java
framework that is affected by multiple vulnerabilities.

Description :

The version of Apache Struts running on the remote Windows host is 2.x
prior to 2.3.29. It is, therefore, affected by the following
vulnerabilities :

- A remote code execution vulnerability exists due to
erroneously performing double OGNL evaluation of
attribute values assigned to certain tags. An
unauthenticated, remote attacker can exploit this, via a
specially crafted request, to execute arbitrary code.
(CVE-2016-0785)

- A cross-site request forgery (XSRF) vulnerability exists
due to improper validation of session tokens. An
unauthenticated, remote attacker can exploit this, via a
malicious OGNL expression, to bypass token validation
and perform an XSRF attack. (CVE-2016-4430)

- Multiple input validation issues exist that allow
internal security mechanisms to be bypassed, allowing
the manipulation of a return string which can be used to
redirect users to a malicious website. This affects both
the default action method and the 'getter' action method.
(CVE-2016-4431, CVE-2016-4433)

- An unspecified flaw exists that is triggered during the
cleanup of action names. An unauthenticated, remote
attacker can exploit this, via a specially crafted
payload, to perform unspecified actions. (CVE-2016-4436)

- A remote code execution vulnerability exists in the REST
plugin due to improper handling of OGNL expressions. An
unauthenticated, remote attacker can exploit this, via
a specially crafted OGNL expression, to execute
arbitrary code. (CVE-2016-4438)

- A denial of service vulnerability exists in URLValidator
due to improper handling of form fields. An
unauthenticated, remote attacker can exploit this, via a
crafted URL, to overload the server when performing
validation on the URL. (CVE-2016-4465)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
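The following is an added example, not Tenable's plugin code, of the kind of version-based check described above: it derives the Struts version from struts2-core jar filenames (an assumed detection source; the plugin's actual method is not described on this page), then flags 2.x releases older than 2.3.29. The jar names are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Fixed release named in the advisory; 2.x releases below it are affected.
FIXED_VERSION = "2.3.29"

# Constructed sample of jar filenames as they might appear under a web
# application's WEB-INF/lib directory (illustrative, not real scan output).
SAMPLE_JARS = [
    "struts2-core-2.3.28.jar",
    "struts2-core-2.3.29.jar",
    "struts2-core-2.5.2.jar",
    "struts2-core-2.3.28.1.jar",
    "commons-lang3-3.4.jar",
]

# Assumed naming convention for the Struts 2 core jar.
_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.28.1' into (2, 3, 28, 1) so versions compare as tuples."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", version):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True when version is a 2.x release older than 2.3.29.

    Tuple comparison handles four-component builds such as 2.3.28.1
    (less than 2.3.29) and short strings such as '2.3' (also older).
    """
    v = parse_version(version)
    return v[0] == 2 and v < parse_version(FIXED_VERSION)


def struts_version_from_jar(filename: str) -> Optional[str]:
    """Extract the version from a struts2-core jar name, or None if not one."""
    match = _JAR_RE.match(filename)
    return match.group(1) if match else None


def scan_jar_names(jar_names: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (filename, version, affected) for every struts2-core jar found."""
    findings = []
    for name in jar_names:
        version = struts_version_from_jar(name)
        if version is None:
            continue  # not a Struts core jar; ignore
        findings.append((name, version, is_affected(version)))
    return findings


if __name__ == "__main__":
    for name, version, affected in scan_jar_names(SAMPLE_JARS):
        status = "AFFECTED" if affected else "ok"
        print(f"{name}: Struts {version} -> {status}")
```

Because the check reads only the self-reported version, a host patched by a vendor backport that left the jar name unchanged would still be flagged, and a renamed jar would be missed; that is the same limitation the note above acknowledges for the plugin itself.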

See also :

https://struts.apache.org/docs/s2-035.html
https://struts.apache.org/docs/s2-036.html
https://struts.apache.org/docs/s2-037.html
https://struts.apache.org/docs/s2-038.html
https://struts.apache.org/docs/s2-039.html
https://struts.apache.org/docs/s2-040.html
https://struts.apache.org/docs/s2-041.html
http://struts.apache.org/docs/version-notes-2329.html

Solution :

Upgrade to Apache Struts version 2.3.29 or later. Alternatively,
apply the workarounds referenced in the vendor advisory.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
