MySQL Enterprise Monitor < 2.3.14 Apache Struts Multiple Vulnerabilities

Critical Nessus Plugin ID 83292

Synopsis

A web application running on the remote host is affected by multiple vulnerabilities.

Description

According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the multiple vulnerabilities in the bundled version of Apache Struts :

- Input validation errors exist that allows the execution of arbitrary Object-Graph Navigation Language (OGNL) expressions via specially crafted parameters to the DefaultActionMapper. (CVE-2013-2251)

- Multiple unspecified vulnerabilities exist related to dynamic method invocation being enabled by default.
(CVE-2013-4316)

Solution

Upgrade to MySQL Enterprise Monitor 2.3.14 or later.

See Also

http://www.nessus.org/u?17c46362

http://www.nessus.org/u?ac29c174

https://struts.apache.org/docs/s2-016.html

https://struts.apache.org/docs/s2-019.html

Plugin Details

Severity: Critical

ID: 83292

File Name: mysql_enterprise_monitor_2_3_14.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 2015/05/08

Updated: 2019/11/22

Dependencies: 46815

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:mysql:enterprise_monitor, cpe:/a:apache:struts

Required KB Items: installed_sw/MySQL Enterprise Monitor

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2013/09/09

Vulnerability Publication Date: 2013/07/16

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution)

Elliot (Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux)

Reference Information

CVE: CVE-2013-2251, CVE-2013-4316

BID: 61189, 62587

EDB-ID: 27135