-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2013-0064
Title: Apache Struts Security Update [3]
Version history: 09.08.2013 Initial publication

Summary
=======

A couple of vulnerabilities that have been detected in the Struts framework allow arbitrary code execution and open redirections. It is important to update the Struts version because we were informed that these vulnerabilities are being exploited in the wild.

CVE numbers: CVE-2013-2251
CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) [1]

CVE numbers: CVE-2013-2248
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) [2]

Vulnerable systems
==================

Struts 2.0.0 - Struts 2.3.15

Original Details
================

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server-side code. (CVE-2013-2251)

The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectAction:", followed by a desired redirect target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1 the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location. (CVE-2013-2248)

What can you do?
================

Developers should immediately upgrade to Struts 2.3.15.1 [4]

What to tell your users?
========================

N/A

More information
================

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2251
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2248
[3] http://struts.apache.org/development/2.x/docs/s2-017.html and s2-016.html
[4] http://struts.apache.org/download.cgi#struts2315

Best regards,

CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJSBLglAAoJEPpzpNLI8SVoRQ8P/1eP6JF18/bJqA7ZIwt2yyBk
e5zWONEi7vHr3jJqSQ47wjoWD0Mphtw2+bJbIFxT+5ZN5zay8P3eFK47+CJO9Y/M
hWf8KHlhtUc1P9QwIFvwJLgROuKP7UqTtFlrFNH1AWag6ix+X45afaLWsjBhrZy7
Je65xpCWl30SrMCglUHBSJtGz2DYyMHW3YLUiKDEEA8VhiW/A6CXLA9Jt3A+m+yu
HoCFLFKZsumiKU5icID0wopuYXO605WQOph/Jb84MTpoiIC0fc4TVqBME3LScbXa
KI4osb3cQvWIWkd7kfT0hpvKznbA+I2+kbIeRyaPEH6HeevkqHkb0i289SzzjjQW
ob1mBGuOg6NrAaE+ngg1G4W70PyOSicaaN2kQxXW0afRIKt3ih/xCOjCWziXPfWB
enZDfS7lo3AtqDoPGOFDfx6EsgsRqL9+zpXN6+N2H0lsTzFObuHFTiIAZOlRPSHu
FxHJsewaJUd5uFJbPaxU4A/vv9MkKkqcg1HbdzDMQDb8hO3TPNg+r7BWfd7V9Qbj
/YpevVvBIOuEFoy8REjq1UprOqNDAdiGWR9ZmPmy2wntMtnOCzFLaIhCXK/wxn7/
JzMgjat65GUTJntT5ZexKqsjjEwng5i5tX4w8g2ZsII5k7m47cB7MVF4vARVuUB+
GTJ96x1EDIDuFfbK7U4o
=h0n0
-----END PGP SIGNATURE-----
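The advisory's "Original Details" section explains that the DefaultActionMapper reads navigation targets from request parameters carrying the "action:", "redirect:" or "redirectAction:" prefixes and evaluates them as OGNL, and its "Vulnerable systems" section gives the affected version range. The following Python script is an added example, not part of the CERT-EU advisory or of Apache Struts, showing two checks a defender can run while the upgrade is rolled out: a version-range test against the advisory's stated range, and a scan of web-server access log lines (Apache/nginx common log format is assumed) that flags requests using those parameter prefixes and notes whether the target carries OGNL expression markers. The log lines, hosts and paths are constructed sample data.

```python
"""Added example (not the advisory's or the Struts project's code).

1. is_vulnerable_version(): is a Struts 2 version string inside the advisory's
   affected range (2.0.0 through 2.3.15, fixed in 2.3.15.1)?
2. scan_access_log(): flag access-log requests whose query string uses the
   "action:", "redirect:" or "redirectAction:" parameter prefixes, and record
   whether the value after the prefix contains OGNL expression markers.

Assumptions: common log format lines; the hosts, paths and requests below are
constructed sample data, not real traffic.
"""
import re
from urllib.parse import urlsplit, unquote

PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_MARKERS = ("${", "%{")          # OGNL expression delimiters

FIRST_AFFECTED = (2, 0, 0)           # from the advisory's "Vulnerable systems"
FIXED_VERSION = (2, 3, 15, 1)        # from the advisory's "What can you do?"

# Common log format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version):
    """'2.3.15' -> (2, 3, 15); '2.3.15.1' -> (2, 3, 15, 1)."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version):
    """True when the version lies in [2.0.0, 2.3.15.1). Tuple comparison handles
    the four-component fix release correctly: (2,3,15) < (2,3,15,1)."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_VERSION


def normalise(token, rounds=3):
    """URL-decode repeatedly (bounded) so a double-encoded prefix is still seen."""
    for _ in range(rounds):
        decoded = unquote(token)
        if decoded == token:
            break
        token = decoded
    return token


def find_prefixed_params(target):
    """Return (prefix, expression, has_ognl_markers) for every query-string token
    that starts with one of the navigation prefixes. Tokens are split on '&' only,
    not on '=', because the whole token is the parameter name Struts inspects."""
    hits = []
    for token in urlsplit(target).query.split("&"):
        decoded = normalise(token)
        for prefix in PREFIXES:
            if decoded.startswith(prefix):
                expr = decoded[len(prefix):]
                hits.append((prefix, expr, any(m in expr for m in OGNL_MARKERS)))
                break
    return hits


def scan_access_log(lines):
    """Return one finding dict per flagged request, in log order."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip
        for prefix, expr, ognl in find_prefixed_params(match.group("target")):
            findings.append({
                "host": match.group("host"),
                "time": match.group("ts"),
                "prefix": prefix,
                "expression": expr,
                "ognl_markers": ognl,
                "status": int(match.group("status")),
            })
    return findings


# Constructed sample log: one ordinary request, one legitimate-looking form
# redirect, and two requests whose navigation target is an OGNL expression
# (the second one double-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Aug/2013:10:01:02 +0200] "GET /app/login.action HTTP/1.1" 200 1523',
    '10.0.0.9 - - [09/Aug/2013:10:02:10 +0200] "GET /app/save.action?redirect:/app/home.action HTTP/1.1" 302 0',
    '203.0.113.7 - - [09/Aug/2013:10:03:44 +0200] "GET /app/index.action?redirect:%24%7B1%2B1%7D HTTP/1.1" 302 0',
    '203.0.113.7 - - [09/Aug/2013:10:03:45 +0200] "GET /app/index.action?action:%2524%257B1%252B1%257D HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        verdict = "OGNL markers present" if f["ognl_markers"] else "plain target"
        print(f'{f["time"]} {f["host"]} {f["prefix"]} {f["expression"]!r} -> {verdict}')
    print("Struts 2.3.15 in affected range:", is_vulnerable_version("2.3.15"))
```

Any hit on the prefixes is worth a look, since the mechanism exists only for form-button navigation; a hit whose expression contains OGNL delimiters is the one to escalate and to correlate with the version check for the affected host.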