                                                   JPCERT-AT-2013-0033
                                                             JPCERT/CC
                                                            2013-07-19

                  <<< JPCERT/CC Alert 2013-07-19 >>>

                 Vulnerability in Apache Struts (S2-016)

          https://www.jpcert.or.jp/english/at/2013/at130033.html


I. Overview

 Apache Struts provided by the Apache Software Foundation contains a
vulnerability. Attack code leveraging this vulnerability is publicly
available and JPCERT/CC conducted a test using this code. As a result,
it has been verified that arbitrary OS commands may be executed on the
application server with the privileges of the user running Apache
Struts application. For more details on the vulnerability, please
refer to the information provided by the Apache Software Foundation.

 According to information provided by LAC Co., Ltd. the number of
attacks leveraging this vulnerability have increased significantly
against sites in Japan.


II. A Possible Attack Scenario

  A possible attack scenario is as follows:

  1. An attacker sends a specially crafted HTTP request to the 
     site targeted for the attack
  2. The vulnerability is leveraged and an arbitrary OS command 
     is executed

III. Affected Systems

  The following versions are affected by this vulnerability:

  Apache Struts versions 2.0.0 through 2.3.15


IV. Test Results from JPCERT/CC

  JPCERT/CC tested the PoC code that leverages this vulnerability

  [Test Environment]
  - Application Server
    Apache Tomcat 7.0.42
  - Java
    JDK 1.7.0_25
  - Target Application for Attack
    Sample application that is used in Apache Struts 2.3.15
    (struts2-blank.war)

  [Test Results] 
    Setup the sample application used in Apache Struts 2.3.15 within
    Apache Tomcat and send a specially crafted request to the sample
    application.  As a result, it was observed that an arbitrary OS
    command was executed.  In addition, when testing the sample
    application in Apache Struts 2.3.15.1, which addresses this
    vulnerability, arbitrary OS commands were not executed.


V. Solution

 Apache Software Foundation has released a version addressing this
vulnerability.  It is recommended to update to this latest version,
after thorough testing.
  
  - Apache 2.3.15.1

If the update cannot be applied for an extended period of time, please
check the settings of any security products being used, such as IPS,
and make sure that protection against this issue is available.


VI. References

    Apache Struts 2 Documentation
    Version Notes 2.3.15.1
    http://struts.apache.org/release/2.3.x/docs/version-notes-23151.html

    Apache Struts 2 Documentation
    S2-016
    http://struts.apache.org/release/2.3.x/docs/s2-016.html

    LAC Co., Ltd
    Increase in attacks leveraging a vulnerability in Apache Struts2 (S2-016) (Japanese)
    http://www.lac.co.jp/security/alert/2013/07/18_alert_01.html