JPCERT-AT-2016-0027
JPCERT/CC
2016-06-20 (Initial)
2016-06-21 (Update)

<<< JPCERT/CC Alert 2016-06-20 >>>
Vulnerability in Apache Struts 2 (S2-037)
https://www.jpcert.or.jp/english/at/2016/at160027.html

I. Overview

Apache Struts 2, provided by the Apache Software Foundation, contains a vulnerability (S2-037/CVE-2016-4438). When the REST Plugin*1 is in use, a remote attacker who sends a specially crafted HTTP request leveraging the vulnerability may execute arbitrary code on the server that runs an application using Apache Struts 2 (Struts application). For more details on the vulnerability, please refer to the information provided by the Apache Software Foundation.

*1 A plugin for implementing REST services in a Struts application
   REST Plugin
   https://struts.apache.org/docs/rest-plugin.html

Proof-of-Concept (PoC) code for this vulnerability has already been made public, and JPCERT/CC's test of this code confirmed that arbitrary code was executed with the privileges of the application server process that runs the Struts application.

The Apache Software Foundation has provided versions of the software that address the vulnerability. Those using an affected version are strongly recommended to resolve the issue promptly based on the information provided in "V. Solution".

II. A Possible Attack Scenario

Sending a specially crafted HTTP request leveraging the vulnerability to a Struts application with the REST Plugin may result in arbitrary code execution on the server that runs the Struts application.

III. Affected Systems

The following versions are affected by this vulnerability:
- Apache Struts versions 2.3.20 through 2.3.28.1

IV. Test Results from JPCERT/CC

JPCERT/CC tested the PoC code that leverages this vulnerability.

[Test content]
- Deploy a sample application that uses Apache Struts 2 on Apache Tomcat, then examine whether arbitrary code is executed by sending a specially crafted HTTP request using the proof-of-concept code.
[Test Environment]
- Application Server
  - CentOS 6.6
  - Apache Tomcat 8.0.30
  - Java 1.8.0_91
  - Sample application that uses Apache Struts 2

[Test Results]
- Apache Struts 2.3.28.1 | affected
- Apache Struts 2.3.29   | not affected

V. Solution

The Apache Software Foundation has released a version addressing this vulnerability. It is recommended to update to this latest version after thorough testing.
- Apache Struts 2.3.29

VII. References

Apache Struts 2 Documentation
S2-037: Remote Code Execution can be performed when using REST Plugin.
https://struts.apache.org/docs/s2-037.html

Apache Struts 2 Documentation
Version Notes 2.3.29
https://struts.apache.org/docs/version-notes-2329.html

Apache Struts 2 Documentation
REST Plugin
https://struts.apache.org/docs/rest-plugin.html

** Update: June 21, 2016 ***************************************
JVN#07710476
Code execution vulnerability in Apache Struts 2 (Japanese)
https://jvn.jp/jp/JVN07710476/

Information-technology Promotion Agency
A countermeasure for the code execution vulnerability in Apache Struts 2 (JVN#07710476) (Japanese)
https://www.ipa.go.jp/security/ciadr/vul/20160620-jvn.html
**********************************************************************

If you have any information regarding this alert, please contact JPCERT/CC.

________

Revision History
2016-06-20 First edition
2016-06-21 Updated "VII. References"

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600
FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
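The affected range in "III. Affected Systems" and the fixed version in "V. Solution" can be turned into a deployment check. The following Python script is an added example and is not part of this JPCERT/CC alert or of the Apache Struts project. It reads the struts2-core and struts2-rest-plugin jar names found under an application's WEB-INF/lib (Maven-style artifact names such as struts2-core-2.3.28.1.jar are assumed), compares the core version against 2.3.20 through 2.3.28.1 as integer tuples so that the four-component 2.3.28.1 orders correctly, and reports whether the application both runs an affected version and bundles the REST Plugin through which the vulnerability is reachable. The jar listings at the bottom are constructed samples, not taken from any real deployment.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Version boundaries as published for S2-037 (sections III and V of the alert).
AFFECTED_MIN = "2.3.20"
AFFECTED_MAX = "2.3.28.1"
FIXED = "2.3.29"

# Assumed Maven-style artifact names in WEB-INF/lib; adjust if a build renames jars.
JAR_RE = re.compile(r"^struts2-(core|rest-plugin)-(\d+(?:\.\d+){1,3})\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '2.3.28.1' to (2, 3, 28, 1), zero-padding to four components.

    Tuple comparison gives the right answer where string comparison does not:
    '2.3.9' sorts after '2.3.20' as a string but before it as a tuple.
    """
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected_version(version: str) -> bool:
    """True if version lies within the published affected range, inclusive."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


def list_jars(lib_dir: str) -> List[str]:
    """Return the jar file names in a WEB-INF/lib directory (for use on a real deployment)."""
    return sorted(p.name for p in Path(lib_dir).glob("*.jar"))


def assess_jars(jar_names: List[str]) -> Dict[str, object]:
    """Inspect the jar names of one deployed application.

    'vulnerable_version' is True when struts2-core falls in the affected range;
    'exposed' additionally requires the REST Plugin jar, since S2-037 is only
    reachable through that plugin. An affected core without the plugin still
    warrants the upgrade in section V.
    """
    core: Optional[str] = None
    rest_plugin: Optional[str] = None
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue
        if m.group(1) == "core":
            core = m.group(2)
        else:
            rest_plugin = m.group(2)
    vulnerable = core is not None and is_affected_version(core)
    return {
        "core_version": core,
        "rest_plugin_version": rest_plugin,
        "vulnerable_version": vulnerable,
        "exposed": vulnerable and rest_plugin is not None,
        "action": f"upgrade to {FIXED} or later" if vulnerable else "no action for S2-037",
    }


# Constructed sample listings of WEB-INF/lib, not taken from any real deployment.
SAMPLE_AFFECTED = ["struts2-core-2.3.28.1.jar", "struts2-rest-plugin-2.3.28.1.jar", "ognl-3.0.14.jar"]
SAMPLE_FIXED = ["struts2-core-2.3.29.jar", "struts2-rest-plugin-2.3.29.jar"]
SAMPLE_NO_REST = ["struts2-core-2.3.24.jar", "struts2-convention-plugin-2.3.24.jar"]

if __name__ == "__main__":
    for sample in (SAMPLE_AFFECTED, SAMPLE_FIXED, SAMPLE_NO_REST):
        print(assess_jars(sample))
```

An affected core without the REST Plugin jar is reported as vulnerable_version but not exposed; the upgrade in "V. Solution" still applies, since the plugin may be added later or the application may be redeployed. The check covers only the range published in this alert and makes no statement about other Struts branches; pass the output of list_jars() on a real WEB-INF/lib directory to assess_jars() to check a deployment.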