Summary
A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals
Who should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | A RCE attack is possible when developer is using wrong construction in Freemarker tags |
Maximum security rating | Moderate |
Recommendation | Upgrade to Struts 2.5.12 or Struts 2.3.34 |
Affected Software | Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10 |
Reporter | Lupin <lupin1314 at gmail dot com> - jd.com security team David Greene <david at trumpetx dot com> Roland McIntosh <struts at rgm dot nu> |
CVE Identifier | CVE-2017-12611 |
Problem
When using expression literals or forcing expression in Freemarker tags (see example below) and using request values can lead to RCE attack.
<@s.hidden name="redirectUri" value=redirectUri /><@s.hidden name="redirectUri" value="${redirectUri}" /> |
In both cases a writable property is used in the value attribute and in both cases this is threatened as an expression by Freemarker.
Solution
Do not use such constructions in your code or use read-only properties to initialise the value attribute (property with getter only). You can upgrade to Apache Struts version 2.5.12 or 2.3.34 which contain more restricted Freemarker configuration but removing vulnerable constructions is preferable.
'취약점 정보2' 카테고리의 다른 글
| Lg 모바일 9월 업데이트 내역 (0) | 2017.09.08 |
|---|---|
| 삼성 모바일 9월 업데이트 내역 (0) | 2017.09.08 |
| Chrome Releases 업데이트 안내 (0) | 2017.09.07 |
| 공유기 취약점 악용 악성코드 유포주의 (0) | 2017.09.07 |
| Apache Software Foundation Releases (0) | 2017.09.06 |
