Bug 981818 (CVE-2016-3081) - VUL-0: CVE-2016-3081: struts: Apache Struts Dynamic Method Invocation Bug Lets Remote Users Execute Arbitrary Code on the Target System
Status: RESOLVED INVALID
Alias: CVE-2016-3081
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All All
Priority: P2 - High; Severity: Major
Target Milestone: unspecified
Assignee: Tomáš Chvátal
QA Contact: Security Team bot
Reported: 2016-05-26 12:05 UTC by Mikhail Kasimov
Modified: 2016-10-28 12:33 UTC (History)
CC List: 4 users

Found By: Community User


Description Mikhail Kasimov 2016-05-26 12:05:29 UTC
Hello!

Please check the (open)SUSE Apache2 Struts2 module for the CVE-2016-3081 vulnerability -- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081 -- if it is in use.

If not affected, please close this report.
Comment 1 Andreas Stieger 2016-05-26 16:41:46 UTC
Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

http://www.securitytracker.com/id/1035665

Date: Apr 22 2016
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes

Description: A vulnerability was reported in Apache Struts. A remote user can execute arbitrary code on the target system.

A remote user can supply a specially crafted expression containing a 'method:' prefix to a target server that has enabled Dynamic Method Invocation to execute arbitrary code on the target system.

Nike Zheng at dbappsecurity.com.cn reported this vulnerability.
Impact: A remote user can execute arbitrary code on the target system.
Solution: The vendor has issued a fix (2.3.20.2, 2.3.24.2, 2.3.28.1).

The vendor's advisory is available at:

https://struts.apache.org/docs/s2-032.html
Cause: Input validation error

https://struts.apache.org/docs/s2-032.html

It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled.

Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions 2.3.20.3, 2.3.24.3 or 2.3.28.1.

Workaround: Disable Dynamic Method Invocation or implement your own version of ActionMapper based on a source code of the recommended Apache Struts versions.
Comment 2 Swamp Workflow Management 2016-05-26 22:00:14 UTC
bugbot adjusting priority
Comment 6 Forgotten User 6N3-_N_lRq 2016-10-27 21:34:48 UTC
How do I determine whether my server has Struts? And if it does, how do I know the version?

Thank you
Comment 7 Andreas Stieger 2016-10-28 12:33:54 UTC
(In reply to Dhivya Gurusamy from comment #6)
> How do I determine whether my server has Struts? And if it does, how do I know
> the version?

rpm -q struts
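As an added example (not from the bug report or from the Struts project): a POSIX shell script that answers comment 6's question for a deployed webapp tree, which `rpm -q` cannot see when Struts is bundled inside a WAR, and at the same time checks the two points from comment 1: the struts2-core version against the S2-032 fix releases (2.3.20.3, 2.3.24.3, 2.3.28.1) and whether struts.xml carries the Dynamic Method Invocation workaround. It assumes the jar is named struts2-core-<version>.jar and that DMI is controlled by the struts.enable.DynamicMethodInvocation constant; the webapp path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the bug report or from Struts: walk a webapp tree,
# report the struts2-core version found (comment 6's question) and whether
# struts.xml disables Dynamic Method Invocation (the S2-032 workaround).
# Assumes jars named struts2-core-<version>.jar and the DMI switch being the
# struts.enable.DynamicMethodInvocation constant in struts.xml.

# ver_ge A B: print 1 if dotted version A >= B, else 0 (missing fields are 0).
ver_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=""; else b=${b#*.}; fi
        [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return; }
        [ "${x:-0}" -lt "${y:-0}" ] && { echo 0; return; }
    done
    echo 1
}

# struts_status VER: "fixed" when VER is at or above the S2-032 fix release for
# its branch (2.3.20.3, 2.3.24.3, otherwise 2.3.28.1), else "vulnerable".
struts_status() {
    case "$1" in
        2.3.20.*) fix=2.3.20.3 ;;
        2.3.24.*) fix=2.3.24.3 ;;
        *)        fix=2.3.28.1 ;;
    esac
    if [ "$(ver_ge "$1" "$fix")" = 1 ]; then echo fixed; else echo vulnerable; fi
}

# dmi_disabled FILE: "yes" if struts.xml sets the DMI constant to false, else "no".
dmi_disabled() {
    grep -Eq 'name="struts\.enable\.DynamicMethodInvocation"[^>]*value="false"' "$1" \
        && echo yes || echo no
}

# scan_webapp DIR: one line "<jar> <version> <status> dmi_disabled=<yes|no>"
# per struts2-core jar under DIR, using the first struts.xml found there.
scan_webapp() {
    find "$1" -name 'struts2-core-*.jar' | while read -r jar; do
        ver=$(basename "$jar" .jar); ver=${ver#struts2-core-}
        xml=$(find "$1" -name struts.xml | head -n 1)
        dmi=no; if [ -n "$xml" ]; then dmi=$(dmi_disabled "$xml"); fi
        echo "$jar $ver $(struts_status "$ver") dmi_disabled=$dmi"
    done
}

if [ $# -gt 0 ]; then scan_webapp "$1"; fi  # usage: sh scan.sh /path/to/webapps
```

A "vulnerable" line with dmi_disabled=no is the case the advisory warns about; a missing constant is reported as "no" because the script does not guess the build's default.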