Bug 985797 (CVE-2016-4438) - VUL-0: CVE-2016-4438: struts: Possible RCE via REST plugin
Summary: VUL-0: CVE-2016-4438: struts: Possible RCE via REST plugin
Status: RESOLVED INVALID
Alias: CVE-2016-4438
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Major
Target Milestone: ---
Assignee: Tomáš Chvátal
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170359/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-21 06:52 UTC by Marcus Meissner
Modified: 2016-06-21 06:52 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2016-06-21 06:52:23 UTC
https://struts.apache.org/docs/s2-037.html

Remote Code Execution can be performed when using REST Plugin.

Who should read this: All Struts 2 developers and users

Impact of vulnerability: Possible Remote Code Execution

Maximum security rating: High

Recommendation: Upgrade to Struts 2.3.29.

Affected Software: Struts 2.3.20 - Struts 2.3.28.1

Reporter: Chao Jack PKAV_香草 jc1990999 at yahoo dot com; Shinsaku Nomura nomura at bitforest dot jp

CVE Identifier: CVE-2016-4438

Problem

It is possible to pass a malicious expression which can be used to execute arbitrary code on the server side when using the REST Plugin.

Solution

Upgrade to Apache Struts version 2.3.29.

Backward compatibility

Some backward incompatibility issues are expected when upgrading to Struts 2.3.29: some OGNL expressions may stop working because they perform arithmetic operations and assignments that are now disallowed.
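The advisory gives only a version range (Struts 2.3.20 through 2.3.28.1, fixed in 2.3.29) and the condition that the REST plugin is in use. The following script is an added example, not part of the advisory or of SUSE's packaging, that turns that range into an inventory check: it parses Maven-style Struts 2 JAR names (an assumption about the deployment layout, e.g. `struts2-rest-plugin-2.3.28.1.jar` under `WEB-INF/lib`), compares versions component-wise, and reports whether the REST plugin is present in the affected range. The sample file names are constructed.

```python
"""Audit Struts 2 JAR names against the CVE-2016-4438 (S2-037) affected range."""
import re
from pathlib import Path

# Range taken from the advisory text above: Struts 2.3.20 through 2.3.28.1
# is affected; 2.3.29 carries the fix.
AFFECTED_MIN = (2, 3, 20)
AFFECTED_MAX = (2, 3, 28, 1)
FIXED_VERSION = "2.3.29"

# Assumed Maven-style artifact names, e.g. struts2-core-2.3.28.1.jar
JAR_RE = re.compile(r"^(struts2-[a-z0-9-]+?)-(\d+(?:\.\d+){1,3})\.jar$")


def parse_version(text):
    """'2.3.28.1' -> (2, 3, 28, 1); tuples compare component-wise,
    so a shorter prefix such as (2, 3, 28) sorts before (2, 3, 28, 1)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def audit_jar_names(names):
    """Classify each Struts 2 JAR file name.

    Returns a dict: artifact -> (version, affected). Names that are not
    Struts 2 artifacts are ignored. The advisory ties the RCE to the REST
    plugin, so exposure is judged on 'struts2-rest-plugin' specifically.
    """
    found = {}
    for name in names:
        m = JAR_RE.match(Path(name).name)
        if not m:
            continue
        artifact, version = m.groups()
        found[artifact] = (version, is_affected(version))
    return found


def rest_plugin_exposed(names):
    """True if an affected struts2-rest-plugin JAR is among the names."""
    entry = audit_jar_names(names).get("struts2-rest-plugin")
    return entry is not None and entry[1]


def audit_directory(path):
    """Recursively audit a deployed application directory (e.g. WEB-INF/lib)."""
    return audit_jar_names(str(p) for p in Path(path).rglob("struts2-*.jar"))


# Constructed sample input, not taken from a real deployment
SAMPLE_JARS = [
    "WEB-INF/lib/struts2-core-2.3.28.1.jar",
    "WEB-INF/lib/struts2-rest-plugin-2.3.28.1.jar",
    "WEB-INF/lib/commons-lang3-3.4.jar",
]

if __name__ == "__main__":
    for artifact, (version, affected) in audit_jar_names(SAMPLE_JARS).items():
        print(f"{artifact} {version}: {'AFFECTED' if affected else 'ok'}")
    if rest_plugin_exposed(SAMPLE_JARS):
        print(f"REST plugin in affected range; upgrade to Struts {FIXED_VERSION}")
```

Run it against a real deployment with `audit_directory("/path/to/webapp/WEB-INF/lib")`. Version tuples rather than string comparison are used deliberately: a plain string compare would rank "2.3.9" above "2.3.28.1", which is exactly the kind of mistake that leaves an affected build flagged as fixed.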
Comment 1 Marcus Meissner 2016-06-21 06:52:49 UTC
this only affects struts 2, not our struts 1 packages.