JVN#92395431: Java (OGNL) code execution in Apache Struts 2 when devMode is enabled

Overview

There is a known risk of arbitrary Java (OGNL) code execution in Apache Struts 2 when devMode (Development Mode) is enabled.

Products Affected

Apache Struts 2.3.30 and earlier
Apache Struts 2.5.1 and earlier

The developer confirmed this issue does not exist in Apache Struts 2.3.31 and upper versions of Apache Struts 2.5.2.

Description

Apache Struts 2 provided by the Apache Software Foundation is a software framework for creating Java web applications. There is a known risk that arbitrary Java (OGNL) code may be executed in Apache Struts 2 when devMode is enabled in production environment.
It is confirmed that proof-of-concept code exploiting this issue is publicly available.

Impact

An attacker who has access to Apache Struts 2 may execute arbitrary Java (OGNL) code.

Solution

Update the Software
Users of affected versions are recommended to update to the latest version.

Disable devMode
The developer has already published Apache Struts 2 documentation describing the risk when devMode is enabled in production.
Disable devMode unless it is necessary to be enabled.

Vendor Status

Vendor	Status	Last Update
JT Engineering inc.	Not Vulnerable	2017/01/20
NEC Corporation	Vulnerability Information Provided	2017/01/20
NTT-CERT	Not Vulnerable	2017/01/20

Vendor	Link
The Apache Software Foundation	Apache Struts
	Apache Struts 2 Documentation - Security - Disable devMode

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Base Score: 5.6

Attack Vector(AV)	Physical (P)	Local (L)	Adjacent (A)	Network (N)
Attack Complexity(AC)	High (H)	Low (L)
Privileges Required(PR)	High (H)	Low (L)	None (N)
User Interaction(UI)	Required (R)	None (N)
Scope(S)	Unchanged (U)	Changed (C)
Confidentiality Impact(C)	None (N)	Low (L)	High (H)
Integrity Impact(I)	None (N)	Low (L)	High (H)
Availability Impact(A)	None (N)	Low (L)	High (H)

CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Score: 6.8

Access Vector(AV)	Local (L)	Adjacent Network (A)	Network (N)
Access Complexity(AC)	High (H)	Medium (M)	Low (L)
Authentication(Au)	Multiple (M)	Single (S)	None (N)
Confidentiality Impact(C)	None (N)	Partial (P)	Complete (C)
Integrity Impact(I)	None (N)	Partial (P)	Complete (C)
Availability Impact(A)	None (N)	Partial (P)	Complete (C)

Credit

Hiroshi Fujimoto and Ken Kitahara of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia	JVNDB-2017-000012

Update History

2017/01/20: Corrected CVSSv3 and CVSSv2 Attack Vector(AV).

JVN#92395431 Java (OGNL) code execution in Apache Struts 2 when devMode is enabled