Published:2017/01/20  Last Updated:2017/01/20

JVN#92395431
Java (OGNL) code execution in Apache Struts 2 when devMode is enabled

Overview

There is a known risk of arbitrary Java (OGNL) code execution in Apache Struts 2 when devMode (Development Mode) is enabled.

Products Affected

  • Apache Struts 2.3.30 and earlier
  • Apache Struts 2.5.1 and earlier
The developer confirmed that this issue does not exist in Apache Struts 2.3.31 and upper versions of Apache Struts 2.5.2.

Description

Apache Struts 2, provided by the Apache Software Foundation, is a software framework for creating Java web applications. There is a known risk that arbitrary Java (OGNL) code may be executed in Apache Struts 2 when devMode is enabled in a production environment.
It is confirmed that proof-of-concept code exploiting this issue is publicly available.

Impact

An attacker who has access to Apache Struts 2 may execute arbitrary Java (OGNL) code.

Solution

Update the Software
Users of affected versions are recommended to update to the latest version.

Disable devMode
The developer has already published Apache Struts 2 documentation describing the risk when devMode is enabled in production.
Disable devMode unless it needs to be enabled.
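
One way to check deployed configuration for this setting, as an added example that is not part of the original advisory. It assumes devMode is controlled by the Struts 2 constant `struts.devMode` in struts.xml, struts.properties, or a web.xml filter init-param; the file names and contents below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

KEY = "struts.devMode"  # Struts 2 constant that turns Development Mode on
PROP_RE = re.compile(r"^[ \t]*struts\.devMode[ \t]*[=: \t][ \t]*(\S+)", re.MULTILINE)

def is_true(value):
    return (value or "").strip().lower() == "true"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip an XML namespace prefix, if present

def devmode_in_xml(text):
    """True if struts.xml (<constant>) or web.xml (<init-param>) enables devMode."""
    for elem in ET.fromstring(text).iter():
        if local(elem.tag) == "constant" and elem.get("name") == KEY:
            if is_true(elem.get("value")):
                return True
        elif local(elem.tag) == "init-param":
            fields = {local(c.tag): (c.text or "").strip() for c in elem}
            if fields.get("param-name") == KEY and is_true(fields.get("param-value")):
                return True
    return False

def devmode_in_properties(text):
    """True if struts.properties enables devMode; the last assignment wins."""
    values = PROP_RE.findall(text)
    return bool(values) and is_true(values[-1])

def audit(files):
    """Return the names of configuration files that leave devMode enabled."""
    hits = []
    for name, text in files.items():
        check = devmode_in_properties if name.endswith(".properties") else devmode_in_xml
        if check(text):
            hits.append(name)
    return hits

# Constructed sample configuration, not taken from any real deployment.
DOCTYPE = '<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN" "http://struts.apache.org/dtds/struts-2.3.dtd">'
SAMPLES = {
    "app1/struts.xml": DOCTYPE + '<struts><constant name="struts.devMode" value="true"/></struts>',
    "app2/struts.xml": DOCTYPE + '<struts><constant name="struts.devMode" value="false"/></struts>',
    "app3/WEB-INF/web.xml": '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><filter><init-param><param-name>struts.devMode</param-name><param-value>true</param-value></init-param></filter></web-app>',
    "app4/struts.properties": "struts.devMode = true\nstruts.devMode = false\n",
    "app5/struts.properties": "# struts.devMode = false\nstruts.devMode=true\n",
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Run it against the configuration actually packaged in the deployed WAR, since a build profile can override the value kept in source control.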

Vendor Status

Vendor               Status                              Last Update  Vendor Notes
JT Engineering inc.  Not Vulnerable                      2017/01/20
NEC Corporation      Vulnerability Information Provided  2017/01/20
NTT-CERT             Not Vulnerable                      2017/01/20

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score: 5.6
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): Low (L)
Integrity Impact (I): Low (L)
Availability Impact (A): Low (L)

CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Access Vector (AV): Network (N)
Access Complexity (AC): Medium (M)
Authentication (Au): None (N)
Confidentiality Impact (C): Partial (P)
Integrity Impact (I): Partial (P)
Availability Impact (A): Partial (P)

Credit

Hiroshi Fujimoto and Ken Kitahara of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JVN iPedia JVNDB-2017-000012

Update History

2017/01/20
Corrected CVSSv3 and CVSSv2 Attack Vector(AV).