

[Urgent] Struts 2 hit by the critical S2-046 vulnerability! A POC is already out!

2017-03-21 10:27 | 754 views


Everyone surely still remembers the S2-045 vulnerability from a few days ago... yet Struts 2 does not seem inclined to spare us overworked security and IT operations people: today S2-046 was disclosed! You read that right, the rating is once again "Critical", the same as S2-045!

Enough to make you despair... Details:

Official advisory page: http://struts.apache.org/docs/s2-046.html

Possible RCE when performing file upload based on Jakarta Multipart parser (similar to S2-045)

Who should read this: All Struts 2 developers and users
Impact of vulnerability: Possible RCE when performing file upload based on Jakarta Multipart parser
Maximum security rating: Critical
Recommendation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1
Affected Software: Struts 2.3.5 – Struts 2.3.31, Struts 2.5 – Struts 2.5.10
Reporter: Chris Frohoff <cfrohoff at qualcomm dot com>, Nike Zheng <nike dot zheng at dbappsecurity dot com dot cn>, Alvaro Munoz <alvaro dot munoz at hpe dot com>
CVE Identifier: CVE-2017-5638

The reporters come from three organizations: Qualcomm, DBAPPSecurity (杭州安恒) and HPE (Hewlett Packard Enterprise).

S2-046 is similar to S2-045: once again it is remote code execution (RCE).

Affected versions: Struts 2.3.5 – Struts 2.3.31, Struts 2.5 – Struts 2.5.10.

Fix: upgrade to Struts 2.3.32 or Struts 2.5.10.1.
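To turn the version ranges above into a check that can be run against a deployed application, here is an added Python example (not part of the original post or of the Struts project) that classifies struts2-core jar file names against the S2-046 ranges and fixed releases. The jar-name pattern, the "not listed" status for versions older than the advisory range, and the sample file names are assumptions made for the example.

```python
import re
from pathlib import Path

# Version ranges taken from the S2-046 advisory (inclusive at both ends),
# compared as integer tuples so that 2.5.10.1 sorts after 2.5.10.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)
# (branch prefix, first fixed release) per the advisory's Recommendation line.
FIXED_RELEASES = (
    ((2, 3), (2, 3, 32)),
    ((2, 5), (2, 5, 10, 1)),
)

# Assumed naming: struts2-core-2.3.31.jar, struts2-core-2.5.10.1.jar,
# struts2-core-2.3.8-SNAPSHOT.jar ... (qualifier after the version is ignored)
STRUTS_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:-[^/]*)?\.jar$", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '2.5.10.1' into (2, 5, 10, 1); qualifiers such as '-SNAPSHOT' are dropped."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable Struts version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def classify_version(version: str) -> str:
    """'affected', 'fixed' or 'not listed' according to the advisory ranges."""
    v = parse_version(version)
    if any(low <= v <= high for low, high in AFFECTED_RANGES):
        return "affected"
    for branch, first_fixed in FIXED_RELEASES:
        if v[:2] == branch and v >= first_fixed:
            return "fixed"
    # Older than the listed ranges (e.g. 2.3.4): not covered by this advisory,
    # which is not the same as being safe; check the other Struts advisories.
    return "not listed"


def classify_jar_names(names) -> dict:
    """Map each struts2-core jar file name to its status; other jars are ignored."""
    result = {}
    for name in names:
        base = Path(name).name
        m = STRUTS_JAR.match(base)
        if m:
            result[base] = classify_version(m.group(1))
    return result


def scan_lib_dir(lib_dir) -> dict:
    """Scan an exploded webapp's WEB-INF/lib (or any directory tree) for struts2-core jars."""
    return classify_jar_names(str(p) for p in Path(lib_dir).rglob("*.jar"))


if __name__ == "__main__":
    # Constructed file names for a quick self-check; real runs use scan_lib_dir(path).
    sample = ["struts2-core-2.3.31.jar", "struts2-core-2.5.10.jar",
              "struts2-core-2.5.10.1.jar", "struts2-core-2.3.32.jar",
              "commons-fileupload-1.3.2.jar"]
    for jar, status in classify_jar_names(sample).items():
        print(f"{jar}: {status}")
```

Run it as `python struts_check.py` for the self-check, or call `scan_lib_dir("/path/to/WEB-INF/lib")` against a deployed application; a result of "affected" on any jar means the upgrade has not been applied.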

Problem

It is possible to perform an RCE attack with a malicious Content-Disposition value or with an improper Content-Length header. If the Content-Disposition / Content-Length value is not valid an exception is thrown which is then used to display an error message to a user. This is a different vector for the same vulnerability described in S2-045 (CVE-2017-5638).

Solution

If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

You can switch to a different implementation of the Multipart parser. We have already prepared two plugins which can be used as a drop-in solution, please find them here. You can use them when you are running the Apache Struts 2.3.8 – 2.5.5 (in case of using the default Jakarta multipart parser) or the Apache Struts 2.3.20 – 2.5.5 (when using an alternative jakarta-stream multipart parser).

Another option is to remove the File Upload Interceptor from the stack, just define your own custom stack and set it as a default – please read How do we configure an Interceptor to be used with every Action. This will work only for Struts 2.5.8 – 2.5.10.

<!-- struts.xml: the default stack with the fileUpload interceptor left out.
     Per the advisory this workaround applies only to Struts 2.5.8 - 2.5.10. -->
<interceptors>
    <interceptor-stack name="defaultWithoutUpload">
        <interceptor-ref name="exception"/>
        <interceptor-ref name="alias"/>
        <interceptor-ref name="servletConfig"/>
        <interceptor-ref name="i18n"/>
        <interceptor-ref name="prepare"/>
        <interceptor-ref name="chain"/>
        <interceptor-ref name="scopedModelDriven"/>
        <interceptor-ref name="modelDriven"/>
        <interceptor-ref name="checkbox"/>
        <interceptor-ref name="datetime"/>
        <interceptor-ref name="multiselect"/>
        <interceptor-ref name="staticParams"/>
        <interceptor-ref name="actionMappingParams"/>
        <interceptor-ref name="params"/>
        <interceptor-ref name="conversionError"/>
        <interceptor-ref name="validation">
            <param name="excludeMethods">input,back,cancel,browse</param>
        </interceptor-ref>
        <interceptor-ref name="workflow">
            <param name="excludeMethods">input,back,cancel,browse</param>
        </interceptor-ref>
        <interceptor-ref name="debugging"/>
    </interceptor-stack>
</interceptors>
<!-- Make the upload-free stack the default for every action. -->
<default-interceptor-ref name="defaultWithoutUpload"/>
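As an added example (not from the original post, the advisory or the Struts project), the following Python script inspects captured multipart upload requests for the two header shapes the Problem section describes: an OGNL expression opener in a part's Content-Disposition (the S2-046 vector) and an improper Content-Length. It also checks the top-level Content-Type header, which is the S2-045 vector the advisory refers back to, so it goes slightly beyond S2-046 alone. The OGNL marker regex, the length-mismatch heuristic, the boundary string and the `%{#probe}` placeholder are assumptions; the placeholder is not a working payload, and the sample requests are constructed inline.

```python
import re

# OGNL expression openers. The advisory describes attacker-controlled header
# values reaching an error message, which is where OGNL gets evaluated.
OGNL_MARKER = re.compile(r"[%$]\{")


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def multipart_boundary(content_type: str):
    """Extract the boundary parameter of a multipart Content-Type, or None."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    return m.group(1) if m else None


def part_headers(body: bytes, boundary: str):
    """Yield (name, value) for the headers of every part in a multipart body."""
    delimiter = b"--" + boundary.encode("latin-1")
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter, no more parts
            break
        head, _, _ = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            if name.strip():
                yield name.strip().lower(), value.strip()


def inspect_request(raw: bytes) -> list:
    """Return the list of indicators found in one captured request."""
    findings = []
    _, headers, body = split_request(raw)
    content_type = headers.get("content-type", "")
    if OGNL_MARKER.search(content_type):             # S2-045 vector
        findings.append("ognl-in-content-type")
    length = headers.get("content-length")
    # Heuristic (assumed): a Content-Length that is not a number or does not
    # match the captured body is the "improper Content-Length" named in S2-046.
    if length is not None and (not length.isdigit() or int(length) != len(body)):
        findings.append("content-length-mismatch")
    boundary = multipart_boundary(content_type)
    if boundary:
        for name, value in part_headers(body, boundary):
            if name == "content-disposition" and OGNL_MARKER.search(value):
                findings.append("ognl-in-content-disposition")   # S2-046 vector
    return findings


BOUNDARY = "ConstructedBoundary7MA4YWxk"   # assumed boundary for the samples


def build_upload(filename: str, content_type: str = None, bad_length: bool = False) -> bytes:
    """Build a constructed multipart upload request for exercising the detector."""
    body = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="upload"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n\r\n"
        "hello\r\n"
        f"--{BOUNDARY}--\r\n"
    ).encode("latin-1")
    content_type = content_type or f"multipart/form-data; boundary={BOUNDARY}"
    declared = len(body) + 1 if bad_length else len(body)
    head = (
        "POST /upload.action HTTP/1.1\r\n"
        "Host: example.test\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {declared}\r\n\r\n"
    ).encode("latin-1")
    return head + body


if __name__ == "__main__":
    # "%{#probe}" is a placeholder OGNL opener, not a working payload.
    print(inspect_request(build_upload("report.txt")))
    print(inspect_request(build_upload("%{#probe}.txt")))
    print(inspect_request(build_upload("report.txt", content_type="%{#probe}")))
    print(inspect_request(build_upload("report.txt", bad_length=True)))
```

Feed `inspect_request` raw requests from a proxy or packet capture; a hit on `ognl-in-content-disposition` is the S2-046 shape, while `content-length-mismatch` on its own is noisy (chunked or truncated captures also trigger it) and is better treated as a secondary signal.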

In short: upgrade immediately! A POC is already circulating online, so... you know what that means.

Image: 安全客 APP

Upgrade now! Upgrade now!! Upgrade now!!!

If you already upgraded for S2-045, you do not need to upgrade again: the S2-045 fix already covers S2-046, since it is the same CVE-2017-5638 and the fixed releases (2.3.32 and 2.5.10.1) are identical.