Vulnerabilities in Apache Struts Could Allow Remote Code Execution

ITS Advisory Number: 2013-092
Date(s) Issued: Monday, September 23, 2013
Subject: Vulnerabilities in Apache Struts Could Allow Remote Code Execution
Overview: 

Vulnerabilities have been discovered in Apache Struts which could allow remote code execution. Apache Struts is an open source, model-view-controller (MVC) framework used for building Java web applications. Successful exploitation could result in an attacker executing arbitrary code in the context of the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Apache Struts versions 2.0.0 through 2.3.15.1
Risk: 
  Government:
    Large and medium government entities: High
    Small government entities: High
  Business:
    Large and medium business entities: High
    Small business entities: High
  Home Users: N/A
Description: 

Vulnerabilities have been found in Apache Struts versions 2.0.0 through 2.3.15.1 which could allow for remote code execution. The details of these vulnerabilities are as follows:

Successful exploitation could result in an attacker executing arbitrary code in the context of the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • Upgrade vulnerable Apache Struts installations immediately after appropriate testing.
  • Disable Dynamic Method Invocation (DMI). As of version 2.3.15.2, the Dynamic Method Invocation setting defaults to false.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Apply the principle of least privilege to all services.
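As an added example (not part of this advisory), the following Python script checks a deployment's Struts version against the affected range and reads struts.xml and struts.properties to report whether DMI is still in effect. It assumes the standard Struts constant struts.enable.DynamicMethodInvocation; the two sample configuration files are constructed.

```python
# Added example (not part of the advisory): does a Struts 2 deployment still have
# Dynamic Method Invocation (DMI) on? Assumes the standard Struts constant
# struts.enable.DynamicMethodInvocation and the advisory's version facts.
import xml.etree.ElementTree as ET

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"
FIRST_AFFECTED, FIRST_FIXED = (2, 0, 0, 0), (2, 3, 15, 2)  # 2.3.15.2: DMI off by default

def parse_version(text: str) -> tuple:
    """'2.3.15.1' -> (2, 3, 15, 1); shorter strings are zero-padded to 4 parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def dmi_values_from_xml(xml_text: str) -> list:
    """Every explicit DMI <constant> value in a struts.xml, as booleans."""
    root = ET.fromstring(xml_text)
    return [c.get("value", "").strip().lower() == "true"
            for c in root.iter("constant") if c.get("name") == DMI_CONSTANT]

def dmi_values_from_properties(props_text: str) -> list:
    """Every explicit DMI key in a struts.properties file, as booleans."""
    found = []
    for line in props_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == DMI_CONSTANT:
            found.append(value.strip().lower() == "true")
    return found

def assess(version: str, struts_xml: str = "", struts_props: str = "") -> dict:
    """Combine the version default with explicit settings. Conservative assumption:
    any file that explicitly enables DMI counts as enabled, whatever the load order."""
    ver = parse_version(version)
    explicit = (dmi_values_from_xml(struts_xml) if struts_xml else []) + \
               (dmi_values_from_properties(struts_props) if struts_props else [])
    if explicit:
        enabled, source = any(explicit), "explicit"
    else:  # nothing set: the release default decides
        enabled, source = ver < FIRST_FIXED, "default"
    return {"version_affected": FIRST_AFFECTED <= ver < FIRST_FIXED,
            "dmi_enabled": enabled, "dmi_source": source}

# Constructed sample configs: one relying on the pre-2.3.15.2 default, one hardened.
WEAK_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false"/>
  <package name="default" extends="struts-default"/>
</struts>"""
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
  <package name="default" extends="struts-default"/>
</struts>"""
```

Disabling DMI only narrows exposure on an affected release; the finding's version_affected field is the one that still calls for the upgrade.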
References: 
Apache:
http://struts.apache.org/release/2.3.x/docs/s2-018.html
http://struts.apache.org/release/2.3.x/docs/s2-019.html
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4316
SecurityFocus:
http://www.securityfocus.com/bid/62587