Bug 967656 - (CVE-2013-1966, CVE-2013-2115) CVE-2013-1966 struts2: remote command execution due to flaw in the includeParams attribute of URL and Anchor tags
CVE-2013-1966 struts2: remote command execution due to flaw in the includePar...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Red Hat Product Security
impact=critical,public=20130522,repor...
: Security
Depends On:
Blocks: 967657
  Show dependency treegraph
 
Reported: 2013-05-27 16:11 EDT by Vincent Danen
Modified: 2015-08-19 05:21 EDT (History)
4 users (show)

See Also:
Fixed In Version: Struts 2.3.14.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-05-27 21:57:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-05-27 16:11:51 EDT
As per the upstream report:

Both the s:url and s:a tag provide an includeParams attribute.

The main scope of that attribute is to understand whether includes http request parameter or not.

The allowed values of includeParams are:

1. none - include no parameters in the URL (default)
2. get - include only GET parameters in the URL
3. all - include both GET and POST parameters in the URL

A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an URL or A tag , which will cause a further evaluation.

The second evaluation happens when the URL/A tag tries to resolve every parameters present in the original request.
This lets malicious users put arbitrary OGNL statements into any request parameter (not necessarily managed by the code) and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.


This flaw is reported to affect Struts 2.0.0 through to Struts 2.3.14.  It is corrected in 2.3.14.1.

External References:

https://cwiki.apache.org/confluence/display/WW/S2-013
Comment 1 Vincent Danen 2013-05-27 16:15:27 EDT
Note that Struts 2.3.14.2 was released due to an incomplete/incorrect fix for CVE-2013-1966 in version 2.3.14.1.  A new CVE was assigned for this incomplete fix (CVE-2013-2115) but would only affect version 2.3.14.1 or any other supplied version of Struts with the incorrect patch.

This issue is fully corrected in 2.3.14.2 as per:

https://cwiki.apache.org/confluence/display/WW/S2-014
Comment 2 Arun Babu Neelicattu 2013-05-27 21:57:39 EDT
Statement:

Not Vulnerable. This issue only affects struts 2, it does not affect the
versions of struts as shipped with various Red Hat products.
Comment 3 Mark J. Cox (Product Security) 2013-11-28 03:47:59 EST
had this affected Red Hat products it would have done so with impact=critical.

Note You need to log in before you can comment on or make changes to this bug.