Recently, patches have fixed a vulnerability that could allow attackers to execute code remotely. Apparently this isn't really a fix, more like rolling out the red carpet for black hats :-/
http://struts.apache.org/release/2.3.x/docs/s2-016.html
This basically allows the attack to be executed with commands like the following:
Test action: http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
Exploit action: http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
Although I know that the upgrade should be done as soon as possible, "as soon as possible" is relative, since our code base uses old versions of the libraries and plugins.
Upgrading the Struts 2 libraries will require some refactoring, then everything has to be tested, etc.
My question is, does anyone have an idea how to stop this vulnerability from being exploited? It would only be until we can upgrade.
I was wondering if it is possible to write an interceptor to sanitize the URL before it is evaluated as OGNL, and whether that would mitigate this problem?
Another idea I had was to somehow use the Java Security Manager to stop arbitrary process calls. Is this possible? Would it plug the hole for the time being?
The server used is JBoss, if anyone finds that relevant.
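As an added example (not code from the question, from Apache Struts or from the S2-016 advisory), here is a stopgap servlet filter that rejects any request whose parameter names start with the "action:", "redirect:" or "redirectAction:" prefixes that DefaultActionMapper treats specially in S2-016, so the OGNL in the parameter name never reaches Struts. The class name, the log message and the 400 response are my assumptions.

```java
// Added example: a servlet Filter mapped to /* and declared in web.xml BEFORE the
// Struts 2 filter, so affected requests are dropped before Struts parses them.
import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class StrutsPrefixBlockingFilter implements Filter {
    // Parameter-name prefixes handled by DefaultActionMapper (S2-016). Struts matches
    // them case-sensitively; matching case-insensitively here is stricter, not looser.
    private static final String[] BLOCKED_PREFIXES = { "action:", "redirect:", "redirectaction:" };
    private ServletContext context;

    public static boolean hasBlockedPrefix(String parameterName) {
        if (parameterName == null) return false;
        String name = parameterName.toLowerCase(Locale.ROOT);
        for (String prefix : BLOCKED_PREFIXES) {
            if (name.startsWith(prefix)) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getParameterNames() returns names after URL decoding, so the query string
        // "redirect:%25{3*4}" from the question arrives here as "redirect:%{3*4}".
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            if (hasBlockedPrefix(String.valueOf(names.nextElement()))) {
                // Log source and path for detection, but not the payload itself.
                context.log("Blocked Struts special-prefix parameter from "
                        + request.getRemoteAddr() + " on " + request.getRequestURI());
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { context = cfg.getServletContext(); }
    @Override public void destroy() { }
}
```

Note that this also blocks legitimate uses of these prefixes (for example "action:" on submit buttons that dispatch to different action methods), so check the application for them before deploying. It is a stopgap for the parameter-name vector described on this page only, not a substitute for the upgrade.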