000033134 - RSA Authentication Manager 8.x Security Vulnerabilities for Apache Struts 2 - False Positive

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 14, 2017.

Article Content

Article Number: 000033134
Applies To: RSA Authentication Manager 8.x

CVE ID: CVE-2016-3081, CVE-2016-0785, CVE-2016-3082
Article Summary

Customer Support has asked whether the RSA Authentication Manager 8.x system is impacted by several vulnerabilities in Apache Struts 2 after reading the announcement of fixes for these issues by the Apache Software Foundation.
The summarized announcements associated with the query are as follows (additional information is available at struts.apache.org):

S2-032
Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled.
Impact of vulnerability: Possible Remote Code Execution
Affected Software: Struts 2.3.20 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
CVE Identifier: CVE-2016-3081

S2-031
XSLTResult can be used to parse an arbitrary stylesheet.
Impact of vulnerability: Possible Remote Code Execution
Affected Software: Struts 2.0.0 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
CVE Identifier: CVE-2016-3082

S2-029
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Impact of vulnerability: Possible Remote Code Execution vulnerability
Affected Software: Struts 2.0.0 - Struts 2.3.24.1 (except 2.3.20.3)
CVE Identifier: CVE-2016-0785

Link to Advisories

http://struts.apache.org/docs/s2-032.html
http://struts.apache.org/docs/s2-031.html
https://struts.apache.org/docs/s2-029.html

Alert Impact: Not Applicable
Technical Details: False positive
Resolution

Information from NVD, Apache and Struts source code.

CVE-2016-3081

Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

CVSS v3 Base Score: 8.1 High

It is possible to pass a malicious expression which can be used to execute arbitrary code on the server side when Dynamic Method Invocation is enabled.

Response: The flaw does not exist

Dynamic Method Invocation is a feature of Struts 2. AM does not use an impacted version of Struts.




CVE-2016-0785

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

CVSS v3 Base Score: 8.8 High

The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tags, so it is possible to pass in a value that will be evaluated again when the tag's attributes are rendered. (Processing in code associated with com.opensymphony.xwork2.ognl.)

Response: The flaw does not exist

The forced evaluation of Struts 2 attributes and OGNL expressions %{} is a feature of Struts 2. AM does not use an impacted version of Struts.




CVE-2016-3082

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

CVSS v3 Base Score: 9.8 Critical

XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.

Response: The flaw does not exist

XSLTResult uses XSLT to transform an action object to XML and is a feature of Struts 2. AM does not use an impacted version of Struts.
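All three responses above rest on one check: the Struts 2 version actually deployed is not inside the affected ranges. The following is an added example, not RSA's or Apache's code, of how an administrator can make that check repeatable for a deployment they own: it takes the affected ranges exactly as the NVD descriptions quoted in this Resolution state them (the Apache advisory summaries earlier on the page give slightly different bounds at the edges, e.g. S2-029 ending at 2.3.24.1, so reconcile against the fix version you actually ship), compares a version string against them, and pulls the version out of a WEB-INF/lib listing. Function names (parse_version, assess, struts_core_versions) and the jar file names are assumptions constructed for this example.

```python
"""Added example (not RSA's or Apache's code): check a Struts 2 version string
against the affected ranges stated in the NVD text quoted in this article for
CVE-2016-3081, CVE-2016-0785 and CVE-2016-3082. Function names and the sample
jar listing are assumptions constructed for illustration."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn "2.3.28" or "2.3.24.1" into a 4-tuple so that 2.3.28 == 2.3.28.0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected Struts version string: {text!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


# (inclusive lower bound, exclusive upper bound), taken from the NVD wording:
# "2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1"
RANGES_3081_3082: List[Tuple[str, str]] = [
    ("2.0.0", "2.3.20.2"),
    ("2.3.24.0", "2.3.24.2"),
    ("2.3.28.0", "2.3.28.1"),
]
# "Apache Struts 2.x before 2.3.28". Note: the Apache S2-029 summary on this
# page lists 2.0.0 - 2.3.24.1 (except 2.3.20.3); the NVD bound is the more
# conservative of the two and is what this check uses.
RANGES_0785: List[Tuple[str, str]] = [("2.0.0", "2.3.28")]


def in_ranges(version: Version, ranges: List[Tuple[str, str]]) -> bool:
    """True when the version falls inside any [lo, hi) pair."""
    return any(parse_version(lo) <= version < parse_version(hi) for lo, hi in ranges)


def assess(version_text: str, dynamic_method_invocation: bool = False) -> Dict[str, bool]:
    """Map each CVE to True when the given version is in its affected range.

    CVE-2016-3081 only applies when Dynamic Method Invocation is enabled, so
    that flag gates it; the other two depend on the version alone.
    """
    v = parse_version(version_text)
    return {
        "CVE-2016-3081": dynamic_method_invocation and in_ranges(v, RANGES_3081_3082),
        "CVE-2016-0785": in_ranges(v, RANGES_0785),
        "CVE-2016-3082": in_ranges(v, RANGES_3081_3082),
    }


_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+){1,3})\.jar$")


def struts_core_versions(jar_names: List[str]) -> List[str]:
    """Pick the struts2-core version(s) out of a list of jar file names, such as
    a WEB-INF/lib directory listing; unrelated jars are ignored."""
    found = []
    for name in jar_names:
        m = _JAR_RE.match(name)
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    # Constructed WEB-INF/lib listing for illustration; not from any real deployment.
    lib_listing = [
        "commons-lang3-3.2.jar",
        "struts2-core-2.3.24.1.jar",
        "xwork-core-2.3.24.1.jar",
    ]
    for ver in struts_core_versions(lib_listing):
        print(ver, assess(ver, dynamic_method_invocation=True))
```

The DMI flag matters for triage: on a version inside the CVE-2016-3081 range, a deployment with struts.enable.DynamicMethodInvocation left at false is not exposed to that particular issue, while CVE-2016-0785 and CVE-2016-3082 depend on the version alone.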
 

 

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, EMC Corporation, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
