Article Content
Article Number | 000033134
Applies To | RSA Authentication Manager 8.x
CVE ID | CVE-2016-3081, CVE-2016-0785, CVE-2016-3082
Article Summary | Customer Support has asked whether the RSA Authentication Manager 8.x system is impacted by several vulnerabilities in Apache Struts 2, after reading the Apache Software Foundation's announcement of fixes for these issues.
S2-032: Remote code execution can be performed via the method: prefix when Dynamic Method Invocation is enabled.
S2-031: XSLTResult can be used to parse an arbitrary stylesheet.
S2-029: Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Link to Advisories | http://struts.apache.org/docs/s2-032.html
http://struts.apache.org/docs/s2-031.html
Alert Impact | Not Applicable
Technical Details | False positive
Resolution | Information from NVD, Apache and Struts source code.

CVE-2016-3081
Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via the method: prefix, related to chained expressions.
CVSS v3 Base Score: 8.1 High
When Dynamic Method Invocation is enabled, it is possible to pass a malicious expression that can be used to execute arbitrary code on the server side.
Response: The flaw does not exist. Dynamic Method Invocation is a feature of Struts 2. AM does not use an impacted version of Struts.

CVE-2016-0785
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
CVSS v3 Base Score: 8.8 High
The Apache Struts framework, when forced, performs double evaluation of the attribute values assigned to certain tags, so it is possible to pass in a value that will be evaluated again when the tag's attributes are rendered. (Processing in code associated with com.opensymphony.xwork2.ognl.)
Response: The flaw does not exist. The forced evaluation of Struts 2 attributes and OGNL expressions %{} is a feature of Struts 2. AM does not use an impacted version of Struts.

CVE-2016-3082
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
CVSS v3 Base Score: 9.8 Critical
XSLTResult allows the location of a stylesheet to be passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
Response: The flaw does not exist. XSLTResult uses XSLT to transform an action object to XML and is a feature of Struts 2. AM does not use an impacted version of Struts.
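To confirm a "not impacted" finding like this one on another product, the affected-version ranges quoted above can be checked against the Struts core JARs found in a deployment. The following is an added example, not part of the RSA advisory or of Struts itself. It assumes the JAR follows the `struts2-core-<version>.jar` naming; the function names and the sample file list are constructed for illustration.

```python
import re

# Affected ranges as quoted on this page: (branch prefix, first fixed version).
DMI_XSLT = [((2,), (2, 3, 20, 2)), ((2, 3, 24), (2, 3, 24, 2)), ((2, 3, 28), (2, 3, 28, 1))]
RANGES = {
    "CVE-2016-3081": DMI_XSLT,
    "CVE-2016-3082": DMI_XSLT,
    "CVE-2016-0785": [((2,), (2, 3, 28, 0))],
}

# Constructed sample input: file names as an inventory scan might list them.
SAMPLE_JARS = ["WEB-INF/lib/struts2-core-2.3.24.1.jar",
               "WEB-INF/lib/struts2-core-2.3.22.jar",
               "WEB-INF/lib/commons-io-2.4.jar"]

def parse(version):
    """'2.3.24.1' -> (2, 3, 24, 1); shorter versions are zero-padded to four parts."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def version_from_jar(filename):
    """Return the version in a struts2-core JAR name (assumed naming), or None."""
    m = re.search(r"struts2-core-(\d+(?:\.\d+){1,3})\.jar$", filename)
    return m.group(1) if m else None

def classify(version, cve):
    """Return 'affected', 'fixed', or 'unlisted' for one version and one CVE."""
    v, ranges = parse(version), RANGES[cve]
    for branch, fixed in ranges:
        if v[:len(branch)] == branch and v < fixed:
            return "affected"
    # Fixed only if on a branch with a listed fix, or newer than every listed fix.
    if any(v[:3] == fixed[:3] and v >= fixed for _, fixed in ranges):
        return "fixed"
    if v >= max(fixed for _, fixed in ranges):
        return "fixed"
    # e.g. 2.3.22: the quoted wording names no fix for this branch, so it needs
    # checking against the Apache bulletin instead of being assumed safe.
    return "unlisted"

def report(jar_names):
    """Map each Struts core JAR found to its per-CVE classification."""
    out = {}
    for name in jar_names:
        ver = version_from_jar(name)
        if ver:
            out[name] = {cve: classify(ver, cve) for cve in RANGES}
    return out

if __name__ == "__main__":
    for jar, result in report(SAMPLE_JARS).items():
        print(jar, result)
```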
Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800 995 5095. RSA Security LLC and its affiliates, including without limitation its ultimate parent company, EMC Corporation, distribute RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.