RSA Authentication Manager 8.x Security Vulnerabilities for Apache Struts 2 - False Positive
3 years ago
Originally Published: 2016-05-13
Article Number
000064299
Applies To

RSA Authentication Manager 8.x
 

CVE Identifier(s)
CVE-2016-3081, CVE-2016-0785, CVE-2016-3082
Article Summary

Customer Support has asked whether the RSA Authentication Manager 8.x system is impacted by several vulnerabilities in Apache Struts 2 after reading the announcement of fixes for these issues by the Apache Software Foundation.

The summarized announcements associated with the query are as follows (additional information is available at struts.apache.org):

 

 
S2-032
 
Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled.
 
Impact of vulnerabilityPossible Remote Code Execution
Affected SoftwareStruts 2.3.20 - Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
CVE IdentifierCVE-2016-3081
 
 
S2-031
 
XSLTResult can be used to parse arbitrary stylesheet
 
Impact of vulnerabilityPossible Remote Code Execution
Affected SoftwareStruts 2.0.0 - Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
CVE IdentifierCVE-2016-3082
 
 
S2-029
 
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
 
Impact of vulnerabilityPossible Remote Code Execution vulnerability
Affected SoftwareStruts 2.0.0 - Struts 2.3.24.1 (except 2.3.20.3)
CVE IdentifierCVE-2016-0785

 
 

Link to Advisories

http://struts.apache.org/docs/s2-032.html

http://struts.apache.org/docs/s2-031.html

https://struts.apache.org/docs/s2-029.html

Alert Impact
Not Applicable
Resolution

Information from NVD, Apache and Struts source code.

CVE-2016-3081

Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

CVSS v3 Base Score: 8.1 High

It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled.

Response: The flaw does not exist

Dynamic Method Invocation is a feature of Struts 2. AM does not use an impacted version of Struts.

CVE-2016-0785

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

CVSS v3 Base Score: 8.8 High

The Apache Struts frameworks when forced, performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered. (Processing in code associated with com.opensymphony.xwork2.ognl.)

Response: The flaw does not exist

The forced evaluation of Struts 2 attributes and OGNL expressions %{} are a feature of Struts 2. AM does not use an impacted version of Struts.

CVE-2016-3082

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

CVSS v3 Base Score: 9.8 Critical

XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.

Response: The flaw does not exist

XSLTResult uses XSLT to transform an action object to XML and is a feature of Struts 2. AM does not use an impacted version of Struts.
 

Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, EMC Corporation, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Related Articles

Trending Articles

Don't see what you're looking for?