Apache Struts: Zero-Day Exploit Mitigation

Number: AL14-025
Date: 24 April 2014

Purpose

The purpose of this Alert is to bring attention to a recently announced security vulnerability for Apache Struts.

Assessment

Apache Struts 2 up to and including 2.3.16.1 is reported to be affected by a zero-day vulnerability. Specifically, the ClassLoader manipulation via request parameters issue that the 2.3.16.1 security release of 2 March 2014 was meant to resolve has been confirmed to be only partially fixed: the parameter exclusion added in that release can be bypassed, so an attacker can still reach the ClassLoader through crafted request parameter names.

According to the Apache Struts Team, a security fix release fully addressing these issues is in preparation and will be published as soon as possible. Once it is available, all Struts 2 users are strongly encouraged to update their installations. Until then, the configuration change below should be applied.

Suggested action

The Apache Struts Team has published the following mitigation information:

In struts.xml, replace every custom reference to the params interceptor with the following, paying particular attention to the class pattern at the beginning of the excludeParams list: it matches both class and Class, and the quoted bracket forms ['class'] and ["class"], rather than only the lower-case dotted prefix:

<interceptor-ref name="params">
    <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
</interceptor-ref>

If you are using the default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized, secured configuration as in the following example. If you have been using defaultStack, change your packages from

<package name="default" namespace="/" extends="struts-default">
    <default-interceptor-ref name="defaultStack" />
    ...
    ...
</package>
to

<package name="default" namespace="/" extends="struts-default">
    <interceptors>
        <interceptor-stack name="secureDefaultStack">
            <interceptor-ref name="defaultStack">
                <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
            </interceptor-ref>
        </interceptor-stack>
    </interceptors>

    <default-interceptor-ref name="secureDefaultStack" />
    ...
</package>
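As an added check that is not part of the CCIRC alert or of the Apache Struts project, the following Python script applies an excludeParams list the way Struts does (split on commas, each piece a separate regular expression that must match the whole parameter name) to a constructed set of parameter names, and compares the alert's pattern against a single case-sensitive ^class\..* exclusion of the kind the earlier fix relied on (that earlier pattern is the example author's understanding of the 2.3.16.1 default, not quoted from the alert). It also parses a struts.xml fragment to pull out the configured excludeParams values, so the same check can be run against a real deployment's configuration. The parameter names, the struts.xml sample and the ClassLoader property name defaultAssertionStatus are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# excludeParams value from the alert, verbatim. Struts splits the value on
# commas and compiles each piece as a separate regex; this does the same.
SECURE_EXCLUDE_PARAMS = (
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,"""
    r"""^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"""
    r"""^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"""
)

# The exclusion the earlier fix relied on, as understood by the author of this
# example (assumption, not quoted from the alert): one case-sensitive entry
# that only matches the lower-case dotted prefix.
INSUFFICIENT_EXCLUDE_PARAMS = (
    r"""^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"""
    r"""^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*,"""
    r"""^class\..*"""
)

# Constructed request parameter names. The ClassLoader property is arbitrary;
# what matters is the spelling of the prefix that reaches "class".
SAMPLE_PARAMS = [
    "class.classLoader.defaultAssertionStatus",
    "Class.classLoader.defaultAssertionStatus",
    "['class'].classLoader.defaultAssertionStatus",
    '["class"].classLoader.defaultAssertionStatus',
    "user.name",        # ordinary form field, must keep binding
    "classification",   # contains "class" but not followed by . or [
    "subclass.id",      # legitimate name that the new pattern also drops
]

# Constructed struts.xml modelled on the secured package from the alert.
STRUTS_XML = """<struts>
  <package name="default" namespace="/" extends="struts-default">
    <interceptors>
      <interceptor-stack name="secureDefaultStack">
        <interceptor-ref name="defaultStack">
          <param name="params.excludeParams">%s</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="secureDefaultStack" />
  </package>
</struts>
""" % SECURE_EXCLUDE_PARAMS


def compile_exclude_params(value):
    """Split a Struts excludeParams value into one compiled regex per entry."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def is_excluded(param_name, patterns):
    """Struts tests each pattern with Matcher.matches(), i.e. the whole
    parameter name has to match; re.fullmatch is the Python equivalent."""
    return any(p.fullmatch(param_name) for p in patterns)


def excluded_names(param_names, value):
    """Return the subset of param_names that the excludeParams value drops."""
    patterns = compile_exclude_params(value)
    return [n for n in param_names if is_excluded(n, patterns)]


def exclude_params_from_struts_xml(xml_text):
    """Collect every excludeParams / params.excludeParams value declared in a
    struts.xml so a deployment's real configuration can be checked."""
    root = ET.fromstring(xml_text)
    return [
        (param.text or "").strip()
        for param in root.iter("param")
        if param.get("name") in ("excludeParams", "params.excludeParams")
    ]


def check_struts_xml(xml_text):
    """True only if the file declares at least one excludeParams list and every
    list blocks all four spellings that reach the ClassLoader."""
    probes = SAMPLE_PARAMS[:4]
    values = exclude_params_from_struts_xml(xml_text)
    return bool(values) and all(excluded_names(probes, v) == probes for v in values)


if __name__ == "__main__":
    for label, value in (("single ^class\\..* entry", INSUFFICIENT_EXCLUDE_PARAMS),
                         ("alert mitigation", SECURE_EXCLUDE_PARAMS)):
        print(label, "drops:", excluded_names(SAMPLE_PARAMS, value))
    print("struts.xml hardened:", check_struts_xml(STRUTS_XML))
```

Two points the run makes visible: the single lower-case entry lets Class.classLoader and both bracket spellings through, while the alert's pattern drops all four; and because the first pattern opens with an unanchored .* alternative, any parameter whose name contains class or Class immediately followed by a dot or a bracket (subclass.id in the sample) is dropped as well, so form fields named that way will stop binding after the mitigation is applied, whereas names such as classification are unaffected.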

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
