The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2013-092

DATE(S) ISSUED:
9/23/2013

SUBJECT:
Vulnerabilities in Apache Struts Could Allow Remote Code Execution

OVERVIEW:

Vulnerabilities have been discovered in Apache Struts which could allow remote code execution. Apache Struts is an open source, model-view-controller (MVC) framework used for building Java web applications. Successful exploitation could result in an attacker executing arbitrary code in the context of the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Versions 2.0.0 - 2.3.15.1

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: N/A

DESCRIPTION:
Vulnerabilities have been found in Apache Struts versions 2.0.0 - 2.3.15.1 which could allow for remote code execution. The details of these vulnerabilities are as follows:

  • S2-018 - A broken access control vulnerability exists in the action mapping mechanism which is intended to help with attaching navigational information to buttons within forms.
  • S2-019 - A vulnerability exists because Dynamic Method Invocation within the Struts framework is enabled by default. Apache disclosed that Dynamic Method Invocation, which handles the activation of a process (method) within an object at runtime, is known to carry multiple security risks.

Successful exploitation could result in an attacker executing arbitrary code in the context of the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade vulnerable Apache Struts products immediately after appropriate testing.
  • Disable the Dynamic Method Invocation. In version 2.3.15.2, Dynamic Method Invocation is set to false by default.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Apply the principle of Least Privilege to all services.
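To verify the second recommendation on a deployment, the following audit script (an added example, not part of the advisory or of the Struts project) computes the effective Dynamic Method Invocation setting from the Struts version plus any struts.xml and struts.properties overrides. It assumes the standard Struts 2 constant name struts.enable.DynamicMethodInvocation and the documented load order in which struts.properties is read after struts.xml; the sample configuration is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

DMI_KEY = "struts.enable.DynamicMethodInvocation"
DMI_OFF_SINCE = (2, 3, 15, 2)   # first release where DMI defaults to false (S2-019)

def parse_version(version):
    """'2.3.15.1' -> (2, 3, 15, 1) so releases compare numerically."""
    return tuple(int(p) for p in version.split("."))

def xml_constants(struts_xml):
    """Collect <constant name=".." value=".."/> entries from a struts.xml document."""
    root = ET.fromstring(struts_xml)
    return {c.get("name"): c.get("value") for c in root.iter("constant")}

def properties_constants(struts_properties):
    """Parse the key=value (or key: value) lines of struts.properties, skipping comments."""
    found = {}
    for line in struts_properties.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def dmi_enabled(version, struts_xml="<struts/>", struts_properties=""):
    """Effective DMI state: the version default, overridden by struts.xml,
    then by struts.properties (assumed load order: struts.xml before struts.properties)."""
    enabled = parse_version(version) < DMI_OFF_SINCE
    for source in (xml_constants(struts_xml), properties_constants(struts_properties)):
        if DMI_KEY in source:
            enabled = source[DMI_KEY].strip().lower() == "true"
    return enabled

# Constructed sample configuration for the demonstration, not taken from any real deployment.
SAMPLE_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
  <package name="default" extends="struts-default">
    <action name="save" class="example.SaveAction" method="save"/>
  </package>
</struts>"""
SAMPLE_PROPS = "# local override left behind by a developer\nstruts.enable.DynamicMethodInvocation = true\n"

if __name__ == "__main__":
    print("2.3.15.1 with struts.xml off:", dmi_enabled("2.3.15.1", SAMPLE_XML))
    print("...but struts.properties re-enables it:", dmi_enabled("2.3.15.1", SAMPLE_XML, SAMPLE_PROPS))
```

The third case is the one to watch for in practice: a struts.properties override silently re-enables DMI even when struts.xml turns it off, so both files should be checked, not just one.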

REFERENCES:
Apache:
http://struts.apache.org/release/2.3.x/docs/s2-018.html
http://struts.apache.org/release/2.3.x/docs/s2-019.html

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4316

SecurityFocus:
http://www.securityfocus.com/bid/62587

Deborah A. Snyder

Acting Chief Information Security Officer
