-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2013-0064


Title: Apache Struts Security Update [3]

Version history:
09.08.2013 Initial publication

Summary
=======
A couple of vulnerabilities have that have been detected in Struts framework allow arbitrary code execution and open redirections. It is important to update the struts versions because we were informed that these vulnerabilities are being exploited in the wild.

CVE numbers: CVE2013-2251
CVSS v2 Base Score:9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) [1]

CVE numbers: CVE2013-2248
CVSS v2 Base Score:5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) [2]

Vulnerable systems
==================
Struts 2.0.0 - Struts 2.3.15 

Original Details
================
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. (CVE2013-2251)

The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectAction:", followed by a desired redirect target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location.(CVE2013-2248)

What can you do?
================
Developers should immediately upgrade to Struts 2.3.15.1 [4]

What to tell your users?
========================
N/A

More information
================
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2251
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2248
[3] http://struts.apache.org/development/2.x/docs/s2-017.html and s2-016.html
[4] http://struts.apache.org/download.cgi#struts2315


Best regards,

CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement:
http://cert.europa.eu/cert/plainedition/en/cert_privacy.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJSBLglAAoJEPpzpNLI8SVoRQ8P/1eP6JF18/bJqA7ZIwt2yyBk
e5zWONEi7vHr3jJqSQ47wjoWD0Mphtw2+bJbIFxT+5ZN5zay8P3eFK47+CJO9Y/M
hWf8KHlhtUc1P9QwIFvwJLgROuKP7UqTtFlrFNH1AWag6ix+X45afaLWsjBhrZy7
Je65xpCWl30SrMCglUHBSJtGz2DYyMHW3YLUiKDEEA8VhiW/A6CXLA9Jt3A+m+yu
HoCFLFKZsumiKU5icID0wopuYXO605WQOph/Jb84MTpoiIC0fc4TVqBME3LScbXa
KI4osb3cQvWIWkd7kfT0hpvKznbA+I2+kbIeRyaPEH6HeevkqHkb0i289SzzjjQW
ob1mBGuOg6NrAaE+ngg1G4W70PyOSicaaN2kQxXW0afRIKt3ih/xCOjCWziXPfWB
enZDfS7lo3AtqDoPGOFDfx6EsgsRqL9+zpXN6+N2H0lsTzFObuHFTiIAZOlRPSHu
FxHJsewaJUd5uFJbPaxU4A/vv9MkKkqcg1HbdzDMQDb8hO3TPNg+r7BWfd7V9Qbj
/YpevVvBIOuEFoy8REjq1UprOqNDAdiGWR9ZmPmy2wntMtnOCzFLaIhCXK/wxn7/
JzMgjat65GUTJntT5ZexKqsjjEwng5i5tX4w8g2ZsII5k7m47cB7MVF4vARVuUB+
GTJ96x1EDIDuFfbK7U4o
=h0n0
-----END PGP SIGNATURE-----