PROBLEM:
Apache Struts ParametersInterceptor Flaw Lets Remote Users Execute Arbitrary Commands
PLATFORM:
Struts 2.0.0 - Struts 2.3.1.1
ABSTRACT:
A remote user can execute arbitrary code on the target system.
REFERENCE LINKS:
CVE-2011-3923
SecurityTracker Alert ID: 1026575
Apache Struts 2 Documentation S2-009
blog.o0o.nu
IMPACT ASSESSMENT:
High
DISCUSSION:
A vulnerability was reported in Apache Struts. It allows a malicious user to bypass all of the protections built into the ParametersInterceptor (the parameter-name regex pattern and the deny-method-invocation setting) and so inject a malicious expression into any exposed string variable, where it is later evaluated. The injected code runs with the privileges of the target web service.
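The following is an added detection example, not part of the original advisory or of the Struts project. It scans web-server access-log lines (a few constructed samples are embedded) for request parameters that fall outside a conservative parameter-name allow-list or whose values carry expression-language markers, which is the shape of traffic a defender would want flagged while the upgrade in S2-009 is rolled out. The allow-list regex, the marker regex and the log format are assumptions for this example; they are not the framework's own patterns.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed conservative allow-list for parameter names: letters, digits, '_', '.',
# and index brackets only. This is deliberately stricter than what the framework
# itself accepts; anything outside it deserves a look.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.\[\]]+$")

# Assumed markers of expression syntax that ordinary form values never contain:
# the '#' and '@' sigils, the '%{' opener, and bracket/paren chaining.
EXPR_MARKERS = re.compile(r"[#@]|%\{|\(\s*#|\)\s*\(")

# Assumed Common Log Format line, e.g.
#   1.2.3.4 - - [10/Jan/2012:10:00:00 +0000] "GET /x.action?a=1 HTTP/1.1" 200 512
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic): one benign request, one with an
# expression sigil in a value, one with parentheses inside a parameter name.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2012:10:00:00 +0000] '
    '"GET /app/login.action?username=alice&remember=true HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Jan/2012:10:00:01 +0000] '
    '"GET /app/login.action?username=%23foo HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jan/2012:10:00:02 +0000] '
    '"GET /app/search.action?q%5B(x)%5D=1 HTTP/1.1" 500 88',
]


def suspicious_params(target):
    """Return (reason, name, value) tuples for query parameters that look like
    attempts to smuggle an expression through the parameters interceptor."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl percent-decodes names and values, so encoded sigils are caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not SAFE_NAME.match(name):
            hits.append(("unsafe-name", name, value))
        elif EXPR_MARKERS.search(value):
            hits.append(("expr-marker-in-value", name, value))
    return hits


def scan_access_log(lines):
    """Return one record per log line that carries at least one suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "client": m.group("client"),
                "target": m.group("target"),
                "status": m.group("status"),
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["client"], finding["status"], finding["target"])
        for reason, name, value in finding["hits"]:
            print("   ", reason, repr(name), repr(value))
```

Flagging on parameter names as well as values matters here: the advisory's point is that the name pattern check alone was bypassable, so a detection that only inspects values would miss part of the picture. Tune the allow-list to the application's real field names before using it on production logs.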
IMPACT:
A remote user can execute arbitrary commands on the target system.
SOLUTION:
Please follow the recommendations outlined in S2-009 and upgrade to Struts 2.3.1.2.