CVE-2017-9787 - Unspecified vulnerability in Apache Struts
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: NONE
- Availability impact: HIGH

Summary
When using Spring AOP functionality to secure Struts actions, it is possible to perform a DoS attack. The solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
Nessus
- NASL family: CGI abuses
- NASL id: MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL
- description: According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.9.2249, 3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225. It is, therefore, affected by multiple vulnerabilities as noted in the October 2017 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information. Note that Nessus has not tested for these issues but has instead relied only on the application
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 103536
- published: 2017-09-28
- reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/103536
- title: MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)
- code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(103536);
      script_version("1.11");
      script_cvs_date("Date: 2019/11/12");

      script_cve_id("CVE-2017-5664", "CVE-2017-9787", "CVE-2017-10424");
      script_bugtraq_id(98888, 99562, 101381);

      script_name(english:"MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)");
      script_summary(english:"Checks the version of MySQL Enterprise Monitor.");

      script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host is affected by a denial of service vulnerability in apache struts 2.");
      script_set_attribute(attribute:"description", value: "According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.9.2249, 3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225. It is, therefore, affected by multiple vulnerabilities as noted in the October 2017 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.");
      # https://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html#AppendixMSQL
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0d67d494");
      # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6b8727c4");
      script_set_attribute(attribute:"solution", value: "Upgrade to MySQL Enterprise Monitor version 3.2.9.2249 / 3.3.5.3292 / 3.4.3.4225 or later as referenced in the Oracle security advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-10424");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/28");

      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql_enterprise_monitor");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");

      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("mysql_enterprise_monitor_web_detect.nasl");
      script_require_keys("installed_sw/MySQL Enterprise Monitor", "Settings/ParanoidReport");
      script_require_ports("Services/www", 18443);

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");

    # Version-only check: exit unless report paranoia is set to Paranoid.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);

    app = "MySQL Enterprise Monitor";
    get_install_count(app_name:app, exit_if_zero:TRUE);

    port = get_http_port(default:18443);
    install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);
    version = install['version'];
    install_url = build_url(port:port, qs:"/");

    # Fixed release for each affected branch.
    fixes = {
      "^3.4": "3.4.3.4225",
      "^3.3": "3.3.5.3292",
      "^3.2": "3.2.9.2249"
    };

    vuln = FALSE;
    fix = '';

    # Flag the install if its version is below the fix for its branch.
    foreach (prefix in keys(fixes))
    {
      if (version =~ prefix && ver_compare(ver:version, fix:fixes[prefix], strict:FALSE) < 0)
      {
        vuln = TRUE;
        fix = fixes[prefix];
        break;
      }
    }

    if (vuln)
    {
      report = '\n URL : ' + install_url + '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n';
      security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);

- NASL family: Misc.
- NASL id: STRUTS_2_3_33.NASL
- description: The version of Apache Struts running on the remote host is 2.3.x prior to 2.3.33. It is, therefore, affected by the following vulnerability:
  - A flaw exists in unspecified Spring AOP functionality that is used to secure Struts actions. An authenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-9787)

  Note that Nessus has not tested for these issues but has instead relied only on the application
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 118731
- published: 2018-11-05
- reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/118731
- title: Apache Struts 2.3.x < 2.3.33 Denial of Service (S2-049)
- code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(118731);
      script_version("1.4");
      script_cvs_date("Date: 2019/11/04");

      script_cve_id("CVE-2017-9787");
      script_bugtraq_id(99563);

      script_name(english:"Apache Struts 2.3.x < 2.3.33 Denial of Service (S2-049)");
      script_summary(english:"Checks the Struts 2 version.");

      script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host uses a Java framework that is affected by multiple denial of service vulnerabilities.");
      script_set_attribute(attribute:"description", value: "The version of Apache Struts running on the remote host is 2.3.x prior to 2.3.33. It is, therefore, affected by the following vulnerability: - A flaw exists in unspecified Spring AOP functionality that is used to secure Struts actions. An authenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-9787) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.33");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-049");
      script_set_attribute(attribute:"solution", value: "Upgrade to Apache Struts version 2.3.33 or later. Alternatively, apply the workaround referenced in the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9787");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"agent", value:"all");

      script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/05");

      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");

      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts");

      exit(0);
    }

    include("vcf.inc");

    # Version-only check: exit unless report paranoia is set to Paranoid.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);

    app_info = vcf::combined_get_app_info(app:"Apache Struts");

    vcf::check_granularity(app_info:app_info, sig_segments:3);

    # Affected range: 2.3.0 up to, but not including, 2.3.33.
    constraints = [{ "min_version" : "2.3.0", "fixed_version" : "2.3.33" }];

    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

- NASL family: Misc.
- NASL id: STRUTS_2_5_12.NASL
- description: The version of Apache Struts running on the remote host is 2.5.x prior to 2.5.12. It is, therefore, affected by multiple vulnerabilities:
  - A denial of service vulnerability exists when handling a specially crafted URL in a form field when the built-in URL validator is used. An unauthenticated, remote attacker can exploit this to cause the server process to overload. Note that this issue only affects version 2.5.x. (CVE-2017-7672)
  - A flaw exists in unspecified Spring AOP functionality that is used to secure Struts actions. An authenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-9787)
  - A deserialization vulnerability in Apache Commons FileUpload which could be leveraged for remote code execution. (CVE-2016-1000031)

  Note that Nessus has not tested for these issues but has instead relied only on the application
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 101548
- published: 2017-07-14
- reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/101548
- title: Apache Struts 2.5.x < 2.5.12 Multiple DoS (S2-047) (S2-049)
- code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(101548);
      script_version("1.13");
      script_cvs_date("Date: 2019/02/15 10:32:14");

      script_cve_id(
        "CVE-2016-1000031",
        "CVE-2017-7672",
        "CVE-2017-9787"
      );
      script_bugtraq_id(
        93604,
        99562,
        99563
      );
      script_xref(name:"TRA", value:"TRA-2016-12");
      script_xref(name:"IAVA", value:"2018-A-0355");

      script_name(english:"Apache Struts 2.5.x < 2.5.12 Multiple DoS (S2-047) (S2-049)");
      script_summary(english:"Checks the Struts 2 version.");

      script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host uses a Java framework that is affected by multiple denial of service vulnerabilities.");
      script_set_attribute(attribute:"description", value: "The version of Apache Struts running on the remote host is 2.5.x prior to 2.5.12. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists when handling a specially crafted URL in a form field when the built-in URL validator is used. An unauthenticated, remote attacker can exploit this to cause the server process to overload. Note that this issue only affects version 2.5.x. (CVE-2017-7672) - A flaw exists in unspecified Spring AOP functionality that is used to secure Struts actions. An authenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-9787) - A deserialization vulnerability in Apache Commons FileUpload which could be leveraged for remote code execution. (CVE-2016-1000031) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.12");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-047");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-049");
      script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/WW-4812");
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2016-12");
      script_set_attribute(attribute:"solution", value: "Upgrade to Apache Struts version 2.5.12 or later. Alternatively, apply the workaround referenced in the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1000031");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/14");

      script_set_attribute(attribute:"agent", value:"all");
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");

      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("installed_sw/Apache Struts","installed_sw/Struts");

      exit(0);
    }

    include("vcf.inc");

    # Version-only check: exit unless report paranoia is set to Paranoid.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);

    app_info = vcf::combined_get_app_info(app:"Apache Struts");

    vcf::check_granularity(app_info:app_info, sig_segments:3);

    # Affected range: 2.5.0 up to, but not including, 2.5.12.
    constraints = [
      { "min_version" : "2.5.0", "fixed_version" : "2.5.12" }
    ];

    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

References
- http://struts.apache.org/docs/s2-049.html
- http://www.securityfocus.com/bid/99562
- http://www.securitytracker.com/id/1039115
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
- https://security.netapp.com/advisory/ntap-20180706-0002/
- https://lists.apache.org/thread.html/de3d325f0433cd3b42258b6a302c0d7a72b69eedc1480ed561d3b065%40%3Cannouncements.struts.apache.org%3E
- https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d%40%3Cannouncements.struts.apache.org%3E