Vulnerabilities > CVE-2017-9787 - Unspecified vulnerability in Apache Struts

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
apache
nessus

Summary

When Spring AOP functionality is used to secure Struts actions, it is possible to perform a DoS attack. The solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

Nessus

  • NASL family: CGI abuses
    NASL id: MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL
    description: According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.9.2249, 3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225. It is, therefore, affected by multiple vulnerabilities as noted in the October 2017 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103536
    published: 2017-09-28
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103536
    title: MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: when `description` is set the script only records its
    # metadata (ids, references, scoring, prerequisites) and exits via exit(0)
    # at the end of the block, before any of the check logic below it runs.
    if (description)
    {
      script_id(103536);
      script_version("1.11");
      script_cvs_date("Date: 2019/11/12");
    
      # Three CVEs are bundled under one finding; CVE-2017-9787 is the Struts
      # denial of service that the synopsis below refers to.
      script_cve_id("CVE-2017-5664", "CVE-2017-9787", "CVE-2017-10424");
      script_bugtraq_id(98888, 99562, 101381);
    
      script_name(english:"MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)");
      script_summary(english:"Checks the version of MySQL Enterprise Monitor.");
    
      # NOTE(review): the synopsis names only a Struts 2 denial of service, while
      # the plugin name, the description and the CVE list cover multiple
      # vulnerabilities. Triage from the CVE list, not from the synopsis.
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by a denial
    of service vulnerability in apache struts 2.");
      # The description states the detection limit explicitly: the result rests
      # on the self-reported version, not on a test of the flaws themselves.
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the MySQL Enterprise Monitor
    application running on the remote host is 3.2.x prior to 3.2.9.2249,
    3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225.
    It is, therefore, affected by multiple vulnerabilities as
    noted in the October 2017 Critical Patch Update advisory. Please
    consult the CVRF details for the applicable CVEs for additional
    information.
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # NOTE(review): the advisory URL below is named for CVE-2017-9805, which is
      # not listed in script_cve_id above - confirm the reference is intended.
      # https://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html#AppendixMSQL
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0d67d494");
      # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6b8727c4");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MySQL Enterprise Monitor version 3.2.9.2249 / 3.3.5.3292 / 
    3.4.3.4225 or later as referenced in the Oracle security advisory.");
      # The base vectors are taken from CVE-2017-10424 (see cvss_score_source
      # below), so they carry confidentiality and integrity impact and a
      # user-interaction requirement (UI:R); they do not describe the
      # availability-only Struts issue on its own.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-10424");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/28");
    
      # Marks the finding as unconfirmed, matching the version-only wording of
      # the description; a patched or mitigated install can still be reported.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql_enterprise_monitor");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Prerequisites: the web detection plugin must have run, and both KB keys
      # must exist - a recorded install of the product and the paranoid-report
      # setting. Presumably the detection plugin is what writes the
      # installed_sw key; confirm against that plugin.
      script_dependencies("mysql_enterprise_monitor_web_detect.nasl");
      script_require_keys("installed_sw/MySQL Enterprise Monitor", "Settings/ParanoidReport");
      script_require_ports("Services/www", 18443);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
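    # Version-only check for MySQL Enterprise Monitor: the version recorded for
    # the install is compared with the first fixed build of its release branch.
    # Nothing here tests the flaws themselves, so the script audits out unless
    # paranoid reporting is enabled (report_paranoia >= 2).
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    app  = "MySQL Enterprise Monitor";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    port = get_http_port(default:18443);
    # exit_if_unknown_ver:TRUE - an install without a recorded version cannot be
    # compared, so it is not reported either way.
    install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);
    version = install['version'];
    install_url = build_url(port:port, qs:"/");
    
    # Branch selector (regular expression) -> first fixed build on that branch.
    # The dot is escaped and the minor number must end at a segment boundary, so
    # that "^3.4" can no longer match an unrelated string such as "3x4" or a
    # longer minor number such as "3.40": a build is only ever compared against
    # the fix for its own branch.
    fixes = {
              "^3\.4([^0-9]|$)": "3.4.3.4225",
              "^3\.3([^0-9]|$)": "3.3.5.3292",
              "^3\.2([^0-9]|$)": "3.2.9.2249"
            };
    
    vuln = FALSE;
    fix = '';
    foreach (prefix in keys(fixes))
    {
      # Affected when the install is on this branch and older than its fix.
      if (version =~ prefix && ver_compare(ver:version,
                                           fix:fixes[prefix],
                                           strict:FALSE) < 0)
      {
        vuln = TRUE;
        fix = fixes[prefix];
        break;
      }
    }
    
    if (vuln)
    {
      # The report gives the operator the URL, the version that was seen and the
      # build to upgrade to; any branch outside 3.2-3.4 falls through to the
      # not-affected audit below.
      report =
        '\n  URL               : ' + install_url +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix +
        '\n';
      security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);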
    
  • NASL family: Misc.
    NASL id: STRUTS_2_3_33.NASL
    description: The version of Apache Struts running on the remote host is 2.3.x prior to 2.3.33. It is, therefore, affected by the following vulnerability: - A flaw exists in unspecified Spring AOP functionality that is used to secure Struts actions. An authenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-9787) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 118731
    published: 2018-11-05
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118731
    title: Apache Struts 2.3.x < 2.3.33 Denial of Service (S2-049)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: when `description` is set the script only records its
    # metadata (ids, references, scoring, prerequisites) and exits via exit(0)
    # at the end of the block, before any of the check logic below it runs.
    if (description)
    {
      script_id(118731);
      script_version("1.4");
      script_cvs_date("Date: 2019/11/04");
    
      script_cve_id("CVE-2017-9787");
      script_bugtraq_id(99563);
    
      script_name(english:"Apache Struts 2.3.x < 2.3.33 Denial of Service (S2-049)");
      script_summary(english:"Checks the Struts 2 version.");
    
      # NOTE(review): the synopsis speaks of "multiple" denial of service
      # vulnerabilities, but this plugin lists a single CVE and the description
      # says "the following vulnerability".
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host uses a Java framework
    that is affected by multiple denial of service vulnerabilities.");
      # NOTE(review): the text below says "authenticated" attacker, whereas the
      # vectors further down score the issue as Au:N / PR:N (no privileges).
      # Treat the vectors as the more conservative reading when prioritising.
      script_set_attribute(attribute:"description", value:
    "The version of Apache Struts running on the remote host is 2.3.x prior
    to 2.3.33. It is, therefore, affected by the following vulnerability:
    
      - A flaw exists in unspecified Spring AOP functionality
        that is used to secure Struts actions. An authenticated,
        remote attacker can exploit this to cause a denial of
        service condition. (CVE-2017-9787)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.33");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-049");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Struts version 2.3.33 or later.
    Alternatively, apply the workaround referenced in the vendor advisory.");
      # Availability-only impact over the network (C:N/I:N, A:P in v2, A:H in v3).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9787");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"agent", value:"all");
    
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/05");
    
      # Marks the finding as unconfirmed: the check is a version comparison, so
      # an install that applied the vendor workaround instead of upgrading can
      # still be reported.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Prerequisites: the Struts detection plugins and the paranoid-report
      # setting. The two installed_sw keys are passed to script_require_ports
      # rather than script_require_keys - presumably so that either one of them
      # is enough to schedule the plugin; confirm against the scanner's
      # documentation.
      script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts");
    
      exit(0);
    }
    
    include("vcf.inc");
    
    # Version comparison only - the flaw itself is not tested - so the script
    # audits out unless paranoid reporting is enabled.
    if (report_paranoia < 2)
    {
      audit(AUDIT_PARANOID);
    }
    
    # Affected range on the 2.3 branch: from 2.3.0 up to the fixed 2.3.33.
    affected_range = [
      { "min_version" : "2.3.0", "fixed_version" : "2.3.33" }
    ];
    
    struts_install = vcf::combined_get_app_info(app:"Apache Struts");
    
    # Three version segments are required; presumably a coarser version is
    # rejected here rather than compared - confirm against vcf.inc.
    vcf::check_granularity(app_info:struts_install, sig_segments:3);
    
    vcf::check_version_and_report(
      app_info:struts_install,
      constraints:affected_range,
      severity:SECURITY_WARNING
    );
    
  • NASL family: Misc.
    NASL id: STRUTS_2_5_12.NASL
    description: The version of Apache Struts running on the remote host is 2.5.x prior to 2.5.12. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists when handling a specially crafted URL in a form field when the built-in URL validator is used. An unauthenticated, remote attacker can exploit this to cause the server process to overload. Note that this issue only affects version 2.5.x. (CVE-2017-7672) - A flaw exists in unspecified Spring AOP functionality that is used to secure Struts actions. An authenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-9787) - A deserialization vulnerability in Apache Commons FileUpload which could be leveraged for remote code execution. (CVE-2016-1000031) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101548
    published: 2017-07-14
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101548
    title: Apache Struts 2.5.x < 2.5.12 Multiple DoS (S2-047) (S2-049)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: when `description` is set the script only records its
    # metadata (ids, references, scoring, prerequisites) and exits via exit(0)
    # at the end of the block, before any of the check logic below it runs.
    if (description)
    {
      script_id(101548);
      script_version("1.13");
      script_cvs_date("Date: 2019/02/15 10:32:14");
    
      # Two denial of service issues plus CVE-2016-1000031, which the
      # description below characterises as a deserialization flaw that could be
      # leveraged for remote code execution.
      script_cve_id(
        "CVE-2016-1000031",
        "CVE-2017-7672",
        "CVE-2017-9787"
      );
      script_bugtraq_id(
        93604,
        99562,
        99563
      );
      script_xref(name:"TRA", value:"TRA-2016-12");
      script_xref(name:"IAVA", value:"2018-A-0355");
    
      # NOTE(review): the name and synopsis mention only denial of service, yet
      # the scoring below is taken from CVE-2016-1000031. Prioritise this
      # finding by its CVE list and vectors, not by the "Multiple DoS" title.
      script_name(english:"Apache Struts 2.5.x < 2.5.12 Multiple DoS (S2-047) (S2-049)");
      script_summary(english:"Checks the Struts 2 version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host uses a Java framework
    that is affected by multiple denial of service vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Apache Struts running on the remote host is 2.5.x 
    prior to 2.5.12. It is, therefore, affected by multiple 
    vulnerabilities :
    
      - A denial of service vulnerability exists when handling
        a specially crafted URL in a form field when the
        built-in URL validator is used. An unauthenticated,
        remote attacker can exploit this to cause the server
        process to overload. Note that this issue only affects
        version 2.5.x. (CVE-2017-7672)
    
      - A flaw exists in unspecified Spring AOP functionality
        that is used to secure Struts actions. An authenticated,
        remote attacker can exploit this to cause a denial of
        service condition. (CVE-2017-9787)
    
      - A deserialization vulnerability in Apache Commons 
        FileUpload which could be leveraged for remote
        code execution. (CVE-2016-1000031)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.12");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-047");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-049");
      script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/WW-4812");
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2016-12");  
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Struts version 2.5.12 or later.
    Alternatively, apply the workaround referenced in the vendor advisory.");
      # Vectors follow cvss_score_source (CVE-2016-1000031): confidentiality,
      # integrity and availability impact, no privileges, no user interaction.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1000031");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/14");
    
      script_set_attribute(attribute:"agent", value:"all");
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      # Marks the finding as unconfirmed: the check is a version comparison, so
      # an install that applied the vendor workaround instead of upgrading can
      # still be reported.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Prerequisites: the Struts detection plugins and the paranoid-report
      # setting. The two installed_sw keys are passed to script_require_ports
      # rather than script_require_keys - presumably so that either one of them
      # is enough to schedule the plugin; confirm against the scanner's
      # documentation.
      script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("installed_sw/Apache Struts","installed_sw/Struts");
    
      exit(0);
    }
    
    include("vcf.inc");
    
    # Version comparison only - none of the listed flaws is tested - so the
    # script audits out unless paranoid reporting is enabled.
    if (report_paranoia < 2)
    {
      audit(AUDIT_PARANOID);
    }
    
    # Affected range on the 2.5 branch: from 2.5.0 up to the fixed 2.5.12.
    affected_range = [{ "min_version" : "2.5.0", "fixed_version" : "2.5.12" }];
    
    struts_install = vcf::combined_get_app_info(app:"Apache Struts");
    
    # Three version segments are required; presumably a coarser version is
    # rejected here rather than compared - confirm against vcf.inc.
    vcf::check_granularity(app_info:struts_install, sig_segments:3);
    
    # Reported at SECURITY_HOLE, unlike the 2.3.x plugin's SECURITY_WARNING.
    vcf::check_version_and_report(
      app_info:struts_install,
      constraints:affected_range,
      severity:SECURITY_HOLE
    );