Bug 1179775 - (CVE-2020-17530) VUL-0: CVE-2020-17530: struts: Potential RCE when using forced evaluation
(CVE-2020-17530)
VUL-0: CVE-2020-17530: struts: Potential RCE when using forced evaluation
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/272815/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-12-08 16:16 UTC by Wolfgang Frisch
Modified: 2020-12-08 16:22 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2020-12-08 16:16:31 UTC
via oss-security:
------------------------------------------------------------------------------
Apache Struts 2: CVE-2020-17530: Potential RCE when using forced evaluation


From: Lukasz Lenart 
Date: Tue, 8 Dec 2020 07:55:04 +0100


Forced OGNL evaluation, when evaluated on raw user input in tag
attributes, may lead to remote code execution.

Problem
Some of the tag's attributes could perform a double evaluation if a
developer applied forced OGNL evaluation by using the %{...} syntax.
Using forced OGNL evaluation on untrusted user input can lead to a
Remote Code Execution and security degradation.

Solution
Avoid using forced OGNL evaluation on untrusted user input, and/or
upgrade to Struts 2.5.26 which checks if expression evaluation won't
lead to the double evaluation.

Please read our Security Bulletin for more details:
https://cwiki.apache.org/confluence/display/WW/S2-061

This vulnerability was identified by:
- Alvaro Munoz - pwntester at github dot com
- Masato Anzai of Aeye Security Lab, inc.

All developers are strongly advised to perform this action.


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
------------------------------------------------------------------------------

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17530
http://seclists.org/oss-sec/2020/q4/191
https://cwiki.apache.org/confluence/display/WW/S2-061
Comment 1 Wolfgang Frisch 2020-12-08 16:22:09 UTC
SUSE:SLE-15-SP1:Update:Products:Manager40:Update  Not affected [1]
SUSE:SLE-15-SP2:Update:Products:Manager41:Update  Not affected [1]

[1] does not support OGNL