Bug 1175452 - (CVE-2019-0230) VUL-0: CVE-2019-0230: struts: possible RCE due to forced double OGNL evaluation when evaluated on raw user input in tag attributes
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other OS: Other
Priority: P3 - Medium Severity: Normal
Target Milestone: ---
Assigned To: Dario Leidi
QA Contact: Security Team bot
https://smash.suse.de/issue/265610/
Reported: 2020-08-18 14:32 UTC by Robert Frohl
Modified: 2020-08-25 09:45 UTC (History)
CC: 3 users

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2020-08-18 14:32:58 UTC
rh#1869672

The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tag attributes such as id, so it is possible to pass in a value that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE).

Reference:
https://cwiki.apache.org/confluence/display/WW/S2-059

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1869672
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0230
Comment 1 Robert Frohl 2020-08-18 14:34:20 UTC
I believe we are not affected, as we ship 1.X.

@Diego could you confirm this please?
Comment 2 Robert Frohl 2020-08-18 14:35:03 UTC
(In reply to Robert Frohl from comment #1)
> @Diego could you confirm this please?

Sorry, I meant Dario
Comment 3 Dario Leidi 2020-08-20 20:24:13 UTC
(In reply to Robert Frohl from comment #1)
> I believe we are not affected, as we ship 1.X.
> 

Hi Robert, you are absolutely right. We use and ship struts-1.2.9, and affected versions are `2.0.0 - 2.5.20`. We are luckily not affected by this CVE.

Thank you for the heads up.
Dario
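The version triage carried out in Comment 3, written up as an added example script (not from this bug or from SUSE): it parses Maven-style Struts jar names such as `struts-1.2.9.jar` and `struts2-core-2.5.20.jar`, compares versions numerically rather than lexically, and buckets them against the affected range `2.0.0 - 2.5.20` quoted in Comment 3. The jar naming pattern and the sample inventory are assumptions.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in Comment 3 of this bug: Struts 2.0.0 - 2.5.20, inclusive.
# Struts 1.x (the shipped struts-1.2.9) is a separate code base and falls outside it.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 20)

# Assumed Maven-style jar names: struts-1.2.9.jar, struts2-core-2.5.20.jar, ...
# An optional qualifier after the numeric version (e.g. -SNAPSHOT) is ignored.
JAR_RE = re.compile(
    r"^(?P<artifact>struts2?(?:-[a-z]+)*)-(?P<version>\d+(?:\.\d+)*)(?:[-.][A-Za-z][\w.-]*)?\.jar$"
)

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.20' -> (2, 5, 20), padded to three fields so '2.5' compares as (2, 5, 0).
    Integer tuples avoid the lexical trap where '2.5.20' < '2.5.3' as strings."""
    fields = [int(p) for p in text.split(".")]
    while len(fields) < 3:
        fields.append(0)
    return tuple(fields)

def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the version lies inside the range quoted in Comment 3."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def assess_jar(filename: str) -> Optional[dict]:
    """Return {'artifact', 'version', 'affected'} for a Struts jar name, or None when the
    name is not a parseable Struts artifact (those should be inspected by hand)."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    version = parse_version(m.group("version"))
    return {"artifact": m.group("artifact"), "version": version, "affected": is_affected(version)}

def triage(filenames) -> dict:
    """Split a list of shipped jar names into affected / unaffected / unparsed buckets."""
    report = {"affected": [], "unaffected": [], "unparsed": []}
    for name in filenames:
        info = assess_jar(name)
        if info is None:
            report["unparsed"].append(name)
        elif info["affected"]:
            report["affected"].append(name)
        else:
            report["unaffected"].append(name)
    return report

# Constructed sample inventory; only struts-1.2.9 is taken from Comment 3.
SAMPLE_JARS = ["struts-1.2.9.jar", "struts2-core-2.5.20.jar", "struts2-core-2.3.37-SNAPSHOT.jar",
               "struts2-core-2.5.22.jar", "commons-lang3-3.9.jar"]

if __name__ == "__main__":
    print(triage(SAMPLE_JARS))
```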
Comment 4 Robert Frohl 2020-08-25 09:45:44 UTC
closing as we are not affected