ID

VAR-201008-0298

CVE

CVE-2010-1870

TITLE

Apache Struts of XWork Vulnerabilities that bypass object protection mechanisms

DESCRIPTION

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504. Used for multiple products Apache Struts of XWork In OGNL For the expression evaluation of "#" ParameterInterceptors A vulnerability exists that bypasses the protection mechanism. XWork is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input. Attackers can exploit this issue to manipulate server-side context objects with the privileges of the user running the application. Successful exploits can compromise the application and possibly the underlying computer. This issue is related to the vulnerability documented in BID 32101 (XWork 'ParameterInterceptor' Class OGNL Security Bypass Vulnerability); the implemented solution appears to have been incomplete. The component uses the ParameterInterceptors directive to parse the Object-Graph Navigation Language (OGNL) expressions that are implemented via a whitelist feature. An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted system. Cisco has released free software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000 Series. Customers using Cisco Business Edition 3000 Series should contact their Cisco representative for available options. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. ---------------------------------------------------------------------- Passionate about writing secure code? http://secunia.com/company/jobs/open_positions/talented_programmer Read this if your favourite tool is a disassembler http://secunia.com/company/jobs/open_positions/reverse_engineer ---------------------------------------------------------------------- TITLE: XWork "ParameterInterceptor" Security Bypass Vulnerability SECUNIA ADVISORY ID: SA40558 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40558/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40558 RELEASE DATE: 2010-07-13 DISCUSS ADVISORY: http://secunia.com/advisories/40558/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40558/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40558 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in XWork, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to the "ParameterInterceptor" class improperly restricting access to server-side objects. This can be exploited to modify server-side objects and e.g. This is related to: SA32495 SOLUTION: Filter malicious characters and character sequences using a proxy. PROVIDED AND/OR DISCOVERED BY: Meder Kydyraliev, Google Security Team ORIGINAL ADVISORY: http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2011-0005 Synopsis: VMware vCenter Orchestrator remote code execution vulnerability Issue date: 2011-03-14 Updated on: 2011-03-14 (initial release of advisory) CVE numbers: CVE-2010-1870 - ------------------------------------------------------------------------ 1. Summary A vulnerability in VMware vCenter Orchestrator(vCO) could allow remote execution. 2. Relevant releases VMware vCenter Orchestrator 4.1 VMware vCenter Orchestrator 4.0 3. Problem Description VMware vCenter Orchestrator is an application to automate management tasks. It embeds Apache Struts (version 2.0.11) which is a third party component. The following vulnerability has been reported in Apache Struts 2.0.11 or earlier. A remote execution of code vulnerability could allow malicious users to bypass the '#'-usage protection built into the ParametersInterceptor, which could allow server side context objects to be manipulated. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1870 to this vulnerability. VMware would like to thank the Vulnerability Research Team of Digital Defense, Inc. for reporting this issue to us. Apache Struts version 2.0.11 and earlier also contain vulnerabilities which have not been assigned CVE names. This advisory also addresses these vulnerabilities described at the following URLs: * http://struts.apache.org/2.2.1/docs/s2-002.html * http://struts.apache.org/2.2.1/docs/s2-003.html * http://struts.apache.org/2.2.1/docs/s2-004.html Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCO 4.1 Windows vCO fix for Apache Struts * vCO 4.0 Windows vCO fix for Apache Struts * * Refer to VMware Knowledge Base article 1034175 for a workaround. 4. Solution Vmware vCenter Orchestrator --------------------------- vCenter Orchestrator workaround for Apache Struts http://kb.vmware.com/kb/1034175 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1870 - ------------------------------------------------------------------------ 6. Change log 2011-03-14 VMSA-2011-0005 Initial security advisory in conjunction with the release of an Apache Struts workaround for VMware vCenter Orchestrator on 2011-03-14. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2011 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFNfoXpS2KysvBH1xkRAiuiAJ9nyIgRIEiD4kYI7ZODRu/m0iJOQgCeIbKD J0gV3DRUWD3NMkMKC/ysvZE= =8K7w -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . For more information: SA40558 SOLUTION: Update to FishEye 2.3.3 and Crucible 2.3.3 or apply patches. For more information: SA40558 SOLUTION: Fixed in the SVN repository. Document Title: =============== LISTSERV Maestro Remote Code Execution Vulnerability References (Source): ==================== https://www.securifera.com/advisories/sec-2020-0001/ https://www.lsoft.com/products/maestro.asp Release Date: ============= 2020-10-20 Product & Service Introduction: =============================== LISTSERV Maestro is an enterprise email marketing solution and allows you to easily engage your subscribers with targeted, intelligence-based opt-in campaigns. It offers easy tracking, reporting and list segmentation in a complete email marketing and analytics package. Vulnerability Information: ============================== Class: CWE-917 : Expression Language (EL) Injection Impact: Remote Code Execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2010-1870 Vulnerability Description: ============================== A unauthenticated remote code execution vulnerability was found in the LISTSERV Maestro software, version 9.0-8 and prior. This vulnerability stems from a known issue in struts, CVE-2010-1870, that allows for code execution via OGNL Injection. This vulnerability has been confirmed to be exploitable in both the Windows and Linux version of the software and has existed in the LISTSERV Maestro software since at least version 8.1-5. As a result, a specially crafted HTTP request can be constructed that executes code in the context of the web application. Exploitation of this vulnerability does not require authentication and can lead to root level privilege on any system running the LISTServ Maestro services. Vulnerability Disclosure Timeline: ================================== 2020-10-12: Contact Vendor and Request Security Contact Info From Support Team 2020-10-12: Report Vulnerability Information to Vendor 2020-10-12: Vendor Confirms Submission 2020-10-13: Vendor Releases Patch 2020-10-13: Securifera Confirms With Vendor that the Patch Mitigates CVE-2010-1870 but suggest upgrading vulnerable struts library 2020-10-15: Vendor Approves Public Disclosure Affected Product(s): ==================== LISTSERV Maestro 9.0-8 and prior Severity Level: =============== High Proof of Concept (PoC): ======================= A proof of concept will not be provided at this time. Solution - Fix & Patch: ======================= Temporary patch: https://dropbox.lsoft.us/download/LMA9.0-8-patch-2020-10-13.zip Security Risk: ============== The security risk of this remote code execution vulnerability is estimated as high. (CVSS 10.0) Credits & Authors: ================== Securifera, Inc - b0yd (@rwincey) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Securifera disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Securifera is not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Securifera or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, or hack into any systems. Domains: www.securifera.com Contact: contact [at] securifera [dot] com Social: twitter.com/securifera Copyright C 2020 | Securifera, Inc

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

other

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

b0yd

SOURCES

LAST UPDATE DATE

2024-08-14T14:41:13.896000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE