Security Advisory-Multiple Apache Struts 2 Vulnerabilities in Huawei Products

Summary

Apache Struts2 is a second-generation and enterprise-ready Java web application framework based on the Model-View-Controller (MVC) architecture. This advisory describes four vulnerabilities of Apache Struts 2.0.0 - 2.3.15. Huawei products and applications using the above versions of Apache Struts are therefore affected by the vulnerabilities, not due to a defect of the Huawei product or application.

The Apache Struts2 contains the vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks.( Vulnerability ID : HWNSIRT-2013-0601) The link is at http://struts.apache.org/release/2.3.x/docs/s2-014.html (CVE-2013-2115, CVE-2013-1966)

The Apache Struts2 contains the vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.( Vulnerability ID : HWNSIRT-2013-0704) The link is at http://struts.apache.org/release/2.3.x/docs/s2-015.html (CVE-2013-2134, CVE-2013-2135)

The Apache Struts2 contains the vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:", which may result in remote command execution. (Vulnerability ID : HWNSIRT-2013-0705) .The link is at http://struts.apache.org/release/2.3.x/docs/s2-016.html (CVE-2013-2251).

The Apache Struts2 contains the vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" which allows open redirects. (Vulnerability ID : HWNSIRT-2013-0706). The link is at http://struts.apache.org/release/2.3.x/docs/s2-017.html (CVE-2013-2248).

Apache released Struts 2.3.15.1 as an official patch for Struts 2. Upgrading to Struts 2.3.15.1 is the only workaround. Based on the Struts 2.3.15.1 patch, Huawei provides a fix for the vulnerability.

Affected Products

Products Name	Products Version
GalaX8800	V100R002C00 V100R002C01 V100R002C83 V100R002C85
DC Integration Solution	V100R001C02
Portal	V100R002C00 V100R002C01 V100R002C83
OceanStor CSE	V100R002
OceanStor CSS	V100R001
FusionAccess	V100R003C00
FusionManager	V100R003C00
OceanStor UDS	V100R001C00
ManageOne SSMC	V100R001C02
VTM	V100R001C01
eSpace meeting	V100R001C01 V100R001C02
eSpace UC1.0	V100R001C01 V100R001C02 V100R001C02SPC300 V100R002C01
eSpace UC2.0	V200R001C01 V200R001C02
eSpace CC	V200R001C01 V200R001C02
eSpace EMS	V200R001C01 V200R001C02 V200R001C03
DSM	V100R002C03 V100R002C05
Elog	V100R003C01
iSOC	V200R001C00 V200R001C02
TSM	V100R002C07 and earlier
VSM	V200R002C00
eSight	V200R002C00 V200R002C01 V200R003C00 V300R001C00
Anti-DDoS	V100R001C00SPC300
ASG2100	V100R001C00
NIP	V100R001C00 V100R001C01 V100R002C00
eLTE3.1.0	eLTE V300R001C00
HostAgent	V100R003C00

Impact

Vulnerability ID : HWNSIRT-2013-0601

Attacker is allowed to do remote command execution, session access and manipulation and XSS attacks.

Vulnerability ID : HWNSIRT-2013-0704

Attacker is allowed to do remote command execution through wildcard matching mechanism or double evaluation of OGNL Expression.

Vulnerability ID : HWNSIRT-2013-0705:

Attacker is allowed to do remote command execution through manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:".

Vulnerability ID : HWNSIRT-2013-0706:

Attacker is allowed to open redirects through manipulating parameters prefixed with "redirect:"/"redirectAction:".

Vulnerability Scoring Details

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

The score of the vulnerability is following:

Vulnerability ID : HWNSIRT-2013-0601

Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Temporal Score: 8.3 (E:F/RL:O/RC:C)

Overall Score: 8.3

Vulnerability ID : HWNSIRT-2013-0704

Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Temporal Score: 6.2 (E:F/RL:O/RC:C)

Overall Score: 6.2

Vulnerability ID : HWNSIRT-2013-0705

Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Temporal Score: 8.3 (E:F/RL:O/RC:C)

Overall Score: 8.3

Vulnerability ID : HWNSIRT-2013-0706

Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Temporal Score: 6.2 (E:F/RL:O/RC:C)

Overall Score: 6.2

Technique Details

This vulnerability is described in the following advisories/notifications:

http://struts.apache.org/development/2.x/docs/s2-014.html

http://struts.apache.org/development/2.x/docs/s2-015.html

http://struts.apache.org/development/2.x/docs/s2-016.html

http://struts.apache.org/development/2.x/docs/s2-017.html

Temporary Fix

There is no valid workaround. We advise to consider protection method such as general security best practices for infrastructure devices and the traffic that transits the network. For example, when the service on affected product is just for internal management, please limit the accessible IP addresses though white ACL.

Software Versions and Fixes

This vulnerability has been fixed in the following version:

Products Name	Products Version	Patches Version
GalaX8800	V100R002C00 V100R002C01 V100R002C83 V100R002C85	SingleCLOUD V100R002C01CP3005
DC Integration Solution	V100R001C02	SingleCLOUD V100R002C01CP3005
Portal	V100R002C00 V100R002C01 V100R002C83	SingleCLOUD V100R002C01CP3005
OceanStor CSE	V100R002	OceanStor CSE V100R001C02SPC316
OceanStor CSS	V100R001	OceanStor CSE V100R001C02SPC316
FusionAccess	V100R003C00	V100R003C00SPC100
FusionManager	V100R003C00	V100R003C00SPC201
OceanStor UDS	V100R001C00	V100R001C00SPC103
ManageOne SSMC	V100R001C02	V100R001C02CP1001
VTM	V100R001C01	V100R001C01SPC303
eSpace meeting	V100R001C01 V100R001C02	V100R001C02SPC400
eSpace UC1.0	V100R001C01 V100R001C02	1.update to V100R001C02SPC200 2.loading the patch V100R001C02SPC20b
	V100R001C02SPC300	V100R001C02SPC303
	V100R002C01	1.update to V100R002SPC300 2.loading the patch V100R002C01SPC301
eSpace UC2.0	V200R001C01 V200R001C02	V200R001C02SPC502
eSpace CC	V200R001C01 V200R001C02	V200R001C02SPC500
eSpace EMS	V200R001C01 V200R001C02 V200R001C03	V200R001C03SPC700
DSM	V100R002C03	V100R002C03CP7001
DSM	V100R002C05	V100R002C05CP4001
Elog	V100R003C01	V100R003C01SPC402
iSOC	V200R001C00	V200R001C00SPC201
iSOC	V200R001C02	V200R001C02SPC201
TSM	V100R002C07 and earlier	V100R002C07CP2001
VSM	V200R002C00	V200R002C00SPC402
eSight	V200R002C00	V200R002C00SPC110
	V200R002C01	V200R002C01SPC306
	V200R003C00	V200R003C00CP3001
	V300R001C00	V300R001C00CP1001
Anti-DDoS	V100R001C00SPC300	1.find the version V100R001C00SPC300 2.download the patch AticInstall_V200R001C00SPH701 under the version V100R001C00SPC300 folder
ASG2100	V100R001C00	V100R001C00SPC700
NIP	V100R001C00 V100R001C01 V100R002C00	V100R002C00SPC100
eLTE3.1.0	eLTE V300R001C00	V100R002C00SPC200
HostAgent	V100R003C00	ISSP V100R005C01SPC400

Obtaining Fixed Software

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.

Exploitation and Vulnerability Source

Although Huawei is not aware of any malicious exploitation of these vulnerabilities in Huawei products on customer’s live network, Huawei has confirmed through public channel that some ISP’s servers have been attacked. Our customers are advised to fix the problem once patch/versions are available.

Contacts for Technique Issue

For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.

Revision History

2013-07-30 V1.0 INITIAL

2013-08-07 V1.1 UPDATE : Update Software Versions and Fixes

2013-08-16 V1.2 UPDATE : Update Software Versions and Fixes

2013-10-14 V1.3 UPDATE : Update Software Versions and Fixes

2014-01-08 V1.4 UPDATE : Update Software Versions and Fixes

FAQs

None

Declaration

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

Huawei Security Procedures

Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.

Select a Country or Region

Products

Connectivity

Computing

Cloud

Services

Industry Solutions

Consumer Support

Huawei Cloud Support

Enterprise Support

Carrier Support

Partners

Training & Certification

Developers

About Us

News & Events

Explore More

SEARCH HISTORY

Security Advisory-Multiple Apache Struts2 Vulnerabilities in Huawei Products

Select a Country or Region

Connectivity

Computing

Cloud

SEARCH HISTORY

Security Advisory-Multiple Apache Struts2 Vulnerabilities in Huawei Products

Online Services

Consumer Products

Huawei Cloud

Enterprise

Carrier Network