This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy (update in May 2018) >

Security Advisory - Apache Struts2 Remote Code Execution Vulnerability in Huawei Products

  • SA No:huawei-sa-20160527-01-struts2
  • Initial Release Date: May 27, 2016
  • Last Release Date: Feb 25, 2017

Apache Struts2 released a remote code execution vulnerability in S2-032 on the official website,when Dynamic Method Invocation (DMI) is enabled, an exploit could allow the attacker to cause remote code execution.(Vulnerability ID: HWPSIRT-2016-04052)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-3081.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en

Product Name

Affected Version

Resolved Product and Version

Agile Controller-Campus

V100R002C00

V100R002C00SPC107

AnyOffice

V200R005C00

Upgrade to AnyOffice EMM V200R006C00SPC101

V200R006C00

AnyOffice EMM V200R006C00SPC101

FireHunter6000

V100R001C20

V100R001C20SPC106T

LogCenter

V100R001C10

Upgrade to V100R001C20SPC102

V100R001C20

V100R001C20SPC102

OceanStor 5300 V3/ 5500 V3/ 5600 V3/ 5800 V3/ 6800 V3

V300R001C20

Upgrade to V300R003C10[1]

V300R002C10

V300R003C00

OceanStor 9000

V100R001C01

Upgrade to V300R005C00SPH102

V100R001C30

V300R005C00

V300R005C00SPH102

OceanStor 18500 V3/18800 V3

Versions earlier than V300R003C10

Upgrade to V300R003C10SPC100

OceanStor N8500

V200R001C09SPC505

V200R001C09SPC506

V200R001C91SPC205

Upgrade to V200R001C91SPC902

V200R001C91SPC900

V200R001C91SPC902

V200R001C91SPC901

V200R001C91SPC902

OceanStor Onebox

V100R003C10

Upgrade to V100R005C00

[1]Only SystemReporter is affected, to fix the vulnerability, upgrade only the OceanStor 5300 V3&5500 V3&5600 V3&5800 V3&6800 V3 V300R003C10_DeviceManager_SystemReporter.zip patch in OceanStor 5300 V3/ 5500 V3/ 5600 V3/ 5800 V3/ 6800 V3 V300R003C10.

By exploiting this vulnerability, an attacker can execute remote code.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Temporal Score: 7.7 (E:F/RL:O/RC:C)

1. Prerequisite:

DMI in Apache Struts2 server is enabled.

2. Attacking procedure:

Attackers can pass a malicious expression to the Apache Struts2 server to cause remote code execution.

For additional details, customers are advised to reference the Apache Struts2 official website: 

https://struts.apache.org/docs/s2-032.html

Customers can deploy Huawei NGFWs (Next Generation Firewall) or data center firewalls, and upgrade the IPS signature database to the latest version IPS_H20011000_2016042700 released on April 27, 2016 to detect and defend against the vulnerability exploits initiated from the Internet.


Scenario 1: DMI is enabled on the Apache Struts2 server by default in the following products: OceanStor 5300 V3, OceanStor 5500 V3, OceanStor 5600 V3, OceanStor 5800 V3, OceanStor 6800 V3, OceanStor 9000.

Workarounds: Customers can contact Huawei Technical Assistance Center (TAC) to disable DMI on the Apache Struts2 server as follows:

1. Log in to the device and find the struts.xml file.

2. Set the value of struts.enable.DynamicMethodInvocation in the struts.xml file to false.

3. Restart the web server to make the modification in struts.xml file take effect.

Scenario 2: DMI is disabled on the Apache Struts2 server by default in the following products: FireHunter6000, OceanStor N8500, OceanStor Onebox.

Workarounds: Customers should contact Huawei Technical Assistance Center (TAC) to check the status of DMI, if DMI is enabled, please disable DMI on the Apache Struts2 server as following steps:

1. Login the device and find the struts.xml file.

2. Check the value of struts.enable.DynamicMethodInvocation in the struts.xml file. If the value is true, set it to false. If the value is false or empty, no operation is required.

3. Restart the web server to make the modification in struts.xml file take effect.

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/psirt/report-vulnerabilities.

This vulnerability was disclosed in S2-032 on the Apache Struts2 official website.

2017-02-25 V1.3 UPDATED updated the information of affected products and temporary fix
2016-08-03 V1.2 UPDATED updated the information of affected products and temporary fix

2016-05-30 V1.1 UPDATED updated the information of affected products and temporary fix

2016-05-27 V1.0 INITIAL

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.