RSA Authentication Manager 8.x
Customer Support has asked whether the RSA Authentication Manager 8.x system is impacted by several vulnerabilities in Apache Struts 2 after reading the announcement of fixes for these issues by the Apache Software Foundation.
The summarized announcements associated with the query are as follows (additional information is available at struts.apache.org):
S2-032
Remote Code Execution can be performed via the method: prefix when Dynamic Method Invocation is enabled.
| Impact of vulnerability | Possible Remote Code Execution |
| Affected Software | Struts 2.3.20 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3) |
| CVE Identifier | CVE-2016-3081 |
S2-031
XSLTResult can be used to parse an arbitrary stylesheet.
| Impact of vulnerability | Possible Remote Code Execution |
| Affected Software | Struts 2.0.0 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3) |
| CVE Identifier | CVE-2016-3082 |
S2-029
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
| Impact of vulnerability | Possible Remote Code Execution vulnerability |
| Affected Software | Struts 2.0.0 - Struts 2.3.24.1 (except 2.3.20.3) |
| CVE Identifier | CVE-2016-0785 |
Information from NVD, Apache and Struts source code.
CVE-2016-3081
Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
CVSS v3 Base Score: 8.1 High
It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled.
Response: The flaw does not exist
Dynamic Method Invocation is a feature of Struts 2. AM does not use an impacted version of Struts.
CVE-2016-0785
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
CVSS v3 Base Score: 8.8 High
The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tags, so it is possible to pass in a value that will be evaluated again when the tag's attributes are rendered. (Processing in code associated with com.opensymphony.xwork2.ognl.)
Response: The flaw does not exist
The forced evaluation of Struts 2 attributes and OGNL expressions (%{}) is a feature of Struts 2. AM does not use an impacted version of Struts.
CVE-2016-3082
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
CVSS v3 Base Score: 9.8 Critical
XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
Response: The flaw does not exist
XSLTResult uses XSLT to transform an action object to XML and is a feature of Struts 2. AM does not use an impacted version of Struts.
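As an added illustration (not code from this RSA article or from the Struts project), the following checker applies the NVD version ranges quoted above to a deployment's Struts version and DMI setting; the inventory entries at the bottom are constructed.

```python
# Added example: map a Struts 2 version to the CVEs discussed on this page, using the
# NVD wording quoted above as half-open intervals [low, high), e.g. "2.x before
# 2.3.20.2" -> [2.0.0, 2.3.20.2). Sample versions below are constructed.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'2.3.24.1' -> (2, 3, 24, 1); shorter strings are zero-padded ('2.3.28' -> (2, 3, 28, 0))."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected Struts version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

# Intervals transcribed from the NVD descriptions on this page. Note that NVD's range
# for CVE-2016-0785 is broader than the S2-029 table (2.0.0 - 2.3.24.1 except 2.3.20.3);
# the NVD wording is used here.
S2_032_RANGES = [("2.0.0", "2.3.20.2"), ("2.3.24", "2.3.24.2"), ("2.3.28", "2.3.28.1")]
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2016-3081": S2_032_RANGES,          # S2-032, method: prefix with DMI enabled
    "CVE-2016-3082": S2_032_RANGES,          # S2-031, XSLTResult (same NVD range)
    "CVE-2016-0785": [("2.0.0", "2.3.28")],  # S2-029, forced double OGNL evaluation
}

def in_ranges(version: Version, ranges: List[Tuple[str, str]]) -> bool:
    return any(parse_version(lo) <= version < parse_version(hi) for lo, hi in ranges)

def applicable_cves(version_text: str, dmi_enabled: bool = True) -> List[str]:
    """CVE ids whose NVD range covers this version. CVE-2016-3081 requires Dynamic
    Method Invocation (Struts constant struts.enable.DynamicMethodInvocation), so it
    is skipped when dmi_enabled is False."""
    version = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        if cve == "CVE-2016-3081" and not dmi_enabled:
            continue
        if in_ranges(version, ranges):
            hits.append(cve)
    return hits

if __name__ == "__main__":
    # Constructed sample inventory: (deployment, Struts version, DMI enabled?)
    for name, ver, dmi in [("app-a", "2.3.24.1", True), ("app-b", "2.3.28", False),
                           ("app-c", "2.3.28.1", True), ("app-d", "2.5.1", True)]:
        print(f"{name:6} struts {ver:9} DMI={dmi!s:5} -> {applicable_cves(ver, dmi) or 'not in range'}")
```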