Previous General Totara Learn discussions (read only)

Security scan of our totara servers throws up a vulnerability relating to struts2

? ?
Security scan of our totara servers throws up a vulnerability relating to struts2
by ? ? - Tuesday, 28 February 2017, 4:09 AM

This is part of the vulnerability report. I cannot find any reference to struts in the source files. Anyone come across this issue with their totara servers?

Example: ~/moodle/lib/requirejs.php/1485535864/core/c.top+c.height/2-e/%24%7B%23foo%3D%27j%27%2C%23foo%7D.deferreddo


1.1. OGNL Double Evaluation Remote Code Execution

CVSS Score: 9.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:P/A:P
Impact/Probability: High/High

Struts2 is an open-source web application framework for Java. Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which leads to arbitrary Java method execution on the target server. This is caused by insecure handling of prefixed special parameters (action:, redirect: and redirectAction:) in the DefaultActionMapper class of Struts2.
here')}.action


1.1.1. Remediation
Upgrade Struts to the latest release


Sam Hemelryk
Re: Security scan of our totara servers throws up a vulnerability relating to struts2
by Sam Hemelryk - Tuesday, 28 February 2017, 5:03 PM
Group Totara

Hi Neil,

Just writing to confirm that we do not use Struts; it's Java technology and not a part of our stack.

It would appear to be a false positive but is something you should look into.
If you have any Java applications in your web stack (server, caching, proxy, etc.) then ruling these out should be your first step.
Otherwise getting in touch with the company that produced the report, or the company that produced the tool you used to run the report is probably the best step. It could be that the test for that particular vulnerability is finding a false positive in how Totara loads JS.

Best of luck tracking it down.

Kind regards
Sam
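One way to triage a finding like the one quoted above, following the steps Sam describes (rule out a Java handler, then see what the server actually did with the `${...}` expression). This is an added example, not code from the thread or from Totara; it assumes you already have the flagged URL plus the captured response headers and body, and the sample response values below are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

OGNL_EXPR = re.compile(r"\$\{[^}]*\}")                 # OGNL ${ ... } expression syntax
PHP_SCRIPT = re.compile(r"^(.*?/[^/]+\.php)(/.*)?$")   # PHP script followed by PATH_INFO
# Header fragments that suggest a Java servlet container or framework is in the path.
JAVA_MARKERS = ("jsessionid", "tomcat", "coyote", "jetty", "struts", "jboss",
                "wildfly", "glassfish", "servlet")


def decode_finding(url):
    """Percent-decode the flagged URL and split it into the PHP script and its PATH_INFO."""
    decoded = unquote(urlsplit(url).path)
    m = PHP_SCRIPT.match(decoded)
    return {
        "decoded_path": decoded,
        "ognl_exprs": OGNL_EXPR.findall(decoded),
        "php_script": m.group(1) if m else None,
        "path_info": (m.group(2) or "") if m else None,
    }


def classify_finding(url, headers, body):
    """Return (verdict, reasons) for one scanner hit using only the captured response."""
    info = decode_finding(url)
    reasons = []
    header_blob = " ".join(f"{k}: {v}" for k, v in headers.items()).lower()
    java_hits = [m for m in JAVA_MARKERS if m in header_blob]
    if java_hits:
        reasons.append("Java markers in response headers: " + ", ".join(java_hits))
    if info["php_script"]:
        reasons.append(f"request handled by PHP script {info['php_script']}, not a Struts action")
    # A vulnerable Struts2 would evaluate ${#foo='j',#foo} to the string "j"; seeing the
    # expression echoed back verbatim means the server treated it as plain text.
    for expr in info["ognl_exprs"]:
        if expr in body:
            reasons.append(f"expression {expr} echoed back unevaluated")
    if not info["ognl_exprs"]:
        reasons.append("no ${...} OGNL expression present in the URL")
    if java_hits:
        verdict = "investigate"          # a Java component exists; the finding may be real
    elif info["php_script"]:
        verdict = "likely false positive"  # PHP endpoint, no Java in the response path
    else:
        verdict = "unknown"
    return verdict, reasons
```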


? ?
Re: Security scan of our totara servers throws up a vulnerability relating to struts2
by ? ? - Wednesday, 1 March 2017, 6:21 AM

Hi Sam

Thanks very much for the response. I will pass this on to the security team and ask them to check with the company whether it is likely to be a false positive.


Regards,

Neil