Previous General Totara Learn discussions (read only)

Security scan of our totara servers throws up a vulnerability relating to struts2

??
Security scan of our totara servers throws up a vulnerability relating to struts2
?? posted on 28 February 2017 (Tuesday) 04:09

This is part of the vulnerability report. I cannot find any reference to struts in the source files. Anyone come across this issue with their totara servers?

Example: ~/moodle/lib/requirejs.php/1485535864/core/c.top+c.height/2-e/%24%7B%23foo%3D%27j%27%2C%23foo%7D.deferreddo

 

CVSS: 9.0
Impact/Prob: High/High
OGNL Double Evaluation Remote Code Execution
Struts2 is an open-source web application framework for Java. Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which leads to arbitrary Java method execution on the target server. This is caused by insecure handling of prefixed special parameters (action:, redirect: and redirectAction:) in the DefaultActionMapper class of Struts2.

1.1. OGNL Double Evaluation Remote Code Execution

CVSS Score: 9.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:P/A:P Impact/Probability: High/High
Struts2 is an open-source web application framework for Java. Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which leads to arbitrary Java method execution on the target server. This is caused by insecure handling of prefixed special parameters (action:, redirect: and redirectAction:) in the DefaultActionMapper class of Struts2.
here')}.action


1.1.1. Remediation
Upgrade Struts to the latest release


HemelrykSam
Re: Security scan of our totara servers throws up a vulnerability relating to struts2
HemelrykSam posted on 28 February 2017 (Tuesday) 17:03
Group: Totara

Hi Neil,

Just writing to confirm that we do not use Struts; it's Java technology and not a part of our stack.

It would appear to be a false positive but is something you should look into.
If you have any Java applications in your web stack (server, caching, proxy etc.) then ruling these out should be your first step.
Otherwise getting in touch with the company that produced the report, or the company that produced the tool you used to run the report is probably the best step. It could be that the test for that particular vulnerability is finding a false positive in how Totara loads JS.

Best of luck tracking it down.

Kind regards
Sam
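One way to do the ruling-out Sam describes before going back to the scanner vendor: re-send the scanner's probe with a distinctive marker and check whether the OGNL expression was actually evaluated server-side, merely echoed back, or ignored, and look for Java fingerprints in the response headers. This is an added example, not code from Totara, Moodle or the scanning tool; the probe keeps the shape of the scanner's own payload from the report above (`${#foo='j',#foo}`) but substitutes a marker value that cannot occur by accident, and the HTTP responses it classifies in the demo are constructed for illustration.

```python
"""
Triage helper for a Struts2/OGNL scanner finding on a non-Java stack.
Added example (not Totara's or the scanner vendor's code). Assumptions:
the probe is the same shape as the scanner's payload with a marker
swapped in, and the sample responses below are constructed, not captured.
"""
import re
from urllib.parse import unquote
from urllib.request import Request, urlopen

# Path taken from the scanner report quoted in the thread (URL-encoded OGNL).
SCANNER_PATH = ("~/moodle/lib/requirejs.php/1485535864/core/c.top+c.height/2-e/"
                "%24%7B%23foo%3D%27j%27%2C%23foo%7D.deferreddo")

MARKER = "ognl_probe_7c1e"             # distinctive: will not appear by chance
PROBE = "${#foo='%s',#foo}" % MARKER   # same shape as the scanner's ${#foo='j',#foo}


def decode_probe(path):
    """Return the ${...} expression embedded in a scanner path, or None."""
    m = re.search(r"\$\{[^}]*\}", unquote(path))
    return m.group(0) if m else None


def classify(body, probe=PROBE, marker=MARKER):
    """Classify a response body to the probe request.

    'reflected': raw expression echoed verbatim -> treated as plain text
    'evaluated': marker present but raw expression gone -> expression was run
    'absent':    neither -> the path segment was ignored (default JS, 404, ...)
    The 'reflected' check must come first: the raw probe contains the marker.
    """
    if probe in body:
        return "reflected"
    if marker in body:
        return "evaluated"
    return "absent"


def java_hints(headers):
    """Header values that suggest a Java tier (app server, proxy, cache)."""
    hints = []
    for name, value in headers.items():
        lname, lvalue = name.lower(), value.lower()
        if lname == "x-powered-by" and ("servlet" in lvalue or "jsp" in lvalue):
            hints.append("%s: %s" % (name, value))
        elif lname == "server" and any(
                s in lvalue for s in ("tomcat", "jetty", "jboss", "wildfly", "glassfish")):
            hints.append("%s: %s" % (name, value))
        elif lname == "set-cookie" and "jsessionid" in lvalue:
            hints.append("%s: %s" % (name, value))
    return hints


def triage(headers, body):
    """Combine body classification and header fingerprints into a verdict."""
    verdict = classify(body)
    hints = java_hints(headers)
    if verdict == "evaluated":
        return "confirmed"        # expression ran server-side: treat as real
    if hints:
        return "inconclusive"     # not evaluated here, but a Java tier exists
    return "likely-false-positive"


def send_probe(base_url, path_template=SCANNER_PATH, timeout=10):
    """Re-issue the scanner's request against a real host with our marker.

    Replaces the scanner's ${#foo='j',#foo} segment with PROBE; returns
    (status, headers dict, body text). Not called by the offline demo below.
    """
    original = decode_probe(path_template)
    path = unquote(path_template).replace(original, PROBE).lstrip("~")
    req = Request(base_url.rstrip("/") + path, headers={"User-Agent": "ognl-triage"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample responses (not captured from any Totara server).
    php_js = ({"Server": "Apache", "X-Powered-By": "PHP/7.0.15"},
              "define('core/first', ['jquery'], function($) { return {}; });")
    php_echo = ({"Server": "nginx"},
                "<h1>Not found</h1><p>No route for %s.deferreddo</p>" % PROBE)
    java_eval = ({"Server": "Apache-Coyote/1.1"},
                 "<h1>Not found</h1><p>No route for %s.deferreddo</p>" % MARKER)
    for headers, body in (php_js, php_echo, java_eval):
        print(classify(body), java_hints(headers), triage(headers, body))
```

Running the demo prints `absent`, `reflected` and `evaluated` for the three constructed bodies; only the last, where the marker survives but the surrounding expression is gone, is treated as a real finding. Against a live host, `send_probe` issues the same request the scanner did and the resulting status, headers and body can be fed to `triage`.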


??
Re: Security scan of our totara servers throws up a vulnerability relating to struts2
?? posted on 1 March 2017 (Wednesday) 06:21

Hi Sam

Thanks very much for the response. I will pass this on to the security team and ask them to check with the company whether it is likely to be a false positive.


Regards,

Neil