Struts 2 S2-016 Vulnerability Mitigation Till Upgrade


Question

Recently struts patched a vulnerability allowing attackers to execute remote code. Apparently not patching this is like giving black-hats a red carpet welcome with a bandwagon :-/

http://struts.apache.org/release/2.3.x/docs/s2-016.html

Basically it allows attack command execution like this:

Legitimate action: http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
Exploited action: http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

While I know that upgrading should be done ASAP, the as soon as possible will mean some time since our code base uses old struts versions and plugins.

Which will require some refactoring to upgrade the struts 2 libraries, then those need to be tested etc.

My question therefore is whether anyone has any idea to stop this vulnerability from being executed? This will be only till we are able to upgrade.

I was wondering whether writing an interceptor to sanitize the URL before being evaluated against the OGNL is possible and if so will it mitigate this issue?

Other idea I had was to use the Java security manager somehow to stop arbitrary process invocations, is this possible? Will it patch the hole temporarily?

The server being used is jBoss if anyone thinks that's relevant.

Accepted answer

The problem is related to DefaultActionMapper and how it handles special parameters. This class could be extended to override the handleSpecialParameters method. However, if you turn off DMI these special parameters no longer work. Use the constant configuration

<constant name="struts.enable.DynamicMethodInvocation" value="false"/>
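The request-level sanitising the question asks about, and the special-parameter handling the answer describes, as an added example that is not from the question, the answer or the Struts project: a servlet Filter registered ahead of the Struts dispatcher that refuses any request whose parameter names carry the action:, redirect: or redirectAction: prefixes that DefaultActionMapper.handleSpecialParameters() recognises, or whose parameter names or values contain an OGNL expression marker. The class name, the log message and the web.xml mapping in the trailing comment are assumptions; the struts.enable.DynamicMethodInvocation constant from the answer remains the primary fix, and this filter is defence in depth layered on top of it until the upgrade lands.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the question, the answer or the Struts project).
// Rejects requests carrying the Struts 2 "special parameter" prefixes before the
// Struts FilterDispatcher / StrutsPrepareAndExecuteFilter and its ActionMapper see them.
public class SpecialParameterBlockingFilter implements Filter {

    // Prefixes that DefaultActionMapper.handleSpecialParameters() turns into
    // mapper-controlled results (the S2-016 carriers), compared case-insensitively.
    private static final String[] SPECIAL_PREFIXES = { "action:", "redirect:", "redirectAction:" };

    // OGNL expression openers. The container URL-decodes parameters once, so the
    // advisory's "redirect:%25{3*4}" arrives here as the name "redirect:%{3*4}".
    private static final Pattern OGNL_MARKER = Pattern.compile("[%$]\\{");

    private FilterConfig config;

    @Override
    public void init(FilterConfig filterConfig) {
        this.config = filterConfig;
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String offending = findOffendingParameter(request);
        if (offending == null) {
            chain.doFilter(req, res);
            return;
        }
        // Log the block so the attempt is visible to monitoring, then refuse the request.
        config.getServletContext().log("S2-016 filter blocked request from "
                + request.getRemoteAddr() + " to " + request.getRequestURI()
                + " (parameter: " + offending + ")");
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
    }

    // True when the parameter name starts with one of the special prefixes.
    static boolean hasSpecialPrefix(String name) {
        for (String prefix : SPECIAL_PREFIXES) {
            if (name.regionMatches(true, 0, prefix, 0, prefix.length())) {
                return true;
            }
        }
        return false;
    }

    // Returns a description of the first offending parameter, or null if the
    // request is clean. Works on the decoded names and values the container exposes.
    static String findOffendingParameter(HttpServletRequest request) {
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (hasSpecialPrefix(name) || OGNL_MARKER.matcher(name).find()) {
                return name;
            }
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (OGNL_MARKER.matcher(value).find()) {
                    return name + "=" + value;
                }
            }
        }
        return null;
    }
}

/* Assumed web.xml registration; the filter-mapping must appear BEFORE the Struts
   dispatcher filter so that it runs first in the chain:

   <filter>
     <filter-name>specialParameterBlock</filter-name>
     <filter-class>SpecialParameterBlockingFilter</filter-class>
   </filter>
   <filter-mapping>
     <filter-name>specialParameterBlock</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>
*/
```

Two caveats before deploying this: the action: prefix is also what Struts' own s:submit tag emits when it is given an action attribute, so forms that rely on it will start receiving 400 responses and need the prefix removed from SPECIAL_PREFIXES or the forms changed; and the filter only inspects request parameters, so it narrows the S2-016 carriers described in the advisory rather than replacing the upgrade or the struts.enable.DynamicMethodInvocation=false constant from the answer. The log line it writes is worth forwarding, since each hit is a concrete exploitation attempt against the host.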

