This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our private policy>

Security Advisory-Multiple Apache Struts2 Vulnerabilities in Huawei Products

  • SA No:Huawei-SA-20130730-Struts
  • Initial Release Date: 2013-07-30
  • Last Release Date: 2014-01-08

Apache Struts2 is a second-generation and enterprise-ready Java web application framework based on the Model-View-Controller (MVC) architecture. This advisory describes four vulnerabilities of Apache Struts 2.0.0 - 2.3.15. Huawei products and applications using the above versions of Apache Struts are therefore affected by the vulnerabilities, not due to a defect of the Huawei product or application.

 

The Apache Struts2 contains the vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks.( Vulnerability ID : HWNSIRT-2013-0601) The link is at http://struts.apache.org/release/2.3.x/docs/s2-014.html (CVE-2013-2115, CVE-2013-1966)

 

The Apache Struts2 contains the vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.( Vulnerability ID : HWNSIRT-2013-0704) The link is at http://struts.apache.org/release/2.3.x/docs/s2-015.html (CVE-2013-2134, CVE-2013-2135)

 

The Apache Struts2 contains the vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:", which may result in remote command execution. (Vulnerability ID : HWNSIRT-2013-0705) .The link is at http://struts.apache.org/release/2.3.x/docs/s2-016.html (CVE-2013-2251).

 

The Apache Struts2 contains the vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" which allows open redirects. (Vulnerability ID : HWNSIRT-2013-0706). The link is at http://struts.apache.org/release/2.3.x/docs/s2-017.html (CVE-2013-2248).

Apache released Struts 2.3.15.1 as an official patch for Struts 2. Upgrading to Struts 2.3.15.1 is the only workaround. Based on the Struts 2.3.15.1 patch, Huawei provides a fix for the vulnerability.

Products Name

Products Version

GalaX8800

V100R002C00
V100R002C01
V100R002C83
V100R002C85

DC Integration Solution

V100R001C02

Portal

V100R002C00
V100R002C01
V100R002C83

OceanStor CSE

V100R002

OceanStor CSS

V100R001

FusionAccess

V100R003C00

FusionManager

V100R003C00

OceanStor UDS

V100R001C00

ManageOne SSMC

V100R001C02

VTM

V100R001C01

eSpace meeting

V100R001C01
V100R001C02

eSpace UC1.0

V100R001C01
V100R001C02
V100R001C02SPC300
V100R002C01

eSpace UC2.0

V200R001C01
V200R001C02

eSpace CC

V200R001C01
V200R001C02

eSpace EMS

V200R001C01
V200R001C02
V200R001C03

DSM

V100R002C03
V100R002C05

Elog

V100R003C01

iSOC

V200R001C00
V200R001C02

TSM

V100R002C07 and earlier

VSM

V200R002C00

eSight

V200R002C00
V200R002C01
V200R003C00
V300R001C00

Anti-DDoS

V100R001C00SPC300

ASG2100

V100R001C00

NIP

V100R001C00
V100R001C01
V100R002C00

eLTE3.1.0

eLTE V300R001C00

HostAgent

V100R003C00

 

  • Vulnerability ID : HWNSIRT-2013-0601

Attacker is allowed to do remote command execution, session access and manipulation and XSS attacks.

  • Vulnerability ID : HWNSIRT-2013-0704

Attacker is allowed to do remote command execution through wildcard matching mechanism or double evaluation of OGNL Expression.

  • Vulnerability ID : HWNSIRT-2013-0705:

Attacker is allowed to do remote command execution through manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:".

  • Vulnerability ID : HWNSIRT-2013-0706:

Attacker is allowed to open redirects through manipulating parameters prefixed with "redirect:"/"redirectAction:".

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

The score of the vulnerability is following:

  • Vulnerability ID : HWNSIRT-2013-0601

Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Temporal Score: 8.3 (E:F/RL:O/RC:C)

Overall Score: 8.3

  • Vulnerability ID : HWNSIRT-2013-0704

Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Temporal Score: 6.2 (E:F/RL:O/RC:C)

Overall Score: 6.2

  • Vulnerability ID : HWNSIRT-2013-0705

Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Temporal Score: 8.3 (E:F/RL:O/RC:C)

Overall Score: 8.3

  • Vulnerability ID : HWNSIRT-2013-0706

Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Temporal Score: 6.2 (E:F/RL:O/RC:C)

Overall Score: 6.2

There is no valid workaround.  We advise to consider protection method such as general security best practices for infrastructure devices and the traffic that transits the network. For example, when the service on affected product is just for internal management, please limit the accessible IP addresses though white ACL.


 

This vulnerability has been fixed in the following version:

Products Name

Products Version

Patches Version

GalaX8800

V100R002C00
V100R002C01
V100R002C83
V100R002C85

SingleCLOUD V100R002C01CP3005

DC Integration Solution

V100R001C02

SingleCLOUD V100R002C01CP3005

Portal

V100R002C00
V100R002C01
V100R002C83

SingleCLOUD V100R002C01CP3005

OceanStor CSE

V100R002

OceanStor CSE V100R001C02SPC316

OceanStor CSS

V100R001

OceanStor CSE V100R001C02SPC316

FusionAccess

V100R003C00

V100R003C00SPC100

FusionManager

V100R003C00

V100R003C00SPC201

OceanStor UDS

V100R001C00

V100R001C00SPC103

ManageOne SSMC

V100R001C02

V100R001C02CP1001

VTM

V100R001C01

V100R001C01SPC303

eSpace meeting

V100R001C01
V100R001C02

V100R001C02SPC400

eSpace UC1.0

V100R001C01
V100R001C02

1.update to V100R001C02SPC200
2.loading the patch V100R001C02SPC20b

V100R001C02SPC300

V100R001C02SPC303

V100R002C01

1.update to V100R002SPC300
2.loading the patch V100R002C01SPC301

eSpace UC2.0

V200R001C01
V200R001C02

V200R001C02SPC502

eSpace CC

V200R001C01
V200R001C02

V200R001C02SPC500

eSpace EMS

V200R001C01
V200R001C02
V200R001C03

V200R001C03SPC700

DSM

V100R002C03

V100R002C03CP7001

V100R002C05

V100R002C05CP4001

Elog

V100R003C01

V100R003C01SPC402

iSOC

V200R001C00

V200R001C00SPC201

V200R001C02

V200R001C02SPC201

TSM

V100R002C07 and earlier

V100R002C07CP2001

VSM

V200R002C00

V200R002C00SPC402

eSight

V200R002C00

V200R002C00SPC110

V200R002C01

V200R002C01SPC306

V200R003C00

V200R003C00CP3001

V300R001C00

V300R001C00CP1001

Anti-DDoS

V100R001C00SPC300

1.find the version V100R001C00SPC300
2.download the patch AticInstall_V200R001C00SPH701 under the version V100R001C00SPC300 folder

ASG2100

V100R001C00

V100R001C00SPC700

NIP

V100R001C00
V100R001C01
V100R002C00

V100R002C00SPC100

 

eLTE3.1.0

eLTE V300R001C00

V100R002C00SPC200

HostAgent

V100R003C00

ISSP V100R005C01SPC400

 


Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.


Although Huawei is not aware of any malicious exploitation of these vulnerabilities in Huawei products on customer’s live network, Huawei has confirmed through public channel that some ISP’s servers have been attacked. Our customers are advised to fix the problem once patch/versions are available.

For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.


2013-07-30 V1.0 INITIAL

2013-08-07 V1.1 UPDATE : Update Software Versions and Fixes

2013-08-16 V1.2 UPDATE : Update Software Versions and Fixes

2013-10-14 V1.3 UPDATE : Update Software Versions and Fixes

2014-01-08 V1.4 UPDATE : Update Software Versions and Fixes

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.