Headline
CVE-2019-0233: S2-060 - Apache Struts 2 Wiki
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
Summary
Access permission override causing a Denial of Service when performing a file upload
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Denial of Service
Maximum security rating
Moderate
Recommendation
Upgrade to Struts 2.5.22 or greater
If this is not possible, add java.io. and java.nio. to the value attribute of the struts.excludedPackageNames constant in struts-default.xml.
Affected Software
Struts 2.0.0 - Struts 2.5.20
Reporters
Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE Identifier
CVE-2019-0233
Problem
When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container’s temp directory to read only, such that subsequent upload actions will fail.
In Struts prior to 2.5.22, stack-accessible values (e.g. Action properties) of type java.io.File and java.nio.File, as well as other classes from these standard library packages, are not properly protected by the framework to deny access to potentially harmful underlying properties.
Solution
Upgrade to Struts 2.5.22, which excludes classes from java.io and java.nio from property evaluation by default.
Backward compatibility
No issues expected when upgrading to Struts 2.5.22
Workaround
While it is highly recommended to upgrade to Struts 2.5.22, if you are not able to do this you can mitigate the issue by adding java.io. and java.nio. to the value attribute of the struts.excludedPackageNames constant in struts-default.xml.
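The following configuration fragment is an added illustration of the workaround above; it is not part of the S2-060 bulletin or of the Struts distribution. It shows the struts.excludedPackageNames constant with java.io. and java.nio. appended. The constant can be set in struts-default.xml as the bulletin says, or in the application's own struts.xml, which overrides the shipped default. Note that the value replaces the default list rather than adding to it, so every package already excluded by your Struts version must stay in the list; the pre-existing entries shown here are an assumption based on a typical 2.5.x struts-default.xml and should be copied from the struts-default.xml inside your own struts2-core jar.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<!-- Added example for the S2-060 workaround (Struts 2.0.0 - 2.5.20 when
     an upgrade to 2.5.22 is not possible). Not from the bulletin itself.
     The value REPLACES the framework default, so the defaults must be repeated.
     The entries before java.io. and java.nio. are an assumption taken from a
     typical 2.5.x struts-default.xml; use the list from your own version. -->
<struts>
    <constant name="struts.excludedPackageNames"
              value="ognl.,javax.,freemarker.core.,freemarker.template,freemarker.ext.jsp.,freemarker.ext.rhino.,sun.reflect.,javassist.,com.opensymphony.xwork2.ognl.,com.opensymphony.xwork2.security.,com.opensymphony.xwork2.util.,java.io.,java.nio." />
</struts>
```

With this in place, OGNL expressions supplied through request parameters can no longer reach members of java.io and java.nio types exposed on the value stack, which is what the uploaded-file read-only manipulation described under Problem relies on. Check the effect after deployment by confirming that parameters targeting properties of an exposed java.io.File getter are rejected rather than applied; the upgrade to 2.5.22 remains the recommended fix.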
Read more about the internal Struts security mechanism.