Struts 2 security vulnerability found in an APM application running in OpenShift.

Article ID: 143807

Products

CA Application Performance Management Agent (APM / Wily / Introscope)

CA Application Performance Management (APM / Wily / Introscope)

INTROSCOPE

DX Application Performance Management

Issue/Introduction

CA APM Infrastructure Agent Release 10.7.0.45 (Build 990045) is installed in OpenShift.

A Nessus scan revealed a vulnerability in the CA APM application running in OpenShift.

 

Nessus Scan Report:

“A remote web application uses a framework that is affected by code execution and file overwrite vulnerabilities.

The remote web application appears to use Struts 2, a web framework that uses XWork.

Due to flaws in multiple Struts2 'Interceptor' classes (CookieInterceptor, ParametersInterceptor, and DebuggingInterceptor) that fail to properly sanitize user-supplied input, a remote attacker can run arbitrary Java code or overwrite files on the remote host by sending a specially crafted HTTP request.

Upgrade to Struts2 2.3.1.1 or later.

http://struts.apache.org/docs/s2-008.html

CVE-2012-0392”

 

This was verified using the following HTTP request:

 

GET / HTTP/1.1

Host: BroadcomTest127.company.com:32021

Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1

Accept-Language: en

Connection: Keep-Alive

Cookie: dtCookie=1$F12DA13E08E954CF367802D373FCE28D

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

Pragma: no-cache

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

 

[email protected] /root:>oc exec -n caapm  caagent-nxnvf -- ss -tulpn|grep 32021

tcp    LISTEN     0      128      :::32021                :::*                  

 

Cause

Per engineering, there is an issue, and the image on Docker Hub has been updated with the fix.

 

Environment

Release : 10.7.0

Component : APM Agents

Resolution

Download the updated version from Docker Hub.

If connecting to a 10.7 EM, pass this additional environment variable in both the DaemonSet and Deployment definitions in the YAML file:

- name: apmenv_introscope_agent_connection_compatibility_version
  value: "10.7"
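One way to confirm that both the DaemonSet and the Deployment carry the variable after redeploying, as an added example that is not part of the original article or the vendor's tooling. It assumes the workload definitions are exported as JSON with `oc get daemonset,deployment -n caapm -o json`; the workload and container names in the sample are hypothetical.

```python
import json

ENV_NAME = "apmenv_introscope_agent_connection_compatibility_version"
ENV_VALUE = "10.7"  # value the article gives for agents connecting to a 10.7 EM


def missing_compat_env(workload_list):
    """Return (kind, name, container) for every DaemonSet/Deployment container
    that does not set ENV_NAME to ENV_VALUE. Init containers are not checked."""
    findings = []
    for item in workload_list.get("items", []):
        if item.get("kind") not in ("DaemonSet", "Deployment"):
            continue
        pod_spec = item.get("spec", {}).get("template", {}).get("spec", {})
        for container in pod_spec.get("containers", []):
            env = {e.get("name"): e.get("value") for e in container.get("env") or []}
            if env.get(ENV_NAME) != ENV_VALUE:
                findings.append((item["kind"], item["metadata"]["name"], container["name"]))
    return findings


# Constructed sample in the shape of `oc get daemonset,deployment -n caapm -o json`.
# Workload and container names are hypothetical.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "DaemonSet", "metadata": {"name": "caagent"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "agent", "env": [
       {"name": "apmenv_introscope_agent_connection_compatibility_version", "value": "10.7"}]}]}}}},
  {"kind": "Deployment", "metadata": {"name": "example-deployment"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "agent", "env": [{"name": "EXAMPLE_OTHER_VAR", "value": "x"}]}]}}}}
]}
""")

if __name__ == "__main__":
    for kind, name, container in missing_compat_env(SAMPLE):
        print(f"{kind}/{name} container {container}: {ENV_NAME} is not set to {ENV_VALUE}")
```

Against a live cluster, load the exported JSON in place of `SAMPLE`; an empty result means every container in both workload kinds sets the variable.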