Apache Releases Security Advisory for Struts 2, CVE-2021-31805 for Symantec VIP
Article ID: 240743

Products

VIP Service

Issue/Introduction

We were notified of the following vulnerability in Struts in the version range 2.0.0 to 2.5.29, and an Apache struts2-2.5.26 version was found in our install directory for VIP Enterprise Gateway (/opt/Symantec VIP_Enterprise_Gateway/). Please advise whether a fix or workaround is expected.

Solution
Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 or greater, which checks that expression evaluation will not lead to double evaluation.

Notification:
Original release date: April 12, 2022
The Apache Software Foundation has released a security advisory to address a vulnerability in Struts in the version range 2.0.0 to 2.5.29. An attacker could exploit this vulnerability to take control of an affected system.  
CISA encourages users and administrators to review Apache’s security advisory S2-062 and upgrade to the latest released version.

Link to the security advisory S2-062: https://cwiki.apache.org/confluence/display/WW/S2-062

Environment

Release : 1.0

Component : VIP Enterprise Gateway

Cause

CVE-2021-31805

Resolution

Steps to replace Struts jars – Applicable 9.9.1 and 9.9.2 VIP Enterprise Gateway

EG Console:

  1. Download the latest struts libraries from https://dlcdn.apache.org/struts/2.5.30/struts-2.5.30-all.zip
  2. Stop EG Console service.
  3. Navigate to the <VRSN_MAUTH_HOME>/VIP_Enterprise_Gateway/server/webapps directory.
  4. Keep a backup of vipconsole.war.
  5. Unzip vipconsole.war to a temp folder.
  6. Navigate to <unzipped temp folder>/vipconsole/WEB-INF/lib.
  7. Replace struts2-core-2.5.26.jar with struts2-core-2.5.30.jar and struts2-tiles-plugin-2.5.26.jar with struts2-tiles-plugin-2.5.30.jar (downloaded in step 1).
  8. Zip the entire contents of <unzipped temp folder> to vipconsole.war.
  9. Replace the new vipconsole.war in <VRSN_MAUTH_HOME>/VIP_Enterprise_Gateway/server/webapps.
  10. Remove the contents under <VRSN_MAUTH_HOME>/VIP_Enterprise_Gateway/server/work/*
  11. Start EG Console service.
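As an added example (not part of the Symantec article), the jar swap in steps 4 to 9 done with Python's zipfile module on a constructed stand-in for vipconsole.war: it backs up the WAR, drops the 2.5.26 jars, adds the 2.5.30 jars under WEB-INF/lib, and lists the Struts jars so the result can be checked before and after. The sample WAR and jar contents are placeholder bytes, not real Struts; stopping the service and clearing server/work (steps 2, 10, 11) are left to the operator.

```python
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# The 2.5.26 jars the procedure removes from vipconsole.war and their 2.5.30 replacements.
OLD_JARS = {"struts2-core-2.5.26.jar", "struts2-tiles-plugin-2.5.26.jar"}
NEW_JARS = ("struts2-core-2.5.30.jar", "struts2-tiles-plugin-2.5.30.jar")

def struts_jars(war_path):  # Struts2 jar names under WEB-INF/lib, for the before/after check
    with zipfile.ZipFile(war_path) as war:
        return sorted(os.path.basename(n) for n in war.namelist()
                      if n.startswith("WEB-INF/lib/struts2-"))

def patch_war(war_path, new_jar_paths, old_jar_names=OLD_JARS):
    """Rewrite the WAR without old_jar_names and with new_jar_paths under WEB-INF/lib; keeps a .bak copy (step 4)."""
    war_path = Path(war_path)
    backup = war_path.with_name(war_path.name + ".bak")
    shutil.copy2(war_path, backup)
    tmp = war_path.with_name(war_path.name + ".tmp")
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if os.path.basename(info.filename) not in old_jar_names:  # drop only the 2.5.26 jars
                dst.writestr(info, src.read(info.filename))
        for jar in new_jar_paths:
            dst.write(jar, "WEB-INF/lib/" + os.path.basename(jar))
    os.replace(tmp, war_path)  # swap in the rebuilt WAR on the same filesystem
    return struts_jars(war_path)

def build_sample_war(workdir):
    """Constructed stand-in for vipconsole.war plus 2.5.30 jars (placeholder bytes, not real Struts)."""
    war = Path(workdir) / "vipconsole.war"
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/other-lib-1.0.jar", b"unrelated jar, must survive")
        for old in OLD_JARS:
            z.writestr("WEB-INF/lib/" + old, b"vulnerable jar placeholder")
    new = [Path(workdir) / n for n in NEW_JARS]
    for p in new:
        p.write_bytes(b"patched jar placeholder")
    return war, new

def demo():
    """Run the swap on the constructed WAR; returns (before, after, unrelated_jar_kept)."""
    with tempfile.TemporaryDirectory() as d:
        war, new = build_sample_war(d)
        before, after = struts_jars(war), patch_war(war, new)
        with zipfile.ZipFile(war) as z:
            kept = "WEB-INF/lib/other-lib-1.0.jar" in z.namelist()
        return before, after, kept
```

On a real install, call patch_war on the copy of vipconsole.war taken in step 4 with the two 2.5.30 jars extracted from struts-2.5.30-all.zip, then confirm struts_jars reports only 2.5.30 entries.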

Note: 

This vulnerability is fixed in the 9.10 VIP Gateway release, which is available for download from VIP Manager. The release notes can be referenced for this.

VIP EG 9.10 Release Notes

Additional Information

Extracting a WAR File in Linux