Cross-site scripting in Apache Struts component used in IDENTIKEY Authentication Server

Advisory ID vasco-sa-20151126-ias

Revision number 1.0

Date of Release November 26, 2015 02:10 PM UTC+1

Last update November 26, 2015 02:10 PM UTC+1

Summary

Certain versions of Apache Struts are affected by a cross-site scripting vulnerability when debug mode is switched on or when JSPs are exposed in a production environment. These versions of Apache Struts are being used in IDENTIKEY Authentication Server. Even though the debug mode is switched off, some JSPs are directly accessible on the IAS server.

Impacted Products

  • IDENTIKEY (Virtual) Appliance versions 3.8 and earlier
  • IDENTIKEY Authentication Server versions 3.8 and earlier

Description

The Apache Struts project announced in October 2015 that Apache Struts version 2.0.0 up to version 2.3.16.3 are affected by a cross-site scripting vulnerability when debug mode is switched on or when JSP files are exposed in a production environment. Two CVE identifiers have been assigned to these vulnerabilities:

- CVE-2015-5169: Apache Struts is vulnerable to a cross-site scripting vulnerability when debug mode is enabled. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's web browser within the security context of the hosting Web site, once the URL is clicked.

- CVE-2015-2992: Apache Struts is vulnerable to a cross-site scripting vulnerability when accessing JSP files directly. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. 

Vulnerability CVE-2015-5169 is not applicable to the IDENTIKEY Authentication Service since debug mode is disabled by default.

Vulnerability CVE-2015-2992 is applicable since there are some JSP files that are directly accessible using a browser.

Severity Score

CVSS Base Score: 4.3
Access Vector

Access Complexity

Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Medium None None Partial None

 

Product Fixes

OneSpan will fix these vulnerabilities in the following upcoming releases:

  • IDENTIKEY (Virtual) Appliance 3.9
  • IDENTIKEY Authentication Server 3.9

Customers can protect their IAS-installation by making a modification to the web.xml configuration file. This modification will prohibit direct access to JSP's that should not be directly accessible.

In order to change the configuration, the following security-constraint and security-role must be appended to the web-app body in the web.xml configuration file:

No direct JSP access

No-JSP

/decorators/*

/include/*

/pages/*

/wizards/*

no-users

Don't assign users to this role
no-users

Location

Customers with a maintenance contract can obtain fixed product releases from MyMaintenance. Customers without a maintenance contract should contact their local sales representative.

Reference

- Apache Struts security bulletin S2-025 - https://struts.apache.org/docs/s2-025.html

- http://jvn.jp/en/jp/JVN88408929/index.html

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2992

Legal Disclaimer

WHILE EVERY REASONABLE EFFORT IS MADE TO PROCESS AND PROVIDE INFORMATION THAT IS ACCURATE, ALL THE CONTENT AND INFORMATION IN THIS DOCUMENT ARE PROVIDED "AS IS" AND “AS AVAILABLE,” WITHOUT ANY REPRESENTATION OR ENDORSEMENT AND WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OF CURRENCY, COMPLETENESS OR SUITABILITY, OR ANY WARRANTY INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE OR PURPOSE. YOUR USE OF THIS DOCUMENT, ANY INFORMATION PROVIDED, OR OF MATERIALS LINKED FROM THIS DOCUMENT IS AT YOUR OWN RISK. VASCO RESERVES THE RIGHT TO CHANGE OR UPDATE THE INFORMATION IN THIS DOCUMENT AT ANY TIME AND AT ITS DISCRETION, AS AND WHEN NEW OR ADDITIONAL INFORMATION BECOMES AVAILABLE.

Copyright © 2015 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved.

🖨 Cross-site scripting in Apache Struts component used in IDENTIKEY Authentication Server