TIBCO MFT Response to Struts CVE-2021-31805
Article ID: KB0072399
Updated On:
| Products | Versions |
|---|---|
| TIBCO Managed File Transfer Command Center | 8.4.x, 8.3.x, 8.2.1, 8.2.2 |
Description
A Struts vulnerability has been discovered:
CVE-2021-31805: The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
MFT Releases that can be upgraded:
Apache has provided an update that resolves this issue: Struts 2.5.30 and ognl 3.1.29.
MFT Releases 8.4.x, 8.3.x, 8.2.1 and 8.2.2 use Struts 2.5 and can be upgraded with Struts 2.5.30 and ognl 3.1.29 downloads that resolve this vulnerability.
CVE-2021-31805: The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
MFT Releases that can be upgraded:
Apache has provided an update that resolves this issue: Struts 2.5.30 and ognl 3.1.29.
MFT Releases 8.4.x, 8.3.x, 8.2.1 and 8.2.2 use Struts 2.5 and can be upgraded with Struts 2.5.30 and ognl 3.1.29 downloads that resolve this vulnerability.
Issue/Introduction
TIBCO MFT Response to Struts CVE-2021-31805
Environment
All supported environments
Resolution
Instructions to manually upgrade Struts files for MFT 8.4.x, 8.3.x and 8.2.x
The struts upgrade files can be downloaded from https://struts.apache.org/download.cgi
Download the Full Distribution and extract these three files:
struts2-core-2.5.30.jar
struts2-tiles-plugin-2.5.30.jar
ognl-3.1.29.jar
Perform the following steps for UNIX or Windows for each Internet Server and Command Center.
Note: The exact Struts and OGNL versions may vary between MFT versions.
UNIX
mkdir <MFT-Install>/strutsbkup
cd <MFT-Install>/server/webapps/cfcc/WEB-INF/lib
mv struts2-core-2.5.*.jar <MFT-Install>/strutsbkup
mv struts2-tiles-plugin-2.5.*.jar <MFT-Install>/strutsbkup
mv ognl-3.1.*.jar <MFT-Install>/strutsbkup
Copy these jar files to: <MFT-Install>/server/webapps/cfcc/WEB-INF/lib
struts2-core-2.5.30.jar
struts2-tiles-plugin-2.5.30.jar
ognl-3.1.29.jar
Restart the MFT server
Windows
mkdir <MFT-Install>\strutsbkup
cd <MFT-Install>\server\webapps\cfcc\WEB-INF\lib
move struts2-core-2.5.*.jar <MFT-Install>\strutsbkup
move struts2-tiles-plugin-2.5.*.jar <MFT-Install>\strutsbkup
move ognl-3.1.*.jar <MFT-Install>\strutsbkup
Copy these jar files to: <MFT-Install>\server\webapps\cfcc\WEB-INF\lib
struts2-core-2.5.30.jar
struts2-tiles-plugin-2.5.30.jar
ognl-3.1.29.jar
Restart the MFT server
The struts upgrade files can be downloaded from https://struts.apache.org/download.cgi
Download the Full Distribution and extract these three files:
struts2-core-2.5.30.jar
struts2-tiles-plugin-2.5.30.jar
ognl-3.1.29.jar
Perform the following steps for UNIX or Windows for each Internet Server and Command Center.
Note: The exact Struts and OGNL versions may vary between MFT versions.
UNIX
mkdir <MFT-Install>/strutsbkup
cd <MFT-Install>/server/webapps/cfcc/WEB-INF/lib
mv struts2-core-2.5.*.jar <MFT-Install>/strutsbkup
mv struts2-tiles-plugin-2.5.*.jar <MFT-Install>/strutsbkup
mv ognl-3.1.*.jar <MFT-Install>/strutsbkup
Copy these jar files to: <MFT-Install>/server/webapps/cfcc/WEB-INF/lib
struts2-core-2.5.30.jar
struts2-tiles-plugin-2.5.30.jar
ognl-3.1.29.jar
Restart the MFT server
Windows
mkdir <MFT-Install>\strutsbkup
cd <MFT-Install>\server\webapps\cfcc\WEB-INF\lib
move struts2-core-2.5.*.jar <MFT-Install>\strutsbkup
move struts2-tiles-plugin-2.5.*.jar <MFT-Install>\strutsbkup
move ognl-3.1.*.jar <MFT-Install>\strutsbkup
Copy these jar files to: <MFT-Install>\server\webapps\cfcc\WEB-INF\lib
struts2-core-2.5.30.jar
struts2-tiles-plugin-2.5.30.jar
ognl-3.1.29.jar
Restart the MFT server
Feedback
Yes
No
Powered by
