TIBCO MFT Response to Struts CVEs: CVE-2019-0230 and CVE-2019-0233

Article ID: KB0074796

Products: TIBCO Managed File Transfer Command Center
Versions: 8.3.0 and 8.2.1

Description

Two Struts vulnerabilities have been discovered:

CVE-2019-0230: Apache Struts Potential Remote Code Execution Vulnerability
A forced double Object-Graph Navigation Language (OGNL) evaluation vulnerability that occurs when Struts evaluates raw user input inside tag attributes. An attacker could exploit this vulnerability by injecting malicious OGNL expressions into an attribute that is itself used within an OGNL expression. According to Apache, exploitation of this vulnerability could result in remote code execution (RCE).

CVE-2019-0233: A denial of service (DoS) vulnerability that results from an access permission override during a file upload.
According to the S2-060 security bulletin, an attacker may be able to modify a request during a file upload operation in a way that results in the uploaded file being set to read-only access. Once the file is uploaded, any further actions on the file will fail. Exploiting this flaw could also cause any subsequent file upload operations to fail; either outcome could result in a denial of service condition for an affected application. The DoS vulnerability was found and reported to Apache by Takeshi Terada of Mitsui Bussan Secure Directions, Inc., who is also credited in several additional vulnerability reports to the Apache Struts team, including S2-042 and S2-021.
 
MFT Releases that can be upgraded:
The Apache Struts project has released an update that resolves these issues: Struts 2.5.22.
MFT Releases 8.2.1 and 8.3.0 use Struts 2.5 and can be upgraded to the Struts 2.5.22 jars, which resolve these vulnerabilities.

MFT Releases that cannot be upgraded:
These releases use Struts 2.3. Struts 2.3 is no longer supported; there is no fix for Struts 2.3.
MFT 8.0.x
MFT 8.1.x
MFT 8.2.0
There is no upgrade path from Struts 2.3 to Struts 2.5 for releases MFT 8.2.0 and lower.
If you are running 8.0.x or 8.1.x, you should install MFT 8.2.1 and the most current 8.2.1 hotfix.
If you are running 8.2.0, you should install the SPMFT821 Service Pack and the most current 8.2.1 hotfix.
Once you are at the 8.2.1 or higher release level, you can follow the instructions below to manually upgrade the Struts files.
 
 
Instructions to manually upgrade Struts files for MFT 8.2.1 and MFT 8.3.0
The Struts upgrade files can be downloaded from https://struts.apache.org/download.cgi
Download the Full Distribution and extract these two files:
struts2-core-2.5.22.jar
struts2-tiles-plugin-2.5.22.jar

Perform the following steps for each Internet Server and Command Center. Note that these instructions use UNIX commands. Use the equivalent Windows commands, or Windows File Explorer, when running on Windows.

# Create a backup directory and move the old 2.5.20 jars out of the webapp classpath
mkdir <MFT-Install>/strutsbkup
cd <MFT-Install>/server/webapps/cfcc/WEB-INF/lib

mv struts2-core-2.5.20.jar <MFT-Install>/strutsbkup
mv struts2-tiles-plugin-2.5.20.jar <MFT-Install>/strutsbkup

# Copy the two 2.5.22 jars into the same directory
Copy these jar files to: <MFT-Install>/server/webapps/cfcc/WEB-INF/lib
struts2-core-2.5.22.jar
struts2-tiles-plugin-2.5.22.jar

Restart the MFT server

Note: hotfixes 8.3.0 HF-001 and 8.2.1 HF-003 include the Struts upgrade and can be applied to resolve the vulnerability. These fixes were not GA at the time this article was published.
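The manual jar swap above, written as a re-runnable POSIX shell script with a pre-check (which struts2-core version is currently on the classpath) and a post-check (the 2.5.22 jar, and only it, is present afterwards). This is an added example, not TIBCO's script or part of the article; it assumes the <MFT-Install>/server/webapps/cfcc/WEB-INF/lib layout and the 2.5.20 / 2.5.22 versions from the article, and takes as its second argument a directory into which the operator has already extracted the Struts Full Distribution (the directory name is an assumption). It refuses to touch the install if either 2.5.22 jar is missing, so a half-finished swap cannot leave the webapp without a struts2-core jar. The demo tree it builds with mktemp uses empty placeholder files in place of real jars so the script runs offline; the Windows variant described in the article is not covered.

```shell
#!/bin/sh
# Added example (not from the TIBCO article): back up the Struts 2.5.20 jars and
# drop in the 2.5.22 jars under an MFT 8.2.1 / 8.3.0 install, with checks.
# Assumptions: article's WEB-INF/lib layout; OLD_VER/NEW_VER from the article;
# second argument is where the operator unpacked the Struts Full Distribution.

OLD_VER=2.5.20
NEW_VER=2.5.22
JARS="struts2-core struts2-tiles-plugin"

# Print the version of the first struts2-core jar found on the webapp
# classpath of the given install, or "none" if there is no such jar.
struts_core_version() {
    lib="$1/server/webapps/cfcc/WEB-INF/lib"
    for f in "$lib"/struts2-core-*.jar; do
        [ -e "$f" ] || { echo none; return 0; }
        echo "$f" | sed 's/.*struts2-core-\(.*\)\.jar/\1/'
        return 0
    done
}

# upgrade_struts_jars <MFT-Install> <dir-with-2.5.22-jars>
# Moves the old jars to <MFT-Install>/strutsbkup and copies in the new ones.
# Returns 1 and changes nothing if a required new jar is not present.
upgrade_struts_jars() {
    install="$1"; newdir="$2"
    lib="$install/server/webapps/cfcc/WEB-INF/lib"
    bkup="$install/strutsbkup"
    for j in $JARS; do
        [ -f "$newdir/$j-$NEW_VER.jar" ] ||
            { echo "missing $j-$NEW_VER.jar in $newdir" >&2; return 1; }
    done
    mkdir -p "$bkup"
    for j in $JARS; do
        # Move the 2.5.20 jar out of the classpath only if it is actually there,
        # so the script is safe to re-run after a partial first attempt.
        [ -f "$lib/$j-$OLD_VER.jar" ] && mv "$lib/$j-$OLD_VER.jar" "$bkup/"
        cp "$newdir/$j-$NEW_VER.jar" "$lib/"
    done
    # Post-check: the new version is what the webapp will now load.
    [ "$(struts_core_version "$install")" = "$NEW_VER" ]
}

# Constructed demo tree standing in for a real install (placeholder files,
# not real jars) so the example can be run offline. Prints its root.
make_demo_install() {
    root="$(mktemp -d)"
    lib="$root/mft/server/webapps/cfcc/WEB-INF/lib"
    mkdir -p "$lib" "$root/newjars"
    for j in $JARS; do
        : > "$lib/$j-$OLD_VER.jar"
        : > "$root/newjars/$j-$NEW_VER.jar"
    done
    echo "$root"
}

# Demo run against the constructed tree.
demo="$(make_demo_install)"
echo "before: struts2-core $(struts_core_version "$demo/mft")"
upgrade_struts_jars "$demo/mft" "$demo/newjars"
echo "after:  struts2-core $(struts_core_version "$demo/mft")"
echo "backed up: $(ls "$demo/mft/strutsbkup" | tr '\n' ' ')"
rm -rf "$demo"
```

On a real host, run it as the MFT service account with the install root and the extracted distribution directory as arguments, then restart the server as the article says; struts_core_version can also be run on its own across all Internet Server and Command Center installs to confirm none still report 2.5.20.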

Issue/Introduction

TIBCO MFT Response to Struts CVEs: CVE-2019-0230 and CVE-2019-0233

Environment

All supported environments