Cross-site scripting in Apache Struts component used in IDENTIKEY Authentication Server
Advisory ID vasco-sa-20151126-ias
Revision number 1.0
Date of Release November 26, 2015 02:10 PM UTC+1
Last update November 26, 2015 02:10 PM UTC+1
Certain versions of Apache Struts are affected by a cross-site scripting vulnerability when debug mode is switched on or when JSPs are exposed in a production environment. These versions of Apache Struts are being used in IDENTIKEY Authentication Server. Even though the debug mode is switched off, some JSPs are directly accessible on the IAS server.
- IDENTIKEY (Virtual) Appliance versions 3.8 and earlier
- IDENTIKEY Authentication Server versions 3.8 and earlier
The Apache Struts project announced in October 2015 that Apache Struts version 2.0.0 up to version 126.96.36.199 are affected by a cross-site scripting vulnerability when debug mode is switched on or when JSP files are exposed in a production environment. Two CVE identifiers have been assigned to these vulnerabilities:
- CVE-2015-5169: Apache Struts is vulnerable to a cross-site scripting vulnerability when debug mode is enabled. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's web browser within the security context of the hosting Web site, once the URL is clicked.
- CVE-2015-2992: Apache Struts is vulnerable to a cross-site scripting vulnerability when accessing JSP files directly. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked.
Vulnerability CVE-2015-5169 is not applicable to the IDENTIKEY Authentication Service since debug mode is disabled by default.
Vulnerability CVE-2015-2992 is applicable since there are some JSP files that are directly accessible using a browser.
CVSS Base Score: 4.3
VASCO will fix these vulnerabilities in the following upcoming releases:
- IDENTIKEY (Virtual) Appliance 3.9
- IDENTIKEY Authentication Server 3.9
Customers can protect their IAS-installation by making a modification to the web.xml configuration file. This modification will prohibit direct access to JSP's that should not be directly accessible.
In order to change the configuration, the following security-constraint and security-role must be appended to the web-app body in the web.xml configuration file:
No direct JSP access
Don't assign users to this role
Customers with a maintenance contract can obtain fixed product releases from MyMaintenance. Customers without a maintenance contract should contact their local sales representative.
WHILE EVERY REASONABLE EFFORT IS MADE TO PROCESS AND PROVIDE INFORMATION THAT IS ACCURATE, ALL THE CONTENT AND INFORMATION IN THIS DOCUMENT ARE PROVIDED "AS IS" AND “AS AVAILABLE,” WITHOUT ANY REPRESENTATION OR ENDORSEMENT AND WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OF CURRENCY, COMPLETENESS OR SUITABILITY, OR ANY WARRANTY INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE OR PURPOSE. YOUR USE OF THIS DOCUMENT, ANY INFORMATION PROVIDED, OR OF MATERIALS LINKED FROM THIS DOCUMENT IS AT YOUR OWN RISK. VASCO RESERVES THE RIGHT TO CHANGE OR UPDATE THE INFORMATION IN THIS DOCUMENT AT ANY TIME AND AT ITS DISCRETION, AS AND WHEN NEW OR ADDITIONAL INFORMATION BECOMES AVAILABLE.
Copyright © 2015 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved.