Vulnerability CVE-2020-17530 - CERT Civis.Net

Vulnerability Name:

CVE-2020-17530 (CCN-192743)

Assigned:

2020-12-08

Published:

2020-12-08

Updated:

2022-06-03

Summary:

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
9.1 Critical (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2020-17530

Source: CCN
Type: JVN#43969166
Apache Struts 2 vulnerable to remote code execution (S2-061)

Source: JVN
Type: Third Party Advisory
JVN#43969166

Source: MISC
Type: Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20220412 CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.

Source: CCN
Type: Apache Struts 2 Documentation S2-061
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution

Source: CONFIRM
Type: Vendor Advisory
https://cwiki.apache.org/confluence/display/WW/S2-061

Source: XF
Type: UNKNOWN
apache-struts-cve202017530-code-exec(192743)

Source: CCN
Type: Packet Storm Security [12-24-2020]
Apache Struts 2 Forced Multi OGNL Evaluation

Source: CONFIRM
Type: Patch, Third Party Advisory
https://security.netapp.com/advisory/ntap-20210115-0005/

Source: CCN
Type: CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY
KNOWN EXPLOITED VULNERABILITIES CATALOG

Source: CCN
Type: IBM Security Bulletin 6406954 (Tivoli Application Dependency Discovery Manager)
Vulnerability in Apache Struts affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-17530)

Source: CCN
Type: IBM Security Bulletin 6427953 (Tivoli Netcool/OMNIbus_GUI)
Multiple vulnerabilities is affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2021-20336, CVE-2020-17530)

Source: CCN
Type: IBM Security Bulletin 6434139 (Spectrum Symphony)
Vulnerability in Apache Struts framework affects IBM Spectrum Symphony

Source: CCN
Type: IBM Security Bulletin 6443719 (Security Guardium)
IBM Security Guardium is affected by multiple vulnerabilities (CVE-2020-17530, CVE-2020-1971)

Source: CCN
Type: IBM Security Bulletin 6565855 (Sterling Order Management)
IBM Sterling Order Management Apache Struts vulnerablity

Source: CCN
Type: IBM Security Bulletin 6593761 (Content Collector)
CVE-2020-17530 may affect Apache struts2-core used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

Source: CCN
Type: IBM Security Bulletin 6593787 (Content Collector)
CVE-2020-17530 may affect Apache struts2-core used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

Source: CCN
Type: IBM Security Bulletin 6593789 (Content Collector)
CVE-2020-17530 may affect Apache struts2-core used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

Source: CCN
Type: IBM Security Bulletin 6593791 (Content Collector)
CVE-2020-17530 may affect Apache struts2-core used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

Source: CCN
Type: IBM Security Bulletin 6620351 (Call Center for Commerce)
IBM Call Center and Apache Struts Struts upgrade strategy (various CVEs, see below)

Source: CCN
Type: IBM Security Bulletin 6620355 (Sterling Order Management)
IBM Sterling Order Management Apache Struts upgrade strategy (various CVEs, see below)

Source: CCN
Type: IBM Security Bulletin 6831813 (Netcool Operations Insight)
Netcool Operations Insight v1.6.6 contains fixes for multiple security vulnerabilities.

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: CCN
Type: Oracle Critical Patch Update Advisory - April 2021
Oracle Critical Patch Update Advisory - April 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: CCN
Type: Rapid7 Vulnerability and Exploit Database [09-14-2020]
Apache Struts 2 Forced Multi OGNL Evaluation

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:struts:*:*:*:*:*:*:*:* (Version >= 2.0.0 and < 2.5.30)

Configuration 2:

cpe:/a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*

OR cpe:/a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*

OR cpe:/a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*

OR cpe:/a:oracle:financial_services_data_integration_hub:8.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:mysql_enterprise_monitor:8.0.23:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_diameter_intelligence_hub:8.2.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_diameter_intelligence_hub:8.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_diameter_intelligence_hub:8.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_diameter_intelligence_hub:8.1.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apache:struts:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.5:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.6:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.9:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.10:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.11:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.11.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.11.2:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.12:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.13:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.14:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.0.7:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.1.0:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.1.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.1.2:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.1.3:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.1.4:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.1.5:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.1.6:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.1.8:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.1.8.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.2.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.2.1.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.2.3:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.14.3:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.13:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.14:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.15:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.15.3:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.2.3.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.8:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.7:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.4.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.4:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.3:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.1.2:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.1.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.12:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.14.2:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.14.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.15.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.16:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.15.2:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.16.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.16.2:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.16.3:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.20:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.24:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.24.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.28:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.30:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.5:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.10:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.11:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.12:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.5:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.2:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.8:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.10.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.13:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.14:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.14.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.16:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.20.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.20.3:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.24.3:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.28.1:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.29:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.31:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.32:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.33:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.34:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.6:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.9:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.10:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.11:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.14.3:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.15:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.17:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.19:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.20.2:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.21:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.22:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.23:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.24.2:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.25:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.26:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.3.27:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.16:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.4:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.6:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.7:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.9:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.17:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.18:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.19:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.20:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.21:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.22:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.23:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.24:*:*:*:*:*:*:*

OR cpe:/a:apache:struts:2.5.25:*:*:*:*:*:*:*

AND

cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:content_collector:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:business_intelligence:12.2.1.3.0::~~enterprise~~~:*:*:*:*:*

OR cpe:/a:ibm:spectrum_symphony:7.2.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_guardium:10.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_symphony:7.2.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:business_intelligence:12.2.1.4.0::~~enterprise~~~:*:*:*:*:*

OR cpe:/a:ibm:security_guardium:10.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:content_collector:4.0.0:*:*:*:email:*:*:*

OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_guardium:11.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_netcool/omnibus_gui:8.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_guardium:11.3:*:*:*:*:*:*:*

Denotes that component is vulnerable