Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

2020-08-13 Thread Zahid Rahman
Thanks, I will set up Tomcat with Apache as described here: https://en.m.wikipedia.org/wiki/Apache_JServ_Protocol
Then try to replicate the OGNL injection vulnerability. It should be fun!
On Fri, 14 Aug 2020, 07:38 Rene Gielen, wrote:
> In Java and Java EE, typical vectors for RCEs, injecting

Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

2020-08-13 Thread Rene Gielen
In Java and Java EE, typical vectors for RCEs, injecting code to be executed, include expressions where expression languages are supported (JUEL, SpEL or, in the case of Struts 2, OGNL) or serialization attacks. Once the code is injected, it operates with the OS rights of the running user (e.g. UID

Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

2020-08-13 Thread Zahid Rahman
> Definitely a possibility
You doubt yourself. I think it is not a misunderstanding for certain.
On Fri, 14 Aug 2020, 01:42 Dave Newton, wrote:
> On Thu, Aug 13, 2020 at 20:08 Zahid Rahman wrote:
> > Maybe I misunderstand
> Definitely a possibility.
> --
> em: davelnew...@gmail.com

Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

2020-08-13 Thread Dave Newton
On Thu, Aug 13, 2020 at 20:08 Zahid Rahman wrote:
> Maybe I misunderstand
Definitely a possibility.
--
em: davelnew...@gmail.com mo: 908-380-8699 tw: @dave_newton li: dave-newton gh: davelnewton

Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

2020-08-13 Thread Zahid Rahman
Maybe I misunderstand, there has always existed an Apache solution to prevent anyone executing code on the application server. It's like a 20-year-old solution. See www.backbutton.co.uk for more details. https://backbutton.co.uk/
Backbutton.co.uk ¯\_(ツ)_/¯ ♡۶Java♡۶RMI ♡۶
On Thu, 13 Aug 2020 at 1

Re: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

2020-08-13 Thread Zahid Rahman
Maybe I misunderstand, there has always existed an Apache solution to prevent anyone executing code on the application server. It's like a 20-year-old solution. See www.backbutton.co.uk for more details. https://backbutton.co.uk/
On Thu, 13 Aug 2020, 11:18 Rene Gielen, wrote:
> Two new Struts

[ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

2020-08-13 Thread Rene Gielen
Two new Struts Security Bulletins have been issued for Struts 2 by the Apache Struts Security Team:
[1] S2-059 - Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (CVE-2019-0230)
[2] S2-060 - Access permission override causing a D