Does FusionAuth use Apache Struts - vulnerability scanning issue
-
Hi
We have an ongoing PCI DSS certification of our system and the Qualys scanner reports an issue with Apache Struts2 on the (self-hosted) FusionAuth 1.54.0 instance. I think it is a false positive but anyway, they want me to provide them with the Apache Struts version in use. So my question is whether FusionAuth uses Apache Struts2 at all and, if so, which version it is?
Issue details:
Apache Struts2 Multiple Vulnerabilities (S2-008).
Scanned URL:
GET /index.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('0jWw997Z') HTTP/1.1
Validation logic:
QID Detection Logic (Unauthenticated): This QID sends a specifically crafted payload with a random string command in the request to check for command execution in .action files. Vulnerable targets are expected to return the string "null" in the response.
As seen in the scanner logs, FusionAuth returns the login page for the above URL, with the JavaScript code containing the text 'null', which seems to trigger the false positive:
Prime.Document.query('.alert').each(function(e) { var dismissButton = e.queryFirst('a.dismiss-button'); if (dismissButton !== null) { new Prime.Widgets.Dismissable(e, dismissButton).initialize(); }
-
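The false-positive mechanism described in the post, as an added example that is not part of the original thread or of FusionAuth/Qualys code: it runs the scanner's "null" substring heuristic and a stricter whole-body check over a constructed login-page response (the Prime JavaScript is modelled on the excerpt above) and reports where the matching "null" actually sits. The assumption that a true positive is a bare `null` body is mine, taken from the QID description.

```python
"""Added example: triage a scanner 'null' hit against a constructed response."""
import re

# Constructed sample HTML login page (not a real FusionAuth response) whose
# inline script contains `!== null`, as in the scanner log excerpt.
LOGIN_PAGE = """<!DOCTYPE html>
<html><head><title>Login</title></head>
<body><form action="/login" method="post"></form>
<script>
Prime.Document.query('.alert').each(function(e) {
  var dismissButton = e.queryFirst('a.dismiss-button');
  if (dismissButton !== null) {
    new Prime.Widgets.Dismissable(e, dismissButton).initialize();
  }
});
</script></body></html>
"""

# Constructed: what the QID description says a vulnerable target returns.
VULNERABLE_BODY = "null"


def naive_null_check(body: str) -> bool:
    """The heuristic as described in the QID: any 'null' substring is flagged."""
    return "null" in body


def strict_null_check(body: str) -> bool:
    """Assumed stricter rule: only a response that IS the literal 'null' counts."""
    return body.strip() == "null"


def null_contexts(body: str, width: int = 20):
    """Return (snippet, inside_script) for every whole-word 'null' in the body."""
    script_spans = [m.span(1) for m in
                    re.finditer(r"<script[^>]*>(.*?)</script>", body, re.S | re.I)]
    hits = []
    for m in re.finditer(r"\bnull\b", body):
        start, end = m.span()
        in_script = any(a <= start and end <= b for a, b in script_spans)
        hits.append((body[max(0, start - width):end + width].strip(), in_script))
    return hits


def triage(body: str) -> dict:
    """Both verdicts side by side, so a reviewer can see why the scanner fired."""
    naive, strict = naive_null_check(body), strict_null_check(body)
    return {"naive": naive, "strict": strict, "false_positive": naive and not strict}
```

Running `triage(LOGIN_PAGE)` flags the page under the naive rule only, and `null_contexts` shows the single hit is `!== null` inside the script element.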