You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Summary

Possible Remote Code Execution when using results with no namespace.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution when using results with no namespace

Maximum security rating

Critical

Recommendation

Upgrade to Struts 2.3.35 or Struts 2.5.17

Affected Software

Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16

The unsupported Struts versions may be also affected

Reporter

Man Yue Mo from the Semmle Security Research team

CVE Identifier

CVE-2018-11776

Problem

It is possible to perform a RCE attack when namespace value isn't set for a result defined in underlying xml configurations.

Solution

Upgrade to Apache Struts version 2.3.35 or 2.5.17.

Backward compatibility

Both 2.3.35 and 2.5.17 versions contain the security fixes only, nothing more. No backward incompatibility issues are expected.

Workaround

This is a temporal weak workaround. Please upgrade to Apache Struts version 2.3.35 or 2.5.17 ASAP because they also contain overall proactive security improvements

Verify that you have set (and always not forgot to set) namespace (if is applicable) for your all defined results in underlying xml configurations.

  • No labels