Summary
Possible Remote Code Execution when using results with no namespace.

Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible Remote Code Execution when using results with no namespace |
Maximum security rating | Critical |
Recommendation | Upgrade to Struts 2.3.35 or Struts 2.5.17 |
Affected Software | Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16. Unsupported Struts versions may also be affected |
Reporter | Man Yue Mo from the Semmle Security Research team |
CVE Identifier | CVE-2018-11776 |
Problem
It is possible to perform an RCE attack when the namespace
value isn't set for a result defined in the underlying XML configurations.
Solution
Upgrade to Apache Struts version 2.3.35 or 2.5.17.
Backward compatibility
Both 2.3.35 and 2.5.17 versions contain the security fixes only, nothing more. No backward incompatibility issues are expected.
Workaround
This is a temporary, weak workaround. Please upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible, because these versions also contain overall proactive security improvements.
Verify that you have set (and never forget to set) the namespace,
where applicable, for all results defined in your underlying XML configurations.
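One way to automate the verification step above, as an added example that is not part of the advisory or of the Struts project: a Python audit that lists results in a struts.xml with no namespace set, together with the enclosing package's namespace attribute. The function name, the sample configuration and the choice of result types treated as namespace-aware (`redirectAction`, `chain`, `postback`) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Assumption of this example: the result types that accept a "namespace" param.
NAMESPACE_RESULT_TYPES = {"redirectAction", "chain", "postback"}

# Constructed sample configuration (not taken from any real application).
SAMPLE_STRUTS_XML = """
<struts>
  <package name="shop" extends="struts-default">
    <action name="save" class="example.SaveAction">
      <result type="redirectAction">
        <param name="actionName">list</param>
      </result>
      <result name="error">/error.jsp</result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <global-results>
      <result name="login" type="redirectAction">
        <param name="actionName">login</param>
        <param name="namespace">/admin</param>
      </result>
    </global-results>
    <action name="update" class="example.UpdateAction">
      <result type="chain">index</result>
    </action>
  </package>
</struts>
"""

def results_without_namespace(xml_text):
    """List (package, action, result type, package namespace) per unset result."""
    findings = []
    for package in ET.fromstring(xml_text).iter("package"):
        for holder in package.findall("action") + package.findall("global-results"):
            for result in holder.findall("result"):
                rtype = result.get("type")  # untyped results are skipped here
                if rtype not in NAMESPACE_RESULT_TYPES:
                    continue
                ns = [(p.text or "").strip() for p in result.findall("param")
                      if p.get("name") == "namespace"]
                if not any(ns):  # param missing or empty
                    findings.append((package.get("name"), holder.get("name"),
                                     rtype, package.get("namespace")))
    return findings

if __name__ == "__main__":
    for finding in results_without_namespace(SAMPLE_STRUTS_XML):
        print("result without namespace:", finding)
```

Results that rely on a package-level default result type are not resolved by this check and still need manual review.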