...
| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | Possible Remote Code Execution when |
| Maximum security rating | Medium |
| Recommendation | |
| Affected Software | Struts 2.0.4 - Struts 2.3.34, Struts 2.5.0 - Struts 2.5.16 |
| Reporter | Man Yue Mo from the Semmle Security Research team; Ben Ronallo from the Black Duck research team within Synopsys |
| CVE Identifier | CVE-2018-11776 |
Problem
Struts Security Bulletins contain a listing of affected release versions for given issues, along with a recommended minimum release version to fix this particular issue. Thorough investigations conducted by the reporting entity revealed that in many cases more Struts releases were affected than originally reported and that higher minimum fix versions are required.
...
| Security Bulletin | Previously announced Affected Releases | Updated Affected Releases | Minimum Fix Versions | CVE Identifier |
|---|---|---|---|---|
| S2-002 | 2.0.0 - 2.0.11 | 2.0.0 - 2.1.8.1 | 2.2.1 | |
| S2-003 | 2.0.0 - 2.0.11.2 | 2.0.0 - 2.1.8.1 | 2.2.1 | CVE-2008-6504 |
| S2-004 | 2.0.0 - 2.0.11.2 | 2.0.0 - 2.0.11.2; 2.1.0 - 2.1.2 | 2.0.12; 2.1.6 | CVE-2008-6505 |
| S2-008 | 2.1.0 - 2.3.1 | 2.0.0 - 2.2.3; 2.0.0 - 2.3.17 | 2.2.3.1; 2.3.18 | CVE-2012-0391; CVE-2012-0394 |
| S2-012 | Struts Showcase App 2.0.0 - 2.3.13 | 2.0.0 - 2.3.14.2 | 2.3.14.3 | CVE-2013-1965 |
| S2-013 | 2.0.0 - 2.3.13 | 2.0.0 - 2.3.14.1 | 2.3.14.2 | CVE-2013-1966 |
| S2-020 | 2.0.0 - 2.3.16 | 2.0.0 - 2.3.16.1 | 2.3.16.2 | CVE-2014-0094 |
| S2-021 | 2.0.0 - 2.3.16.1 | 2.0.0 - 2.3.16.3 | 2.3.20 | CVE-2014-0112; CVE-2014-0113 |
| S2-022 | 2.0.0 - 2.3.16.1 | 2.0.0 - 2.3.16.3 | 2.3.20 | CVE-2014-0116 |
| S2-041 | 2.3.20 - 2.3.28.1; 2.5 | 2.3.20 - 2.3.28.1; 2.5 - 2.5.12 | 2.3.29; 2.5.13 | CVE-2016-4465 |
| S2-042 | 2.3.20 - 2.3.30 | 2.3.1 - 2.3.30; 2.5 - 2.5.2 | 2.3.31; 2.5.5 | CVE-2016-6795 |
| S2-044 | 2.5 - 2.5.5 | 2.5 - 2.5.12 | 2.5.13 | CVE-2016-8738 |
| S2-048 | Struts Showcase App 2.3.x | 2.1.x - 2.3.x | - | CVE-2017-9791 |
| S2-051 | 2.3.7 - 2.3.33; 2.5 - 2.5.12 | 2.1.6 - 2.3.33; 2.5 - 2.5.12 | 2.3.34; 2.5.13 | CVE-2017-9793 |
| S2-053 | 2.0.1 - 2.3.33; 2.5 - 2.5.10 | 2.0.0 - 2.3.33; 2.5 - 2.5.10.1 | 2.3.34; 2.5.12 | CVE-2017-12611 |
...
| Note |
|---|
| This is a temporary weak workaround. Please upgrade to Apache Struts version |
| While the individually listed bulletins contain updated minimum fix versions, it is strongly recommended to update to the version recommended by the latest Security Bulletin, which is at least S2-057 at the time of this announcement. Following this advice, the recommended minimum Struts versions for production use are Struts 2.3.35 or Struts 2.5.17, and they should be applied as soon as possible because they also contain critical proactive security improvements. |
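The updated affected ranges in the table above and the minimum versions in the note are only useful if they are actually checked against what is deployed. The following script is an added example, not part of the bulletin or of the Struts project: it parses `struts2-core-<version>.jar` names as found under `WEB-INF/lib`, compares the dotted version against a subset of the inclusive ranges listed above (S2-041, S2-044, S2-051, S2-053 and S2-057), and reports which bulletins apply and which minimum version from the note to move to. The S2-057 upper bound on the 2.5 line is taken as 2.5.16, the release before the recommended 2.5.17; the jar names and the `WEB-INF/lib` layout in `SAMPLE_JARS` are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Inclusive affected ranges copied from the bulletin tables above.
# S2-048 is omitted because its "2.1.x - 2.3.x" range is not a concrete bound.
# Assumption: the S2-057 2.5 upper bound is 2.5.16 (the release before 2.5.17).
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "S2-041": [("2.3.20", "2.3.28.1"), ("2.5", "2.5.12")],
    "S2-044": [("2.5", "2.5.12")],
    "S2-051": [("2.1.6", "2.3.33"), ("2.5", "2.5.12")],
    "S2-053": [("2.0.0", "2.3.33"), ("2.5", "2.5.10.1")],
    "S2-057": [("2.0.4", "2.3.34"), ("2.5.0", "2.5.16")],
}

# Matches the core jar name as built by the Struts project, e.g. struts2-core-2.5.16.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.16.1' -> (2, 3, 16, 1); '2.5' -> (2, 5). Rejects anything non-numeric."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like a three-way comparison; '2.5' and '2.5.0' compare equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va = va + (0,) * (width - len(va))
    vb = vb + (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive bounds, matching how the bulletin tables list ranges."""
    return compare(low, version) <= 0 and compare(version, high) <= 0


def affected_bulletins(version: str) -> List[str]:
    """Bulletin IDs whose updated affected ranges contain this version."""
    return [
        bulletin
        for bulletin, ranges in AFFECTED.items()
        if any(in_range(version, low, high) for low, high in ranges)
    ]


def version_from_jar(path: str) -> Optional[str]:
    """Extract the version from a struts2-core jar path, or None for other jars."""
    match = JAR_RE.search(path)
    return match.group(1) if match else None


def recommended_fix(version: str) -> str:
    """Minimum production version from the note: 2.3.35 for pre-2.5 lines, else 2.5.17."""
    return "2.3.35" if compare(version, "2.5") < 0 else "2.5.17"


def audit(jar_paths: List[str]) -> Dict[str, dict]:
    """Map each struts2-core jar to its version, applicable bulletins and upgrade target."""
    report: Dict[str, dict] = {}
    for path in jar_paths:
        version = version_from_jar(path)
        if version is None:
            continue  # not the Struts core jar; nothing to compare
        bulletins = affected_bulletins(version)
        report[path] = {
            "version": version,
            "bulletins": bulletins,
            "upgrade_to": recommended_fix(version) if bulletins else None,
        }
    return report


# Constructed sample input: jar names as they might appear under WEB-INF/lib.
SAMPLE_JARS = [
    "WEB-INF/lib/struts2-core-2.5.16.jar",
    "WEB-INF/lib/struts2-core-2.3.34.jar",
    "WEB-INF/lib/struts2-core-2.5.12.jar",
    "WEB-INF/lib/struts2-core-2.5.17.jar",
    "WEB-INF/lib/commons-lang3-3.7.jar",
]

if __name__ == "__main__":
    for path, result in audit(SAMPLE_JARS).items():
        status = ", ".join(result["bulletins"]) or "no listed bulletin applies"
        target = f" -> upgrade to {result['upgrade_to']}" if result["upgrade_to"] else ""
        print(f"{path}: {result['version']}: {status}{target}")
```

Because the ranges are inclusive and `2.5` is treated as `2.5.0`, a deployment on exactly 2.5.12 is reported against every bulletin whose upper bound is 2.5.12, which is the reading the table intends. Extending `AFFECTED` with the remaining rows of the table is a matter of copying the "Updated Affected Releases" column; the comparison logic does not change.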