Versions Compared

Old Version 1

changes.mady.by.user René Gielen

Saved on

compared with

New Version Current

changes.mady.by.user René Gielen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Summary

Excerpt

Possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn’t have value and action set and in same time, its upper package have no or wildcard namespacePrevious Security Bulletins contained incorrect affected release version ranges.


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn’t have value and action set and in same time, its upper package have no or wildcard namespaceIf a production system using Struts 2 has been updated to fix a particular historic security issue and was not updated thereafter to fix later documented security issues up to and including S2-057, it is possible that said production system is still vulnerable to the specific vulnerability that was meant to be fixed by a taking measures as explained in the affected historic security issue bulletin.

Maximum security rating

MediumModerate

Recommendation

Upgrade to Struts 2.3.35 or Struts 2.5.17

Affected Software

Struts 2.0.4 - Struts 2.3.34, Struts 2.5.0 - Struts 2.5.1612

Reporter

Man Yue Mo from the Semmle Security Research teamChristopher Fearon and the Black Duck Research Team within the Synopsys Cybersecurity Research Center

CVE Identifier

CVE-2018-11776

Problem

It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn’t have value and action set and in same time, its upper package configuration have no or wildcard namespaceStruts Security Bulletins contain a listing of affected GA release versions for given issues, along with a recommended minimum GA release version to fix this particular issue. Thorough investigations conducted by the reporting entity revealed that in many cases more Struts releases were affected than originally reported and that higher minimum fix versions are required.

Solution

Upgrade to Apache Struts version 2.3.35 or 2.5.17.

List of Security Bulletins with Affected Version Changes

Security BulletinPreviously announced Affected
Versions
ReleasesUpdated Affected
Versions
GA ReleasesMinimum Fix
Versions
GA ReleasesCVE Identifiers
S2-0022.0.0 - 2.0.11

2.0.0 - 2.1.8.1

2.2.1
S2-0032.0.0 - 2.0.11.22.0.0 - 2.1.8.12.2.1

CVE-2008-6504

S2-0042.0.0 - 2.0.11.2

2.0.0 - 2.0.11.2

2.1.0 - 2.1.2

2.0.12

2.1.6

CVE-2008-6505

S2-0082.1.0 - 2.3.1

2.0.0 - 2.2.3

2.0.0 - 2.3.17

Both 2.3.35 and 2.5.17 versions contain the security fixes only, nothing more. No backward incompatibility issues are expected.

Workaround

Note

This is a temporal weak workaround. Please upgrade to Apache Struts version 2.3.35 or 2.5.17 ASAP because they also contain critical overall proactive security improvements

...

2.2.3.1

2.3.18

CVE-2012-0391

CVE-2012-0394

S2-012Struts Showcase App 2.0.0 - 2.3.132.0.0 - 2.3.14.22.3.14.3

CVE-2013-1965

S2-013

2.0.0 - 2.3.13

2.0.0 - 2.3.14.1

2.3.14.2

CVE-2013-1966

S2-020

2.0.0 - 2.3.16

2.0.0 - 2.3.16.12.3.16.2

CVE-2014-0094

S2-0212.0.0 - 2.3.16.1

2.0.0 - 2.3.16.3

2.3.20

CVE-2014-0112

CVE-2014-0113

S2-0222.0.0 - 2.3.16.12.0.0 - 2.3.16.32.3.20

CVE-2014-0116

S2-041

2.3.20 - 2.3.28.1

2.5

2.3.20 - 2.3.28.1

2.5 - 2.5.12

2.3.29

2.5.13

CVE-2016-4465

S2-042

2.3.20 - 2.3.30

2.3.1-2.3.30

2.5 - 2.5.2

2.3.31

2.5.5

CVE-2016-6795

S2-044

2.5 - 2.5.5

2.5 - 2.5.122.5.13

CVE-2016-8738

S2-048Struts Showcase App 2.3.x

2.1.x - 2.3.x

-

CVE-2017-9791

S2-051

2.3.7 - 2.3.33

2.5 - 2.5.12

2.1.6 - 2.3.33

2.5 - 2.5.12

2.3.34

2.5.13

CVE-2017-9793

S2-053

2.0.1-2.3.33

2.5-2.5.10

2.0.0-2.3.33

2.5-2.5.10.1

2.3.34

2.5.12

CVE-2017-12611


Note

While the individual listed bulletins contain updated minimum fix versions, it is strongly recommended to update to the version recommended by the latest Security Bulletin, which is at least S2-057 by the time of this announcement. Following this advice, the recommended minimum Struts versions to operate in production are Struts 2.3.35 or Struts 2.5.17.