Summary
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible Remote Code Execution when results or url tags are used without a namespace while the enclosing package configuration has no or a wildcard namespace (see Problem below) |
Maximum security rating | Medium / Moderate |
Recommendation | Upgrade to Apache Struts version 2.3.35 or 2.5.17 |
Affected Software | Struts 2.0.4 - Struts 2.3.34, Struts 2.5.0 - Struts 2.5.16 |
Reporter | Man Yue Mo from the Semmle Security Research team; Christopher Fearon and the Black Duck Research Team within the Synopsys Cybersecurity Research Center |
CVE Identifier | CVE-2018-11776 |
Problem
It is possible to perform an RCE attack when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and, at the same time, the namespace value isn't set for a result defined in the underlying configuration while the enclosing package configuration has no namespace or a wildcard namespace. The same possibility exists when a url tag is used that has neither value nor action set, while its enclosing package configuration has no namespace or a wildcard namespace.
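As an added defender's check (example code, not from the Struts project or this bulletin), the script below parses a struts.xml and reports the configuration pattern described above: struts.mapper.alwaysSelectFullNamespace switched on together with redirectAction or chain results that set no namespace param inside a package that has no namespace or a wildcard namespace. The sample configuration, the example.* class names and the restriction to those two result types are assumptions of this check; the Convention Plugin case, which enables the setting outside struts.xml, is not detected.

```python
import xml.etree.ElementTree as ET

# Result types that accept a <param name="namespace"> (assumption for this check).
RESULT_TYPES = {"redirectAction", "chain"}

# Constructed sample struts.xml (not from any real project): "login" omits the
# namespace inside a package with no namespace, "logout" sets it, and "secure"
# sits in a package with a fixed namespace, outside the advisory's precondition.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction"><param name="actionName">home</param></result>
    </action>
    <action name="logout" class="example.LogoutAction">
      <result type="redirectAction"><param name="actionName">home</param>
        <param name="namespace">/</param></result>
    </action>
  </package>
  <package name="secure" namespace="/secure" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result type="redirectAction"><param name="actionName">home</param></result>
    </action>
  </package>
</struts>"""

def always_select_full_namespace(root):
    """True if the config switches on struts.mapper.alwaysSelectFullNamespace."""
    return any(c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
               and c.get("value", "").strip().lower() == "true"
               for c in root.iter("constant"))

def find_results_without_namespace(struts_xml):
    """Return (package, action, result) for results lacking a namespace param."""
    root = ET.fromstring(struts_xml)
    findings = []
    if not always_select_full_namespace(root):  # Convention plugin not detected here
        return findings
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is not None and "*" not in ns:
            continue  # fixed namespace: not the configuration the advisory describes
        for action in pkg.iter("action"):
            for result in action.findall("result"):
                if result.get("type") not in RESULT_TYPES:
                    continue
                if not any(p.get("name") == "namespace" for p in result.findall("param")):
                    findings.append((pkg.get("name"), action.get("name"),
                                     result.get("name", "success")))
    return findings
```

Running find_results_without_namespace(SAMPLE_STRUTS_XML) reports only the "login" result in the "default" package; a package that declares a fixed namespace, or a config that leaves alwaysSelectFullNamespace off, produces no finding.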
Solution
Upgrade to Apache Struts version 2.3.35 or 2.5.17.
Both versions 2.3.35 and 2.5.17 contain only the security fixes, nothing more. No backward incompatibility issues are expected.
Workaround
Note: This is a temporary, weak workaround. Please upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible, because those releases also contain critical overall proactive security improvements.
List of Security Bulletins with Affected Version Changes
Struts Security Bulletins contain a listing of affected GA release versions for given issues, along with a recommended minimum GA release version to fix this particular issue. Thorough investigations conducted by the reporting entity revealed that in many cases more Struts releases were affected than originally reported and that higher minimum fix versions are required.
Security Bulletin | Previously announced Affected Releases | Updated Affected GA Releases | Minimum Fix GA Releases | CVE Identifiers |
---|---|---|---|---|
S2-002 | 2.0.0 - 2.0.11 | 2.0.0 - 2.1.8.1 | 2.2.1 | |
S2-003 | 2.0.0 - 2.0.11.2 | 2.0.0 - 2.1.8.1 | 2.2.1 | CVE-2008-6504 |
S2-004 | 2.0.0 - 2.0.11.2 | 2.0.0 - 2.0.11.2, 2.1.0 - 2.1.2 | 2.0.12, 2.1.6 | CVE-2008-6505 |
S2-008 | 2.1.0 - 2.3.1 | 2.0.0 - 2.2.3, 2.0.0 - 2.3.17 | 2.2.3.1, 2.3.18 | CVE-2012-0391, CVE-2012-0394 |
... | | | | |
S2-012 | Struts Showcase App 2.0.0 - 2.3.13 | 2.0.0 - 2.3.14.2 | 2.3.14.3 | CVE-2013-1965 |
S2-013 | 2.0.0 - 2.3.13 | 2.0.0 - 2.3.14.1 | 2.3.14.2 | CVE-2013-1966 |
S2-020 | 2.0.0 - 2.3.16 | 2.0.0 - 2.3.16.1 | 2.3.16.2 | CVE-2014-0094 |
S2-021 | 2.0.0 - 2.3.16.1 | 2.0.0 - 2.3.16.3 | 2.3.20 | CVE-2014-0112, CVE-2014-0113 |
S2-022 | 2.0.0 - 2.3.16.1 | 2.0.0 - 2.3.16.3 | 2.3.20 | CVE-2014-0116 |
S2-041 | 2.3.20 - 2.3.28.1, 2.5 | 2.3.20 - 2.3.28.1, 2.5 - 2.5.12 | 2.3.29, 2.5.13 | CVE-2016-4465 |
S2-042 | 2.3.20 - 2.3.30 | 2.3.1 - 2.3.30, 2.5 - 2.5.2 | 2.3.31, 2.5.5 | CVE-2016-6795 |
S2-044 | 2.5 - 2.5.5 | 2.5 - 2.5.12 | 2.5.13 | CVE-2016-8738 |
S2-048 | Struts Showcase App 2.3.x | 2.1.x - 2.3.x | - | CVE-2017-9791 |
S2-051 | 2.3.7 - 2.3.33, 2.5 - 2.5.12 | 2.1.6 - 2.3.33, 2.5 - 2.5.12 | 2.3.34, 2.5.13 | CVE-2017-9793 |
S2-053 | 2.0.1 - 2.3.33, 2.5 - 2.5.10 | 2.0.0 - 2.3.33, 2.5 - 2.5.10.1 | 2.3.34, 2.5.12 | CVE-2017-12611 |
Note: While the individual bulletins listed above contain updated minimum fix versions, it is strongly recommended to update to the version recommended by the latest Security Bulletin, which is at least S2-057 at the time of this announcement. Following this advice, the recommended minimum Struts versions to operate in production are Struts 2.3.35 or Struts 2.5.17.