...


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and results are used with no namespace while the enclosing action package has no namespace or a wildcard namespace. The same applies to the url tag when it has neither value nor action set and its enclosing package has no namespace or a wildcard namespace.

Maximum security rating

Critical

Recommendation

Upgrade to Struts 2.3.35 or Struts 2.5.17

Affected Software

Struts 2.3 0.4 - Struts 2.3.34, Struts 2.5.0 - Struts 2.5.16

Reporter

Man Yue Mo from the Semmle Security Research team

CVE Identifier

CVE-2018-11776

...

It is possible to perform an RCE attack when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and the namespace value is not set for a result defined in the underlying configuration while the package configuration of the enclosing action(s) has no namespace or a wildcard namespace. The same applies when a url tag has neither value nor action set and the package configuration of the enclosing action(s) has no namespace or a wildcard namespace.

...

Verify that you have set (and do not forget to set) a namespace, where applicable, for all results defined in the underlying configuration, and verify the same for all defined packages. Also verify that you have set (and do not forget to set) value or action for all url tags in your JSPs. Both checks are needed only when the package configuration of the enclosing action(s) has no namespace or a wildcard namespace.
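The struts.xml part of that verification can be scripted. The following Python check is an added example, not Apache Struts project code: it assumes the namespace of a redirectAction or chain result is given as a <param name="namespace"> child, that alwaysSelectFullNamespace is set through the struts.mapper.alwaysSelectFullNamespace constant, and that the embedded struts.xml is a constructed sample; url tags in JSPs are not covered.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (not any real project's): wildcard-namespace
# package whose redirectAction result omits the "namespace" param.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result type="redirectAction"><param name="actionName">home</param></result>
    </action>
  </package>
  <package name="app" namespace="/app" extends="struts-default">
    <action name="home" class="example.HomeAction">
      <result type="redirectAction"><param name="actionName">index</param></result>
    </action>
  </package>
</struts>
"""

# Result types whose target action is selected through a "namespace" param.
NAMESPACED_RESULT_TYPES = {"redirectAction", "chain"}

def always_select_full_namespace(xml_text):
    """True when struts.xml itself sets the constant (a plugin may set it elsewhere)."""
    for c in ET.fromstring(xml_text).iter("constant"):
        if c.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return c.get("value", "").strip().lower() == "true"
    return False

def package_namespace_is_weak(pkg):
    """No namespace attribute, or a wildcard one: the advisory's 'upper package' condition."""
    ns = pkg.get("namespace")
    return not ns or "*" in ns

def find_results_without_namespace(xml_text):
    """Namespaced result types lacking a namespace param inside weak-namespace packages."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        if not package_namespace_is_weak(pkg):
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type", "dispatcher") not in NAMESPACED_RESULT_TYPES:
                    continue
                if not any(p.get("name") == "namespace" and (p.text or "").strip()
                           for p in result.findall("param")):
                    findings.append((pkg.get("name"), action.get("name"),
                                     result.get("type")))
    return findings
```

Run it over each struts.xml in a build and treat any finding in a deployment that enables alwaysSelectFullNamespace as a configuration to fix before upgrading is complete.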

Struts 1

As we do not run any tests against Struts 1 (Struts 1 has been announced EOL), we cannot confirm that this version of Struts is not affected by the vulnerability. The example PoC used an OGNL expression to perform the RCE attack, so you can assume Struts 1 is safe as it is not based on OGNL.