Summary
Previous Security Bulletins contained incorrect affected release version ranges.

Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible Remote Code Execution when |
Maximum security rating | Medium |
Recommendation | |
Affected Software | Struts 2.0.4 - Struts 2.3.34, Struts 2.5.0 - Struts 2.5.16 |
Reporter | Man Yue Mo from the Semmle Security Research team |
CVE Identifier | CVE-2018-11776 |
Problem
Struts Security Bulletins contain a listing of affected release versions for given issues, along with a recommended minimum release version to fix this particular issue. Thorough investigations conducted by the reporting entity revealed that in many cases more Struts releases were affected than originally reported and that higher minimum fix versions are required.
Solution
Upgrade to Apache Struts version 2.3.35 or 2.5.17.
List of Security Bulletins with Affected Version Changes
Security Bulletin | Previously announced Affected Releases | Updated Affected Releases | Minimum Fix Versions | CVE Identifier |
---|---|---|---|---|
S2-002 | 2.0.0 - 2.0.11 | 2.0.0 - 2.1.8.1 | 2.2.1 | |
S2-003 | 2.0.0 - 2.0.11.2 | 2.0.0 - 2.1.8.1 | 2.2.1 | CVE-2008-6504 |
S2-004 | 2.0.0 - 2.0.11.2 | 2.0.0 - 2.0.11.2, 2.1.0 - 2.1.2 | 2.0.12, 2.1.6 | CVE-2008-6505 |
S2-008 | 2.1.0 - 2.3.1 | 2.0.0 - 2.2.3, 2.0.0 - 2.3.17 | 2.2.3.1, 2.3.18 | CVE-2012-0391, CVE-2012-0394 |
S2-012 | Struts Showcase App 2.0.0 - 2.3.13 | 2.0.0 - 2.3.14.2 | 2.3.14.3 | CVE-2013-1965 |
S2-013 | 2.0.0 - 2.3.13 | 2.0.0 - 2.3.14.1 | 2.3.14.2 | CVE-2013-1966 |
S2-020 | 2.0.0 - 2.3.16 | 2.0.0 - 2.3.16.1 | 2.3.16.2 | CVE-2014-0094 |
S2-021 | 2.0.0 - 2.3.16.1 | 2.0.0 - 2.3.16.3 | 2.3.20 | CVE-2014-0112, CVE-2014-0113 |
S2-022 | 2.0.0 - 2.3.16.1 | 2.0.0 - 2.3.16.3 | 2.3.20 | CVE-2014-0116 |
Both 2.3.35 and 2.5.17 versions contain the security fixes only, nothing more. No backward incompatibility issues are expected.
Workaround
This is a temporary, weak workaround. Please upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible, because these releases also contain critical overall proactive security improvements.
Verify that you have set (and never forgotten to set) namespace for all defined packages. Alternatively, verify that you have set (and never forgotten to set) namespace for all defined results (if applicable), and verify that you have set (and never forgotten to set) value or action for all url tags in your JSPs, when their upper package has no namespace or a wildcard namespace.
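One way to run the workaround's checks over a code base, as an added example that is not part of the advisory or of Struts itself. The sample configuration and JSP are constructed; the `s` taglib prefix and the set of result types treated as accepting a namespace parameter are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from the advisory.
SAMPLE_STRUTS_XML = """<struts>
  <package name="admin" namespace="/admin" extends="struts-default"/>
  <package name="public" extends="struts-default">
    <action name="go" class="example.GoAction">
      <result type="redirectAction"><param name="actionName">home</param></result>
      <result name="ok" type="redirectAction">
        <param name="actionName">home</param><param name="namespace">/</param>
      </result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default"/>
</struts>"""
SAMPLE_JSP = '<s:url action="list"/>\n<s:url var="self"/>\n<s:url value="/app.css"/>'
# Assumption: result types that take a "namespace" param (not listed on the page).
NAMESPACED_RESULT_TYPES = {"redirectAction", "chain", "postback"}

def open_namespace(pkg):
    """True when a <package> has no namespace or a wildcard namespace."""
    ns = (pkg.get("namespace") or "").strip()
    return ns == "" or "*" in ns

def audit_struts_xml(xml_text, types=NAMESPACED_RESULT_TYPES):
    """Return (risky package names, results in them lacking a namespace param)."""
    packages, results = [], []
    for pkg in ET.fromstring(xml_text).iter("package"):
        if not open_namespace(pkg):
            continue
        packages.append(pkg.get("name"))
        for action in pkg.iter("action"):
            for res in action.iter("result"):
                params = {p.get("name") for p in res.iter("param")}
                if res.get("type") in types and "namespace" not in params:
                    results.append((pkg.get("name"), action.get("name"),
                                    res.get("name", "success")))
    return packages, results

def url_tags_missing_target(jsp_text, prefix="s"):
    """Return 1-based line numbers of <prefix:url> tags with no value or action."""
    tag = re.compile(r"<%s:url\b([^>]*)>" % re.escape(prefix))
    attr = re.compile(r"\b(?:value|action)\s*=")
    return [jsp_text.count("\n", 0, m.start()) + 1
            for m in tag.finditer(jsp_text) if not attr.search(m.group(1))]

if __name__ == "__main__":
    print(audit_struts_xml(SAMPLE_STRUTS_XML))
    print(url_tags_missing_target(SAMPLE_JSP))
```

A clean report only covers the workaround; it does not replace the upgrade to 2.3.35 or 2.5.17.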