
Summary

Previous Security Bulletins contained incorrect affected release version ranges.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and, at the same time, results are used with no namespace while the enclosing package has no namespace or a wildcard namespace. The same possibility exists when a url tag has neither value nor action set while the enclosing package has no namespace or a wildcard namespace.

Maximum security rating

Medium

Recommendation

Upgrade to Struts 2.3.35 or Struts 2.5.17

Affected Software

Struts 2.0.4 - Struts 2.3.34, Struts 2.5.0 - Struts 2.5.16

Reporter

Man Yue Mo from the Semmle Security Research team

CVE Identifier

CVE-2018-11776

Problem

Struts Security Bulletins contain a listing of affected release versions for given issues, along with a recommended minimum release version to fix this particular issue. Thorough investigations conducted by the reporting entity revealed that in many cases more Struts releases were affected than originally reported and that higher minimum fix versions are required.

Solution

Upgrade to Apache Struts version 2.3.35 or 2.5.17.

List of Security Bulletins with Affected Version Changes

| Security Bulletin | Previously announced Affected Releases | Updated Affected Releases | Minimum Fix Versions | CVE Identifier |
|---|---|---|---|---|
| S2-002 | 2.0.0 - 2.0.11 | 2.0.0 - 2.1.8.1 | 2.2.1 | |
| S2-003 | 2.0.0 - 2.0.11.2 | 2.0.0 - 2.1.8.1 | 2.2.1 | CVE-2008-6504 |
| S2-004 | 2.0.0 - 2.0.11.2 | 2.0.0 - 2.0.11.2, 2.1.0 - 2.1.2 | 2.0.12, 2.1.6 | CVE-2008-6505 |
| S2-008 | 2.1.0 - 2.3.1 | 2.0.0 - 2.2.3, 2.0.0 - 2.3.17 | 2.2.3.1, 2.3.18 | CVE-2012-0391, CVE-2012-0394 |
| S2-012 | Struts Showcase App 2.0.0 - 2.3.13 | 2.0.0 - 2.3.14.2 | 2.3.14.3 | CVE-2013-1965 |
| S2-013 | 2.0.0 - 2.3.13 | 2.0.0 - 2.3.14.1 | 2.3.14.2 | CVE-2013-1966 |
| S2-020 | 2.0.0 - 2.3.16 | 2.0.0 - 2.3.16.1 | 2.3.16.2 | CVE-2014-0094 |
| S2-021 | 2.0.0 - 2.3.16.1 | 2.0.0 - 2.3.16.3 | 2.3.20 | CVE-2014-0112, CVE-2014-0113 |
| S2-022 | 2.0.0 - 2.3.16.1 | 2.0.0 - 2.3.16.3 | 2.3.20 | CVE-2014-0116 |
| S2-041 | 2.3.20 - 2.3.28.1, 2.5 | 2.3.20 - 2.3.28.1, 2.5 - 2.5.12 | 2.3.29, 2.5.13 | CVE-2016-4465 |
| S2-042 | 2.3.20 - 2.3.30 | 2.3.1 - 2.3.30, 2.5 - 2.5.2 | 2.3.31, 2.5.5 | CVE-2016-6795 |
| S2-044 | 2.5 - 2.5.5 | 2.5 - 2.5.12 | 2.5.13 | CVE-2016-8738 |
| S2-048 | Struts Showcase App 2.3.x | 2.1.x - 2.3.x | - | CVE-2017-9791 |
| S2-051 | 2.3.7 - 2.3.33, 2.5 - 2.5.12 | 2.1.6 - 2.3.33, 2.5 - 2.5.12 | 2.3.34, 2.5.13 | CVE-2017-9793 |
| S2-053 | 2.0.1 - 2.3.33, 2.5 - 2.5.10 | 2.0.0 - 2.3.33, 2.5 - 2.5.10.1 | 2.3.34, 2.5.12 | CVE-2017-12611 |


Workaround

This is a temporary, weak workaround. Please upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible, because those releases also contain critical proactive security improvements.

Verify that you have set (and always remember to set) a namespace for all defined packages. Alternatively, verify that you have set (and always remember to set) a namespace for all defined results (where applicable), and that value or action is set for all url tags in your JSPs whenever the enclosing package has no namespace or a wildcard namespace.
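The following audit helper is an added example, not code from the Struts project or this bulletin. It parses a constructed struts.xml and reports the two conditions the workaround asks you to check: whether the struts.mapper.alwaysSelectFullNamespace constant is enabled, and which redirectAction or chain results sit in a package with no namespace or a wildcard namespace without setting an explicit namespace param of their own. The package, action and class names in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (not a real project's config): package "default"
# has no namespace, "wild" a wildcard namespace, "safe" follows the workaround.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction"><param name="actionName">home</param></result>
    </action></package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="go" class="com.example.GoAction">
      <result type="chain"><param name="actionName">next</param></result>
    </action></package>
  <package name="safe" namespace="/app" extends="struts-default">
    <action name="home" class="com.example.HomeAction">
      <result type="redirectAction"><param name="actionName">index</param>
        <param name="namespace">/app</param></result>
    </action></package>
</struts>"""

# Result types whose target namespace is derived from the request when unset.
NAMESPACE_RESULT_TYPES = {"redirectAction", "chain"}

def always_select_full_namespace(root):
    """True when the constant that enables the risky mapping behaviour is set."""
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return const.get("value", "").strip().lower() == "true"
    return False

def find_risky_results(root):
    """(package, action, result type) where the package namespace is missing/wildcard and the result sets none."""
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace") or ""
        if ns and "*" not in ns:
            continue  # explicit, non-wildcard namespace: workaround satisfied
        for action in pkg.iter("action"):
            for res in action.iter("result"):
                rtype = res.get("type", "dispatcher")
                has_ns = any(p.get("name") == "namespace" for p in res.iter("param"))
                if rtype in NAMESPACE_RESULT_TYPES and not has_ns:
                    findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings

def audit(xml_text):
    """Parse struts.xml text and run both checks; anything flagged needs fixing."""
    root = ET.fromstring(xml_text)
    return {"always_select_full_namespace": always_select_full_namespace(root),
            "risky_results": find_risky_results(root)}
```

Running audit(SAMPLE_STRUTS_XML) flags the "default" and "wild" packages and reports the constant as enabled; the "safe" package passes because its namespace is explicit and its result sets one too.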
