
Summary

Possible Remote Code Execution when a result is defined with no namespace while its enclosing action(s) have no namespace or a wildcard namespace. The same applies when using a url tag that has neither value nor action set.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution when a result is defined with no namespace while its enclosing action(s) have no namespace or a wildcard namespace. The same applies when using a url tag that has neither value nor action set.

Maximum security rating

Critical

Recommendation

Upgrade to Struts 2.3.35 or Struts 2.5.17

Affected Software

Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16

Reporter

Man Yue Mo from the Semmle Security Research team

CVE Identifier

CVE-2018-11776

Problem

It is possible to perform an RCE attack when the namespace value isn't set for a result defined in the underlying configuration and, at the same time, the configuration of its enclosing action(s) has no namespace or a wildcard namespace. The same applies when a url tag has neither value nor action set and, at the same time, the configuration of its enclosing action(s) has no namespace or a wildcard namespace.

Solution

Upgrade to Apache Struts version 2.3.35 or 2.5.17.

Backward compatibility

Both 2.3.35 and 2.5.17 versions contain the security fixes only, nothing more. No backward incompatibility issues are expected.

We have received reports that in some cases backward compatibility issues can occur; they are related to using ArrayList directly in conversion logic. You should see a WARN in the logs stating that ArrayList is excluded. In that case, define the constant below in your struts.xml:

<constant name="struts.excludedPackageNames" value="
    ognl.,
    javax.,
    freemarker.core.,
    freemarker.template.,
    freemarker.ext.rhino.,
    sun.reflect.,
    javassist.,
    com.opensymphony.xwork2.ognl.,
    com.opensymphony.xwork2.security." 
/>

We are working on a new release to fix that problem.

Workaround

This is a temporary, weak workaround. Please upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible, because those releases also contain critical overall proactive security improvements.

Verify that you have set (and do not forget to keep setting) a namespace, where applicable, for every result defined in the underlying configuration. Also verify that you have set (and do not forget to keep setting) a value or action for every url tag in your JSPs. Both are needed only when the configuration of the enclosing action(s) has no namespace or a wildcard namespace.
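A small audit script to help with the verification described above. It is an added example, not part of this advisory or of Struts itself: it parses a struts.xml and flags results under packages with no namespace or a wildcard namespace that do not declare an explicit namespace param, and scans JSP text for s:url tags that set neither value nor action. The sample configuration and JSP fragment are constructed, and the assumption that only redirectAction and chain results resolve a namespace is the script's own (widen NAMESPACE_AWARE_RESULT_TYPES if you want every result checked).

```python
"""Audit helper for the S2-057 workaround (added example, not Struts code)."""
import re
import xml.etree.ElementTree as ET

# Assumption for this audit: these result types take a "namespace" param.
NAMESPACE_AWARE_RESULT_TYPES = {"redirectAction", "chain"}

# Constructed sample struts.xml: "wild" is the risky pattern, "fixed" sets the
# namespace explicitly, "plain" has a concrete (non-wildcard) package namespace.
SAMPLE_STRUTS_XML = """<struts>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="start" class="example.StartAction">
      <result type="redirectAction">
        <param name="actionName">done</param>
      </result>
    </action>
  </package>
  <package name="fixed" namespace="/*" extends="struts-default">
    <action name="start" class="example.StartAction">
      <result type="redirectAction">
        <param name="actionName">done</param>
        <param name="namespace">/fixed</param>
      </result>
    </action>
  </package>
  <package name="plain" namespace="/plain" extends="struts-default">
    <action name="view" class="example.ViewAction">
      <result type="redirectAction">
        <param name="actionName">done</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed JSP fragment: the third tag has neither value nor action.
SAMPLE_JSP = """<s:url id="back" value="/index.jsp" />
<s:url action="done" namespace="/fixed" />
<s:url id="self" includeParams="all" />"""


def package_namespace_is_weak(namespace):
    """True when a package has no namespace, an empty one, or a wildcard."""
    return namespace is None or namespace.strip() == "" or "*" in namespace


def find_results_without_namespace(struts_xml):
    """Return (package, action, result) names for namespace-aware results under
    weak-namespace packages that lack <param name="namespace">."""
    root = ET.fromstring(struts_xml)
    findings = []
    for pkg in root.iter("package"):
        if not package_namespace_is_weak(pkg.get("namespace")):
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                # A result with no type attribute uses the default (dispatcher).
                if result.get("type", "dispatcher") not in NAMESPACE_AWARE_RESULT_TYPES:
                    continue
                params = {p.get("name") for p in result.findall("param")}
                if "namespace" not in params:
                    findings.append((pkg.get("name"), action.get("name"),
                                     result.get("name", "success")))
    return findings


URL_TAG = re.compile(r"<s:url\b([^>]*?)/?>", re.DOTALL)
TARGET_ATTR = re.compile(r"\b(value|action)\s*=")


def find_url_tags_without_target(jsp_text):
    """Return the raw <s:url> opening tags that set neither value nor action."""
    return [m.group(0) for m in URL_TAG.finditer(jsp_text)
            if not TARGET_ATTR.search(m.group(1))]


if __name__ == "__main__":
    for pkg, action, result in find_results_without_namespace(SAMPLE_STRUTS_XML):
        print(f"result '{result}' of action '{action}' in package '{pkg}' has no namespace")
    for tag in find_url_tags_without_target(SAMPLE_JSP):
        print(f"url tag without value/action: {tag}")
```

Run it against your own files by reading struts.xml and each JSP into the two functions; every finding is a place where the workaround (set namespace, or value/action) still needs to be applied.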

Struts 1

As we do not perform any tests against Struts 1 (Struts 1 was announced EOL), we cannot confirm that this version of Struts is not affected by the vulnerability. The example PoC used an OGNL expression to perform the RCE attack, so you can assume Struts 1 is safe, as it is not based on OGNL.
