Tag:  

Apache Struts2, CVE-2018-11776, Remote Code Execution, S2-057

Severity:Critical

This vulnerability can lead to remote code execution. PoC has been made publicly available and may lead to significant, extensive impact.

Description

On August 22, Apache disclosed a remote code execution (RCE) vulnerability that has been asigned the CVE number CVE-2018-11776.  This vulnerability could be triggered when:

  • using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Or
  • using url tag which doesn’t have value and action set.

Reference link: https://cwiki.apache.org/confluence/display/WW/S2-057

NSFOCUS will release a detailed analysis and protection solution very soon. Stay tuned!

Affected Versions

 Struts 2.3 – 2.3.34
 Struts 2.5 – 2.5.16

Unaffected Versions
 Struts 2.3.35
 Struts 2.5.17

Solution

Apache has fixed this vulnerability in its new versions. Users are advised to upgrade to Apache Struts version 2.3.35 or 2.5.17.If you are a developers, you can upgrade and release their applications by configuring Maven or Gradle. Or you can download and use the new Struts frame.

Maven

<!– https://mvnrepository.com/artifact/org.apache.struts/struts2-core –>

<dependency>

<groupId>org.apache.struts</groupId>

<artifactId>struts2-core</artifactId>

<version>2.5.17</version>

</dependency>

Gradle

// https://mvnrepository.com/artifact/org.apache.struts/struts2-core

compile group: ‘org.apache.struts’, name: ‘struts2-core’, version: ‘2.5.17

Download

Struts2.3.35 http://mirrors.hust.edu.cn/apache/struts/2.3.35/struts-2.3.35-all.zip
Struts2.5.17 http://mirrors.hust.edu.cn/apache/struts/2.5.17/struts-2.5.17-all.zip

Workaround

Check all Struts 2 configuration files such as struts.xml and set namespace for all package nodes not defined yet.

<package name=”user” namespace=”/user” extends=”struts-default”>

<action name=”login”>

</action>

</package>

 

Leave a Reply

Your email address will not be published. Required fields are marked *