Tag:
Apache Struts2, CVE-2018-11776, Remote Code Execution, S2-057
Severity: Critical
This vulnerability can lead to remote code execution. A PoC has been made publicly available, which may lead to significant, extensive impact.
Description
On August 22, Apache disclosed a remote code execution (RCE) vulnerability that has been assigned CVE-2018-11776. This vulnerability could be triggered when:
- results are used with no namespace and, at the same time, their upper action(s) have no namespace or a wildcard namespace; or
- a url tag is used that does not have value and action set.
Reference link: https://cwiki.apache.org/confluence/display/WW/S2-057
NSFOCUS will release a detailed analysis and protection solution very soon. Stay tuned!
Affected Versions
Struts 2.3 – 2.3.34
Struts 2.5 – 2.5.16
Unaffected Versions
Struts 2.3.35
Struts 2.5.17
Solution
Apache has fixed this vulnerability in its new versions. Users are advised to upgrade to Apache Struts version 2.3.35 or 2.5.17. Developers can upgrade and re-release their applications by configuring Maven or Gradle, or can download and use the new Struts framework.
Maven
<!-- https://mvnrepository.com/artifact/org.apache.struts/struts2-core -->
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>2.5.17</version>
</dependency>
Gradle
// https://mvnrepository.com/artifact/org.apache.struts/struts2-core
compile group: 'org.apache.struts', name: 'struts2-core', version: '2.5.17'
Download
Struts 2.3.35: http://mirrors.hust.edu.cn/apache/struts/2.3.35/struts-2.3.35-all.zip
Struts 2.5.17: http://mirrors.hust.edu.cn/apache/struts/2.5.17/struts-2.5.17-all.zip
Workaround
Check all Struts 2 configuration files, such as struts.xml, and set a namespace for every package node that does not yet define one.
<package name="user" namespace="/user" extends="struts-default">
    <action name="login"> </action>
</package>
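One way to carry out the configuration check described in this workaround is sketched below. It is an added example, not code from NSFOCUS or Apache. It lists every package node that has no namespace or a wildcard namespace. The file pattern `struts*.xml`, the treatment of `*` as the wildcard marker, the function names and the sample configuration are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample config (not from the advisory).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <package name="user" namespace="/user" extends="struts-default">
    <action name="login"/>
  </package>
  <package name="legacy" extends="struts-default">
    <action name="index"/>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="show"/>
  </package>
</struts>
"""

def audit_packages(xml_data):
    """Return (package name, reason) for each <package> to review."""
    findings = []
    for pkg in ET.fromstring(xml_data).iter("package"):
        name = pkg.get("name", "<unnamed>")
        ns = pkg.get("namespace")
        if ns is None or not ns.strip():
            findings.append((name, "no namespace set"))
        elif "*" in ns:  # assumption: "*" marks a wildcard namespace
            findings.append((name, "wildcard namespace " + ns))
    return findings

def audit_tree(root, pattern="struts*.xml"):
    """Audit matching files below root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob(pattern):
        try:
            found = audit_packages(path.read_bytes())
        except (ET.ParseError, OSError) as exc:
            found = [("<file>", "not parsed: %s" % exc)]
        if found:
            report[str(path)] = found
    return report

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in audit_tree(root).items():
        print(path, found)
```

Run it against the unpacked application or source tree. Files that fail to parse are reported rather than skipped, so they can be reviewed by hand.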