Apache Struts2, CVE-2018-11776, Remote Code Execution, S2-057
This vulnerability can lead to remote code execution. PoC has been made publicly available and may lead to significant, extensive impact.
On August 22, Apache disclosed a remote code execution (RCE) vulnerability that has been asigned the CVE number CVE-2018-11776. This vulnerability could be triggered when:
- using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Or
- using url tag which doesn’t have value and action set.
Reference link: https://cwiki.apache.org/confluence/display/WW/S2-057
NSFOCUS will release a detailed analysis and protection solution very soon. Stay tuned!
Struts 2.3 – 2.3.34
Struts 2.5 – 2.5.16
Apache has fixed this vulnerability in its new versions. Users are advised to upgrade to Apache Struts version 2.3.35 or 2.5.17.If you are a developers, you can upgrade and release their applications by configuring Maven or Gradle. Or you can download and use the new Struts frame.
|<!– https://mvnrepository.com/artifact/org.apache.struts/struts2-core –>
compile group: ‘org.apache.struts’, name: ‘struts2-core’, version: ‘2.5.17‘
Check all Struts 2 configuration files such as struts.xml and set namespace for all package nodes not defined yet.
|<package name=”user” namespace=”/user” extends=”struts-default”>