In an advisory published on the Confluence website maintained by the ASF community, a remote code execution vulnerability in Apache Struts 2.x was written up and elaborated upon by Yasser Zamani. The discovery itself was made by Man Yue Mo of the Semmle Security research team. The vulnerability has since been assigned the identifier CVE-2018-11776. It affects Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 and opens up possible remote code execution.
The vulnerability arises when results are defined without a namespace while their parent actions have no namespace either, or use a wildcard namespace. It also arises from the use of URL tags that have neither a value nor an action set.
The advisory suggests a workaround to mitigate this vulnerability: users must ensure that a namespace is always set, without exception, for every result defined in the underlying configuration. In addition, users must always set a value or an action for every URL tag in their JSPs. These points need to be checked whenever the parent namespace is absent or is a wildcard.
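The two workaround conditions above can be checked mechanically. The following is an added example (not code from the advisory or the Struts project) that scans a struts.xml-style configuration for redirecting results that would inherit a missing or wildcard package namespace, and a JSP fragment for `<s:url>` tags with neither value nor action; the sample inputs are constructed, and the set of result types treated as redirecting is an assumption to extend for your own configuration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (not from any real project): one package with no
# namespace and one with a wildcard namespace, each holding a redirecting result.
SAMPLE_STRUTS_XML = """<struts>
  <package name="legacy" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction"><param name="actionName">home</param></result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="show" class="example.ShowAction">
      <result type="redirectAction">
        <param name="actionName">detail</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
</struts>"""
# Constructed JSP fragment: the first tag sets neither value nor action.
SAMPLE_JSP = '<s:url var="self" /> <s:url var="home" action="home" />'
# Result types that resolve a target namespace at request time unless pinned
# with a namespace param; assumed set, extend it for other result types you use.
REDIRECTING_RESULT_TYPES = {"redirectAction", "chain"}

def find_unpinned_results(struts_xml: str) -> list[str]:
    """Redirecting results that would inherit a missing or wildcard namespace."""
    findings = []
    for pkg in ET.fromstring(struts_xml).iter("package"):
        ns = pkg.get("namespace", "")
        if ns and "*" not in ns:
            continue  # explicit, non-wildcard package namespace: nothing to inherit
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in REDIRECTING_RESULT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip()
                          for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append(f"package={pkg.get('name')} action={action.get('name')} "
                                    f"result={result.get('name', 'success')}")
    return findings

URL_TAG = re.compile(r"<s:url\b([^>]*)>")

def find_unbound_url_tags(jsp: str) -> list[str]:
    """<s:url> tags that set neither value nor action, as the workaround requires."""
    return [m.group(0) for m in URL_TAG.finditer(jsp)
            if not re.search(r"\b(value|action)\s*=", m.group(1))]
```

Run the two functions over each struts.xml and JSP in a deployment; any finding is a result or tag that still needs its namespace, value or action pinned before the upgrade can be deferred.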
Although the vendor states that versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are affected, it also believes that unsupported Struts versions may be at risk from this vulnerability. For supported versions of Apache Struts, the vendor has released Apache Struts 2.3.35 for the 2.3.x line and 2.5.17 for the 2.5.x line. Users are asked to upgrade to the respective versions to avoid the risk of exploitation. The vulnerability is rated critical, so immediate action is requested.
Beyond the fix for these possible remote code execution vulnerabilities, the updates also bundle a few other security fixes rolled out in one go. Backward compatibility issues are not expected, as no other miscellaneous changes are part of the released versions.