Remote Code Execution Vulnerability in Apache Struts 2.x Resolved in Update

In an advisory published on the Confluence website maintained by the ASF community and written up by Yasser Zamani, a remote code execution vulnerability in Apache Struts 2.x is described. The discovery was made by Man Yue Mo of the Semmle Security research team. The vulnerability has since been assigned the identifier CVE-2018-11776. It affects Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 and can be exploited for remote code execution.

This vulnerability arises when a result is defined without a namespace while its upper (enclosing) action configuration either has no namespace or uses a wildcard namespace. It also arises from the use of URL tags in JSPs that set neither a value nor an action.

The advisory suggests a workaround to mitigate this vulnerability: users must ensure that a namespace is always set, without exception, for every result defined in the underlying configuration, and that both value and action are always set for URL tags in their JSPs. These points need to be checked and enforced in particular where the upper namespace does not exist or is a wildcard.
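The two configuration conditions above (results without a namespace under a package whose namespace is missing or a wildcard, and URL tags without a value or action) can be audited mechanically. The following Python script is an added example, not code from the advisory or the Struts project: it embeds a constructed struts.xml in the risky form beside the same configuration after the suggested workaround, plus a constructed JSP snippet, and reports the offending entries. The example assumes that the result types `redirectAction` and `chain` are the ones that resolve a target action and therefore take a `namespace` parameter; result names default to `success` as in Struts.

```python
import re
import xml.etree.ElementTree as ET

# Constructed struts.xml fragment (not from the advisory): a package with a
# wildcard namespace and one with no namespace at all, each holding a result
# that does not set its own namespace.
RISKY_STRUTS_XML = """<struts>
  <package name="orders" namespace="/*" extends="struts-default">
    <action name="list" class="example.ListAction">
      <result>/WEB-INF/jsp/list.jsp</result>
    </action>
    <action name="save" class="example.SaveAction">
      <result name="success" type="redirectAction">
        <param name="actionName">list</param>
      </result>
    </action>
  </package>
  <package name="legacy" extends="struts-default">
    <action name="old" class="example.OldAction">
      <result type="chain">next</result>
    </action>
  </package>
</struts>"""

# The same configuration after the advisory's workaround: every package has an
# explicit namespace and every action-resolving result sets one too.
HARDENED_STRUTS_XML = """<struts>
  <package name="orders" namespace="/orders" extends="struts-default">
    <action name="list" class="example.ListAction">
      <result>/WEB-INF/jsp/list.jsp</result>
    </action>
    <action name="save" class="example.SaveAction">
      <result name="success" type="redirectAction">
        <param name="actionName">list</param>
        <param name="namespace">/orders</param>
      </result>
    </action>
  </package>
  <package name="legacy" namespace="/legacy" extends="struts-default">
    <action name="old" class="example.OldAction">
      <result type="chain">
        <param name="actionName">next</param>
        <param name="namespace">/legacy</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed JSP snippet: the first <s:url> sets neither value nor action.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:url var="self" />
<s:url var="home" action="index" namespace="/" />
<s:a href="%{self}">reload</s:a>"""

# Assumption of this example: these result types resolve a target action at
# runtime and accept a 'namespace' parameter; view results (dispatcher,
# freemarker, ...) render a page directly and are not inspected.
ACTION_RESULT_TYPES = {"redirectAction", "chain"}


def namespace_is_missing_or_wildcard(ns):
    """True when a package namespace is absent, empty, or contains a wildcard."""
    return ns is None or ns.strip() == "" or "*" in ns


def result_sets_namespace(result):
    """True when the <result> carries a non-empty <param name="namespace">."""
    return any(p.get("name") == "namespace" and (p.text or "").strip()
               for p in result.findall("param"))


def find_results_without_namespace(struts_xml):
    """Return (package, owner, result) triples for action-resolving results that
    omit a namespace inside a package whose namespace is missing or a wildcard."""
    findings = []
    root = ET.fromstring(struts_xml)
    for pkg in root.iter("package"):
        if not namespace_is_missing_or_wildcard(pkg.get("namespace")):
            continue
        # Results live under <action> elements or the package's <global-results>.
        for container in pkg.findall("action") + pkg.findall("global-results"):
            owner = container.get("name", "global-results")
            for result in container.findall("result"):
                if result.get("type") not in ACTION_RESULT_TYPES:
                    continue
                if not result_sets_namespace(result):
                    findings.append((pkg.get("name"), owner, result.get("name", "success")))
    return findings


URL_TAG = re.compile(r"<s:url\b([^>]*?)/?>")


def find_url_tags_without_target(jsp_text):
    """Return every <s:url> tag whose attributes set neither 'value' nor 'action'."""
    return [m.group(0) for m in URL_TAG.finditer(jsp_text)
            if not re.search(r"\b(value|action)\s*=", m.group(1))]


if __name__ == "__main__":
    for pkg, owner, res in find_results_without_namespace(RISKY_STRUTS_XML):
        print(f"result '{res}' of '{owner}' in package '{pkg}' sets no namespace")
    for tag in find_url_tags_without_target(SAMPLE_JSP):
        print(f"URL tag without value/action: {tag}")
    print("hardened config findings:", find_results_without_namespace(HARDENED_STRUTS_XML))
```

Run against a real deployment, the script would be pointed at the application's struts.xml and its JSP files; the embedded samples only exist so the example runs offline. Packages with an explicit, non-wildcard namespace are skipped because the advisory ties the risk to a missing or wildcard upper namespace, but the workaround text asks for a namespace on every result regardless, which is the safer rule to enforce.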

Although the vendor states that versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are affected, it also believes that unsupported Struts versions may be at risk. For supported versions of Apache Struts, the vendor has released version 2.3.35 for the 2.3.x line and version 2.5.17 for the 2.5.x line. Users are asked to upgrade to the respective versions to avoid the risk of exploitation. The vulnerability is rated critical, so immediate action is requested.

Beyond the fix for this remote code execution vulnerability, the updates also bundle a few other security fixes released at the same time. No backward compatibility issues are expected, because the released versions contain no other miscellaneous changes.

Aaron Michael
Aaron Michael is an electrical engineer by profession and a hard-core gamer by passion. His exceptional experience with computer hardware and profound knowledge of gaming make him a very competent writer. What makes him unique is his growing interest in state-of-the-art technologies, which motivates him to learn, adopt, and integrate the latest techniques into his work.
