[Vulnerability Warning] Apache Struts2 Remote Code Execution Vulnerability (CVE-2018-11776)

2018-08-24 09:47:52
Dear user

Hi, the JD Cloud security team has recently been monitoring the Apache Struts2 remote code execution vulnerability, official number S2-057 (CVE-2018-11776). To prevent your business from being affected, we recommend that you perform a security self-check promptly. If your deployment falls within the affected scope, please upgrade and fix the issue in time to avoid attacks from external attackers.

**Vulnerability Details**

The vulnerability is reachable when the struts.mapper.alwaysSelectFullNamespace constant is true (set explicitly in struts.xml, or by a plugin such as the Convention plugin) and an action's results are used without a namespace while the enclosing package in the XML configuration declares no namespace or a wildcard namespace (for example "/*"). The same applies to an <s:url> tag with neither value nor action set under such a package. In these cases Struts takes the namespace from the request URL and evaluates it as an OGNL expression while building the redirect URL, so a crafted URL path can lead to remote code execution in the web application.

**Risk Grade**

CVE-2018-11776: Critical

**Affecting Scope**

Struts 2.3 to Struts 2.3.34

Struts 2.5 to Struts 2.5.16

Unsupported Struts versions may also be affected, according to the Apache advisory.
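A self-check script covering both the vulnerable configuration pattern described under Vulnerability Details and the affected version ranges above. This is an added example written for this page, not JD Cloud or Apache code: the struts.xml it parses is a constructed sample, the function names are the example's own, and it checks only redirectAction results (the documented S2-057 path in struts.xml); the <s:url> tag case lives in JSP pages and is not covered.

```python
"""Self-check for S2-057 / CVE-2018-11776 exposure (added example, not vendor code).

Two checks that mirror the advisory's conditions:
  1. version check: is struts2-core inside an affected range?
  2. config check: does struts.xml enable struts.mapper.alwaysSelectFullNamespace
     and contain redirectAction results without a namespace param inside a
     package whose namespace is absent or a wildcard?
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = [((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16))]


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10): first three numeric components, zero-padded."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_version(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _full_namespace_enabled(root):
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return const.get("value", "").strip().lower() == "true"
    return False  # Struts default is false; the Convention plugin flips it to true


def audit_struts_xml(xml_text, convention_plugin=False):
    """Return human-readable findings for the S2-057 configuration pattern.

    convention_plugin=True treats alwaysSelectFullNamespace as enabled even if
    struts.xml does not set it, because the plugin enables it on its own.
    """
    root = ET.fromstring(xml_text)
    if not (convention_plugin or _full_namespace_enabled(root)):
        return []  # precondition of S2-057 not met
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is not None and "*" not in ns:
            continue  # concrete namespace: not taken from the request URL
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") != "redirectAction":
                    continue
                params = {p.get("name") for p in result.iter("param")}
                if "namespace" not in params:
                    findings.append(
                        f"package {pkg.get('name')!r} (namespace {ns!r}): "
                        f"action {action.get('name')!r} has a redirectAction "
                        f"result with no namespace param"
                    )
    return findings


def self_check(version, xml_text, convention_plugin=False):
    """Combine both checks into one report dictionary."""
    return {
        "version_affected": is_affected_version(version),
        "config_findings": audit_struts_xml(xml_text, convention_plugin),
    }


# Constructed sample struts.xml showing the risky pattern (not from any real app).
# The first package is exposed; the second sets an explicit namespace everywhere.
SAMPLE_STRUTS_XML = """<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN" "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default" namespace="/*">
    <action name="help">
      <result type="redirectAction">
        <param name="actionName">date</param>
      </result>
    </action>
  </package>
  <package name="secure" extends="struts-default" namespace="/secure">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
</struts>
"""

if __name__ == "__main__":
    report = self_check("2.5.16", SAMPLE_STRUTS_XML)
    print("struts2-core version affected:", report["version_affected"])
    for finding in report["config_findings"]:
        print("finding:", finding)
```

Run it against the struts2-core version from your pom.xml or WEB-INF/lib and your application's struts.xml. A version inside the affected range calls for an upgrade regardless of the config findings; the config findings show where the vulnerable pattern is actually reachable.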

**Fix Suggestion**

Upgrade to a fixed version:

Struts 2.3.35 release notes: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.35

Struts 2.5.17 release notes: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.17

**Reference Information**

Reference Link: https://cwiki.apache.org/confluence/display/WW/S2-057

JD Cloud team

2018-08-24 09:47:52