Security Alert (A17-07-02): Vulnerability in Apache Struts

Description:

A vulnerability is relevant if the Apache Struts system adopts the "Struts 2 Struts 1 plugin". A remote attacker could exploit the vulnerability by sending special crafted URL requests to the affected system to allow remote code execution.

Affected Systems:

• Apache Struts 2.3.x

Impact:

A successful attack could lead to arbitrary code execution on an affected system.

Recommendation:

Administrators of the affected systems should follow the recommendations provided by the Apache Software Foundation for Struts below and take immediate actions to mitigate the risk.

1. Upgrade the Apache Struts2 to 2.5.10.1 to address the issue. The update is available at:
   http://www-eu.apache.org/dist/struts/2.5.10.1/
   
   
2. Stop using Struts 1 plugins in Struts 2.3.x and remove the Showcase Webspp, if deployed before.
   
   
3. Review the code of the affected applications where developers should use resource keys, instead of passing a raw message to the ActionMessage.
   
   

For details, please refer to

http://struts.apache.org/docs/s2-048.html

More Information:

http://struts.apache.org/docs/s2-048.html
http://struts.apache.org/announce.html#a20170707
http://www.cnvd.org.cn/flaw/show/CNVD-2017-13259
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9791