Published on: 06 September 2017
Last update on: 08 September 2017
Apache has released a new version of Apache Struts with fixes for multiple vulnerabilities affecting the Struts REST plugin and URLValidator. A remote attacker could exploit the vulnerabilities by sending a specially crafted request containing an invalid XML payload or a malformed URL to the affected system.
Reports indicate that the vulnerability mentioned in S2-052 is being actively exploited in the wild.
A successful attack could lead to a denial-of-service (DoS) condition and arbitrary code execution on an affected system.
Administrators of affected systems should upgrade Apache Struts 2 to version 2.5.13 or 2.3.34 to address the issues. The update and further details are available from the references listed at the end of this alert.
Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
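To help administrators confirm whether deployed instances have reached the fixed releases named above, here is an added Python example (not code from this alert or from the Struts project) that compares a version string against 2.3.34 and 2.5.13 branch by branch; the fixed versions come from the alert, while the function names, the treatment of versions outside the 2.3 and 2.5 branches, and the sample inputs are assumptions of the example.

```python
"""Branch-aware check of an Apache Struts 2 version against the fixed releases
named in this advisory: 2.3.34 for the 2.3 branch, 2.5.13 for the 2.5 branch.

Added example, not code from the advisory or the Struts project. The fixed
versions come from the advisory text; function names and sample inputs are
constructed for illustration.
"""
import re

# Minimum fixed release per maintained branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    (2, 3): (2, 3, 34),
    (2, 5): (2, 5, 13),
}


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1); reject anything but dotted integers."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)\s*$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(version_text):
    """True if the version carries the S2-050/051/052 fixes.

    A naive 'version >= 2.3.34' test would wrongly accept 2.5.0 through 2.5.12,
    so the comparison is made within the release branch. Versions older than
    2.3 are reported as unfixed; anything newer than 2.5 is assumed (an
    assumption of this example, not a statement of the advisory) to be fixed.
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v >= FIXED_BY_BRANCH[branch]
    return branch > (2, 5)


def needs_upgrade(versions):
    """Return the version strings that are unfixed or unparseable."""
    flagged = []
    for text in versions:
        try:
            if not is_fixed(text):
                flagged.append(text)
        except ValueError:
            flagged.append(text)  # unknown string: treat as unfixed, never as safe
    return flagged
```

Running `needs_upgrade(["2.3.33", "2.3.34", "2.5.10.1", "2.5.13", "2.5.0", "n/a"])` on that constructed inventory flags 2.3.33, 2.5.10.1, 2.5.0 and the unparseable entry, while the two fixed releases pass.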
http://struts.apache.org/docs/s2-050.html
http://struts.apache.org/docs/s2-051.html
http://struts.apache.org/docs/s2-052.html
https://www.hkcert.org/my_url/en/alert/17090601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805
http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html