Published on: 23 August 2018
Last update on: 24 August 2018
Apache has released a new version of Apache Struts to address a vulnerability caused by misconfiguration in namespace. A remote attacker could exploit the vulnerability by sending a specially crafted request to the affected systems.
Reports indicate that the vulnerability mentioned in S2-057 allows an attacker to perform arbitrary code execution through specially crafted requests. Please prioritise to patch the affected systems.
IMMEDIATE ACTION is further requested to fix the severe vulnerability CVE-2018-11776 for all systems installed with Apache Struts 2. Since proof-of-concept and fully workable exploit codes targeting the vulnerability have been publicly available, attacks against any of the vulnerable systems are highly likely from now on.
Successful exploitation of the vulnerability could lead to remote code execution on an affected system.
Administrators of the affected systems should upgrade the Apache Struts to version 2.5.17 or 2.3.35 to address the issues. The update is available at:
https://struts.apache.org/download.cgi
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk. Details are available at:
https://cwiki.apache.org/confluence/display/WW/S2-057
https://cwiki.apache.org/confluence/display/WW/S2-057
https://www.us-cert.gov/ncas/current-activity/2018/08/22/Apache-Releases-Security-Update-Apache-Struts
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
https://www.imperva.com/blog/2018/08/read-apache-struts-patches-critical-vulnerability-cve-2018-11776