CVE-2018-11776: Apache Struts2 S2-057 RCE Vulnerability Alert

Recently, security researchers found a high-risk vulnerability in Apache Struts2. On August 23, 2018, the Apache Struts2 project released its latest security bulletin, disclosing a high-risk remote code execution vulnerability. The vulnerability was reported by a security researcher at the Semmle Security Research team and was assigned CVE-2018-11776 (S2-057). Struts2 can be driven to remote code execution when a result defined in the XML configuration has no namespace value set and, at the same time, the enclosing action configuration(s) either have no namespace or use a wildcard namespace.
“It is possible to perform an RCE attack when the namespace value isn’t set for a result defined in underlying XML configurations and, at the same time, its upper action(s) configurations have no or wildcard namespace. The same possibility exists when using the url tag which doesn’t have value and action set and, at the same time, its upper action(s) configurations have no or wildcard namespace,” (Apache Struts2 Team)
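The following struts.xml fragment is an added example, not part of the advisory or of the Struts project, showing the configuration pattern the bulletin describes next to a corrected form; the package, action and class names are hypothetical.

```xml
<!-- Added example (not from the advisory): a struts.xml pattern that matches the
     S2-057 condition, followed by a corrected version. Package, action and class
     names are hypothetical. -->
<struts>
  <!-- RISKY: the package declares no namespace, and the redirectAction result
       names no namespace of its own. On Struts 2.3 up to 2.3.34 and 2.5 up to
       2.5.16 this is the combination the advisory warns about. -->
  <package name="example" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>

  <!-- HARDENED: explicit, non-wildcard namespace on the package and on the
       result, so the redirect target is fully fixed by configuration. This is a
       defence-in-depth measure; the actual fix is upgrading to 2.3.35 / 2.5.17. -->
  <package name="example-fixed" namespace="/app" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
```

When auditing, look for every redirectAction or chain result (and every url tag without action and value) whose enclosing package has no namespace attribute or a wildcard one, and add an explicit namespace alongside the version upgrade.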

Affected versions

  • Struts 2.3 to 2.3.34
  • Struts 2.5 to 2.5.16

Unaffected versions

  • Struts 2.3.35
  • Struts 2.5.17

Solution

Upgrade to an unaffected version: Struts 2.3.35 for the 2.3 branch or Struts 2.5.17 for the 2.5 branch.