Apache Struts Vulnerability (S2-057 / CVE-2018-11776)
Security alert, sectest.team. Published 30.08.2018, last modified 11.03.2019.

Original date: 22.08.2018
Overall risk classification: HIGH
UPDATE 30.08.2018: A public exploit for this vulnerability has been published on GitHub [3]. This lowers the bar for attackers considerably; make sure your Struts installation is updated.

Overview
Today (22.08.2018), the Apache Software Foundation announced a critical remote code execution (RCE) vulnerability in Apache Struts, tracked as S2-057 / CVE-2018-11776.
Whether the RCE attack can actually be performed depends on how namespaces are configured: affected are configurations in which the namespace is not set or a wildcard namespace is used [1].
If your project is affected, it is strongly recommended to update Struts to the latest version.

Systems Affected
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 [1, 2].

Threat
Risk: HIGH
If your project operates Apache Struts in a vulnerable version, the application is potentially vulnerable to remote code execution.
Remote code execution vulnerabilities allow attackers to take control of a vulnerable system. This can give an attacker an entry point into your corporate network and puts both infrastructure and data at risk.
Exploitability: MEDIUM
Whether a Struts application is actually exploitable depends largely on the exact configuration and architecture of the application. In particular, according to [1] the attack requires that struts.mapper.alwaysSelectFullNamespace is true (set explicitly or by a plugin such as the Convention plugin) and that actions or results are configured without a namespace or with a wildcard namespace. Details can be found in the original advisory [1] or in the "Was I vulnerable?" section of the Semmle write-up [2]: https://semmle.com/news/apache-struts-CVE-2018-11776#was-i-vulnerable
Priority (for affected, internet-exposed systems): HIGH
Priority (for internal systems): MEDIUM

Mitigation
Patched versions were released on the same day as the advisory.
Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17 [1].
If your system is vulnerable but Struts cannot be updated immediately, the advisory [1] describes a workaround: explicitly set a namespace for every result in your configuration, and set the value or action attribute of every url tag in your JSPs, wherever the enclosing action has no namespace or a wildcard namespace. Treat this only as a short-term measure; it does not replace updating Struts as soon as possible.

Author
Martin Schöne

References
[1] https://cwiki.apache.org/confluence/display/WW/S2-057
[2] https://semmle.com/news/apache-struts-CVE-2018-11776
[3] https://github.com/mazen160/struts-pwn_CVE-2018-11776
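To make the two facts this alert turns on checkable offline (the affected version ranges under Systems Affected, and the namespace conditions under Threat and Mitigation), here is an added Python triage script. It is not part of the original alert and not tooling from the Struts project. The struts.xml it parses is constructed for this example (package and class names are made up), the function names are the example's own, and the alwaysSelectFullNamespace precondition is taken from the Apache advisory [1]. It is a static triage aid, not a proof of exploitability.

```python
"""Offline triage for S2-057 / CVE-2018-11776 (added example, not the alert's own tooling).

Two checks a practitioner wants before deciding how urgently to patch:
  1. Is the deployed Struts version inside the affected ranges named in the alert?
  2. Does struts.xml define packages without a namespace (or with a wildcard
     namespace) while struts.mapper.alwaysSelectFullNamespace is true? Per the
     Apache advisory S2-057 [1] both conditions are needed for the RCE.
The struts.xml below is constructed for this example; the check is a static
triage aid and does not prove exploitability.
"""
import re
import xml.etree.ElementTree as ET

# From the alert: 2.3 to 2.3.34 and 2.5 to 2.5.16 are affected; 2.3.35 / 2.5.17 fix it.
AFFECTED_RANGES = (((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16)))

# Constructed sample: one package with no namespace, one with a wildcard,
# one explicitly namespaced, and the flag that makes the first two dangerous.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="wild" namespace="/api/*" extends="struts-default">
    <action name="ping" class="example.PingAction"/>
  </package>
  <package name="safe" namespace="/secure" extends="struts-default">
    <action name="login" class="example.LoginAction"/>
  </package>
</struts>
"""


def parse_version(text):
    """'2.5.16' -> (2, 5, 16); '2.3' -> (2, 3, 0). Non-numeric suffixes are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_version(text):
    """True if the version lies in one of the affected ranges from the alert."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_risky_packages(struts_xml):
    """Names of <package> elements whose namespace is unset, empty, or a wildcard.
    Actions in these packages take their namespace from the request URL."""
    root = ET.fromstring(struts_xml)
    return [pkg.get("name", "<unnamed>") for pkg in root.iter("package")
            if not pkg.get("namespace") or "*" in pkg.get("namespace")]


def always_select_full_namespace(struts_xml):
    """Value of struts.mapper.alwaysSelectFullNamespace in struts.xml (default false).
    The constant may also live in struts.properties or be set by the Convention
    plugin; check those separately in a real audit."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return const.get("value", "").strip().lower() == "true"
    return False


def triage(version, struts_xml):
    """Short verdict combining both checks."""
    if not is_affected_version(version):
        return "not affected: Struts %s is outside the S2-057 ranges" % version
    risky = find_risky_packages(struts_xml)
    if always_select_full_namespace(struts_xml) and risky:
        return ("UPGRADE NOW: vulnerable version, alwaysSelectFullNamespace=true, "
                "packages without explicit namespace: " + ", ".join(risky))
    return ("upgrade: vulnerable version; namespace preconditions not confirmed "
            "in struts.xml, review [1] before relying on that")


if __name__ == "__main__":
    for v in ("2.3.34", "2.5.16", "2.5.17"):
        print(v, "->", triage(v, SAMPLE_STRUTS_XML))
```

To use it on a real deployment, read your struts.xml into a string and pass it with the Struts version from your build (for example the struts2-core version in pom.xml) to triage(). Two caveats: the flag can also come from struts.properties or from the Convention plugin, which this script does not read, and the script does not inspect JSP url tags, which the workaround in [1] also covers. A "vulnerable version" verdict should therefore always lead to an upgrade regardless of what the namespace check reports.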