Apache Struts Remote Code Execution Vulnerability (CVE-2018-11776)

On This Page

Security Alerts

June 18, 2020

Jun 18
Vulnerability in iOS Mail App

March 24, 2020

Mar 24
Windows Zero-Day Exploit: Type 1 Font Parsing Remote Code Execution Vulnerability

March 13, 2020

Mar 13
Patch IMMEDIATELY – Microsoft SMBv3 Compression - Wormable RCE Vulnerability - CVE-2020-0796

January 14, 2020

Jan 14
Patch IMMEDIATELY! - Microsoft Remote Desktop Gateway Remote Code Execution Vulnerability (CVE-2020-0610)
Jan 14
Patch IMMEDIATELY! - Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
News Archive
August 23, 2018
Josh Kwan

Summary

A critical remote code execution vulnerability has been discovered in Apache Struts, a popular open source framework for developing web applications in the Java programming language. [1] In the past, Apache Struts RCE vulnerabilities have been weaponized in less than 24 hours -- one of which resulted in the Equifax breach that totaled over $600 million in cost. [2]

It is recommended that you upgrade immediately if you are using Apache Struts, or contact your vendor if you manage vendor applications that rely on Apache Struts.

Impact

Attackers may be able to remotely execute arbitrary code against vulnerable Apache Struts installations. [1]

Vulnerable

  • Apache Struts 2.3 through 2.3.34
  • Apache Struts 2.5 through 2.5.16
  • Unsupported (end-of-life) versions of Apache Struts may also be vulnerable [1]

Recommendations

  • Upgrade immediately to Apache Struts 2.3.35 or 2.5.17
  • Contact your vendor for security patches if you manage vendor applications that utilize Apache Struts

References

[1] https://cwiki.apache.org/confluence/display/WW/S2-057

[2] https://semmle.com/news/apache-struts-CVE-2018-11776

[3] https://nvd.nist.gov/vuln/detail/CVE-2018-11776