Security scanners may report this issue as a critical-severity vulnerability for Apache Struts packages used in the eDiscovery Platform.
The affected versions noted above are exposed to possible Remote Code Execution when results are used with no namespace and, at the same time, their upper action(s) specify no namespace or use a wildcard namespace.
The conditions required for this vulnerability to exist are:
1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration.
2. The application uses result, action, or url tags that are configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”).
(Reference: https://semmle.com/news/apache-struts-CVE-2018-11776)
These two conditions are possible only in Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16; therefore, the eDiscovery Platform, which uses Apache Struts version 1.2.x, is unaffected by CVE-2018-11776.
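
The version ranges and the two conditions above can be checked mechanically when triaging a scanner finding. The Python sketch below is an added example, not part of the original article or any vendor tooling. It assumes the flag is set as the `struts.mapper.alwaysSelectFullNamespace` constant in struts.xml and that namespaces are declared on `<package>` elements; the sample configuration and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the article: 2.3 to 2.3.34 and 2.5 to 2.5.16.
AFFECTED = [((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16))]

# Constructed sample struts.xml (DOCTYPE omitted for brevity).
SAMPLE = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="public" extends="struts-default">
    <action name="help"><result type="redirectAction">index</result></action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="home"><result>/home.jsp</result></action>
  </package>
</struts>
"""

def version_affected(version):
    """True if a Struts version string falls inside an affected range."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    v = tuple(nums + [0] * (3 - len(nums)))  # "2.5" -> (2, 5, 0)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def audit_struts_xml(xml_text):
    """Return (flag_enabled, risky_packages) for one struts.xml document."""
    root = ET.fromstring(xml_text)
    # Condition 1: alwaysSelectFullNamespace set to true.
    flag = any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant"))
    # Condition 2: packages with actions but no namespace, or a wildcard one.
    risky = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if pkg.find("action") is not None and (ns is None or "*" in ns):
            risky.append(pkg.get("name", "?"))
    return flag, risky

def exposed(version, xml_text):
    """All of the article's preconditions hold for this version and config."""
    flag, risky = audit_struts_xml(xml_text)
    return version_affected(version) and flag and bool(risky)

if __name__ == "__main__":
    for ver in ("1.2.9", "2.3.34", "2.5.17"):
        print(ver, "exposed" if exposed(ver, SAMPLE) else "not exposed")
```

The check reads only struts.xml, so a flag set elsewhere (for example in struts.properties) or url tags in JSP templates need a separate review.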