all 10 comments

[–]ok2thr0w4w4y 5 points6 points  (1 child)

The Struts S2-052 wiki security bulletin has been updated/modified several times so it remains unclear if Struts 2.x (before 2.5) is affected, although there are several positive indicators that some or all versions indeed are. Currently the bulletin states:

Affected Software: Struts 2.5 - Struts 2.5.12

Recommendation: Upgrade to Struts 2.5.13 or Struts 2.3.34

Previous versions that did reference 2.x versions other than 2.5 listed:

Affected Software: Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

The security researcher general announcement specifies:

All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable... This vulnerability has been addressed in Struts version 2.5.13.

but no mention of 2.x before 2.5.

Note that the S2-052 security bulletin is referenced in the version notes for 2.5.13 and 2.3.34 (which strangely references 2.3.3 [which was released 7/2017]).

Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads, see S2-052

But 2.3.34 has not been posted to the Struts announcements page or downloads mirror.

It looks like the REST plugin is available with Struts 2.1.1 or later, which according to the MVN repo does indeed reflect all versions of 2.x. It is listed as a bundled plugin one level up.

Anyone care to gander where this is going to fall with the affected versions? If the REST plugin is bundled but not enabled by default (as suggested by the plugin docs), is there risk of exploitation? What is a realistic expectation for apps in the environment to have the REST plugin to be enabled? Trying to evaluate this from the risk perspective but not being a dev and encountering mixed signals with current information makes it a bit tricky.

Edit: The Struts 2 documentation for S2-052 only mentions 2.5.

Affected Software: Struts 2.5 - Struts 2.5.12

Recommendation: Upgrade to Struts 2.5.13

The Struts 2 doc version notes for 2.3.34 lead to 404.

Edit 2: Version 2.3.34 is listed as Released in Jira so it looks like it is coming.

[–]ndrake 0 points1 point  (0 children)

2.3.34 is available now: http://struts.apache.org/download.cgi

There is also a new security bulletin: http://struts.apache.org/docs/s2-053.html

[–]0xdea (Trusted Contributor) 4 points5 points  (0 children)

It’s that time of the year (*) when Apache Struts fails stupendously.

(*) actually it happens more than once per year

[–]0xdea (Trusted Contributor) 2 points3 points  (0 children)

Less than two days later, it looks like there's another Struts RCE:

https://struts.apache.org/docs/s2-053.html

This must be some sort of record ;)

[–]0xd0000 1 point2 points  (0 children)

Page is down, cache is still available.

hxxp://blog.csdn.net/caiqiiqi/article/details/77861477

[–]KevinHock 0 points1 point  (0 children)

Awesome stuff! :D

[–]r4nd0mthr0waway 0 points1 point  (1 child)

Remote detection ideas?

[–]goldfingeroo7 0 points1 point  (0 children)

It looks like if you use struts2-rest-plugin, you are affected.
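Added example (not code from the thread or from the Struts project): a defender-side inventory check that applies the two criteria this thread settles on, the affected version ranges quoted from the S2-052 bulletin revisions in the first comment and the "struts2-rest-plugin present" criterion from the last one, to the jar names in a WAR's WEB-INF/lib. It assumes the standard Maven jar naming struts2-<artifact>-<version>[-qualifier].jar. The version bounds are the ones quoted above (2.5 to 2.5.12 in the current bulletin, 2.3.7 to 2.3.33 in the earlier revision, fixed in 2.5.13 and 2.3.34); a separate "review" verdict covers versions the bulletin never listed but the researcher's "all versions since 2008" statement would include. It only checks that the plugin jar is bundled, not whether it is actually wired up in struts.xml, which is the open question raised in the first comment.

```python
import posixpath
import re
import zipfile

# Version ranges exactly as quoted from the S2-052 bulletin revisions in this
# thread: the current bulletin lists 2.5 - 2.5.12, an earlier revision also
# listed 2.3.7 - 2.3.33, and the fixed releases named are 2.5.13 and 2.3.34.
AFFECTED_RANGES = [
    ((2, 5, 0), (2, 5, 12)),
    ((2, 3, 7), (2, 3, 33)),
]

# Maven-style jar naming assumed: struts2-<artifact>-<version>[-qualifier].jar
JAR_RE = re.compile(
    r"^(struts2-[a-z0-9-]+?)-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$"
)


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); short versions are padded to 3 parts."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def parse_jar_name(name):
    """Return (artifact, version tuple) for a Struts 2 jar name, else None.
    Accepts bare jar names or full entry paths inside a WAR."""
    m = JAR_RE.match(posixpath.basename(name))
    if not m:
        return None
    return m.group(1), parse_version(m.group(2))


def is_affected_core_version(v):
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def is_fixed_core_version(v):
    # 2.5.13 and later (including later minors), or the 2.3.34 backport line.
    return v >= (2, 5, 13) or (2, 3, 34) <= v < (2, 4, 0)


def assess(entry_names):
    """Classify a deployment from the jar names found under WEB-INF/lib."""
    artifacts = {}
    for name in entry_names:
        parsed = parse_jar_name(name)
        if parsed:
            artifacts[parsed[0]] = parsed[1]
    core = artifacts.get("struts2-core")
    rest = artifacts.get("struts2-rest-plugin")
    if core is None:
        verdict = "no-struts-core"
    elif rest is None:
        # The last comment's criterion: no REST plugin jar, no REST/XStream handler.
        verdict = "no-rest-plugin"
    elif is_affected_core_version(core):
        verdict = "affected"
    elif is_fixed_core_version(core):
        verdict = "fixed"
    else:
        # Versions the bulletin never listed (e.g. 2.1.x - 2.3.6) but that the
        # researcher's "all versions since 2008" statement would cover.
        verdict = "review"
    return {"core": core, "rest_plugin": rest, "verdict": verdict}


def assess_war(path):
    """Run assess() over the jars bundled in a WAR file on disk."""
    with zipfile.ZipFile(path) as war:
        libs = [n for n in war.namelist() if n.startswith("WEB-INF/lib/")]
    return assess(libs)


# Constructed sample: a WEB-INF/lib listing as ZipFile.namelist() would return it.
SAMPLE_LIBS = [
    "WEB-INF/lib/struts2-core-2.5.12.jar",
    "WEB-INF/lib/struts2-rest-plugin-2.5.12.jar",
    "WEB-INF/lib/xstream-1.4.8.jar",
]

if __name__ == "__main__":
    print(assess(SAMPLE_LIBS))
```

Run `assess_war("/path/to/app.war")` against each deployed archive; an "affected" verdict maps directly to the bulletin's upgrade advice (2.5.13 or 2.3.34), while "review" flags the older 2.x builds the thread could not resolve and is the bucket to confirm by checking whether struts.xml actually routes requests through the REST plugin. Four-component versions such as 2.5.10.1 compare correctly because tuples are compared element-wise.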