- From: Warren Raquel <wraquel@illinois.edu>
- To: <cv-announce@trustedci.org>
- Subject: [cv-announce-l] Apache Struts 2 Vulnerability (CVE-2017-9805)
- Date: Wed, 6 Sep 2017 17:37:27 -0500
- Organization: National Center for Supercomputing Applications
CI Operators and CI Developers,
A critical vulnerability [1] has been identified in the Apache Struts
framework [2], versions 2.5 to 2.5.12, that when used with the REST plugin
[3] can allow for remote code execution.
Impact:
A malicious actor can execute arbitrary code on any server running an
application built using the Struts framework and the REST communication
plugin, due to a flaw in the way the XStream handler deserializes XML
requests.
Affected Software:
Apache Struts 2.5 - 2.5.12 (when used with the REST plugin)
Mitigation/Remediation:
Upgrade Struts to version 2.5.13.
Recommendations:
We recommend patching as soon as possible and most certainly within your next
maintenance cycle. Focus on systems that have shared access with untrusted
users and/or processes.
References:
[1]
https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/
[2] https://struts.apache.org/docs/s2-052.html
[3] http://struts.apache.org/docs/rest-plugin.html
How CTSC can help:
The potential impact of any vulnerability, and therefore the appropriate
response, depends in part on operational conditions that are unique to each
cyberinfrastructure deployment. CTSC cannot provide a one-size-fits-all
severity rating and response recommendation for all NSF cyberinfrastructure.
Please contact us (http://trustedci.org/help/) if you need assistance with
assessing the potential impact of this vulnerability in your environment
and/or you have additional information about this issue that should be shared
with the community.
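Added example, not part of the advisory or of the Struts project: a Python check that reads a Maven pom.xml and flags the exact combination the advisory describes, struts2-core in the 2.5 to 2.5.12 range declared together with the struts2-rest-plugin dependency. The sample POM is constructed input, the range constants are taken from the advisory's numbers, and ${property} references in versions are resolved so it also works on POMs that pin the version in a property.

```python
"""Added example (not the advisory's code): flag a Maven pom.xml that declares
struts2-core 2.5..2.5.12 together with struts2-rest-plugin (CVE-2017-9805).
SAMPLE_POM is constructed input, not taken from any real project."""
import re
import xml.etree.ElementTree as ET

FIRST_AFFECTED = (2, 5, 0)   # advisory: 2.5 - 2.5.12 affected
FIXED = (2, 5, 13)           # advisory: upgrade to 2.5.13

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.5.12</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId>
      <version>${struts.version}</version></dependency>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version></dependency>
  </dependencies></project>"""

def local(tag):
    """Strip the XML namespace so the POM namespace prefix does not matter."""
    return tag.rsplit("}", 1)[-1]

def parse_version(text):
    """'2.5.12' -> (2, 5, 12); '2.5' -> (2, 5, 0) so ranges compare cleanly."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def struts_dependencies(pom_xml):
    """Return {artifactId: resolved version} for org.apache.struts dependencies."""
    root = ET.fromstring(pom_xml)
    props = {local(c.tag): (c.text or "").strip()
             for p in root.iter() if local(p.tag) == "properties" for c in p}
    found = {}
    for dep in (el for el in root.iter() if local(el.tag) == "dependency"):
        f = {local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") != "org.apache.struts":
            continue
        # Resolve ${struts.version}-style property references in the version.
        found[f.get("artifactId")] = re.sub(
            r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), f.get("version", ""))
    return found

def is_affected(pom_xml):
    """True only when the REST plugin is declared and core is in 2.5..2.5.12."""
    deps = struts_dependencies(pom_xml)
    if "struts2-rest-plugin" not in deps or "struts2-core" not in deps:
        return False
    return FIRST_AFFECTED <= parse_version(deps["struts2-core"]) < FIXED
```

Run `is_affected()` over each build's POM; a true result means the upgrade to 2.5.13 the advisory calls for is still outstanding for that application.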