cv-announce-l - [cv-announce-l] Apache Struts 2 Vulnerability (CVE-2017-9805)


cv-announce-l@list.iu.edu

Subject: cv alerts list



  • From: Warren Raquel <wraquel@illinois.edu>
  • To: <cv-announce@trustedci.org>
  • Subject: [cv-announce-l] Apache Struts 2 Vulnerability (CVE-2017-9805)
  • Date: Wed, 6 Sep 2017 17:37:27 -0500
  • Organization: National Center for Supercomputing Applications

CI Operators and CI Developers

A critical vulnerability [1] has been identified in the Apache Struts
framework [2], versions 2.5 to 2.5.12, that when used with the REST plugin
[3] can allow for remote code execution.

Impact:
A malicious actor can execute arbitrary code on any server running an
application built using the Struts framework and the REST communication
plugin, due to a flaw in the way the XStream handler deserializes XML
requests.

Affected Software:
Apache Struts 2.5 - 2.5.12 (when used with the REST plugin)

Mitigation/Remediation:
Upgrade Struts to version 2.5.13.

Recommendations:
We recommend patching as soon as possible and most certainly within your next
maintenance cycle. Focus on systems that have shared access with untrusted
users and/or processes.

References:
[1] https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/
[2] https://struts.apache.org/docs/s2-052.html
[3] http://struts.apache.org/docs/rest-plugin.html

How CTSC can help:
The potential impact of any vulnerability, and therefore the appropriate
response, depends in part on operational conditions that are unique to each
cyberinfrastructure deployment. CTSC cannot provide a one-size-fits-all
severity rating and response recommendation for all NSF cyberinfrastructure.
Please contact us (http://trustedci.org/help/) if you need assistance with
assessing the potential impact of this vulnerability in your environment
and/or you have additional information about this issue that should be shared
with the community.

Attachment: signature.asc
Description: OpenPGP digital signature
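The advisory above scopes the exposure by two conditions: the Struts core version (2.5 through 2.5.12) and the presence of the REST plugin. The following inventory check is an added example, not part of the list post or of the Struts project, that encodes exactly those two conditions so an operator can triage a set of deployments before the maintenance window. It assumes (these are assumptions, not stated in the advisory) that Struts ships in a lib directory as Maven-style jar names such as struts2-core-<version>.jar and struts2-rest-plugin-<version>.jar; the deployment listings are constructed sample data. The check encodes only the range the advisory states; it says nothing about other Struts branches.

```python
"""Triage helper for CVE-2017-9805 exposure (added example, not the advisory's code).

Assumptions (not stated in the advisory):
- Struts core is present as struts2-core-<version>.jar and the REST plugin
  as struts2-rest-plugin-<version>.jar (the published Maven artifact names).
- A deployment is represented by the file names in its lib directory.
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Affected range as stated in the advisory: 2.5 through 2.5.12, only when
# the REST plugin is also deployed. Fixed in 2.5.13.
AFFECTED_MIN = (2, 5, 0)
AFFECTED_MAX = (2, 5, 12)
FIXED_VERSION = "2.5.13"

# Matches the two jar names we care about and captures kind and version.
JAR_RE = re.compile(r"^struts2-(core|rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5' into (2, 5, 0) so that '2.5' and '2.5.0' compare equal."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(core_version: str, rest_plugin_present: bool) -> bool:
    """Both advisory conditions must hold: version in range AND REST plugin present."""
    version = parse_version(core_version)
    return rest_plugin_present and AFFECTED_MIN <= version <= AFFECTED_MAX


def scan_jar_names(names: Iterable[str]) -> Dict[str, object]:
    """Classify one deployment from the jar names found in its lib directory."""
    core: Optional[str] = None
    rest: Optional[str] = None
    for name in names:
        match = JAR_RE.match(name)
        if not match:
            continue
        kind, version = match.group(1), match.group(2)
        if kind == "core":
            core = version
        else:
            rest = version
    affected = is_affected(core, rest is not None) if core else False
    return {"core": core, "rest_plugin": rest, "affected": affected}


def scan_lib_dir(path: str) -> Dict[str, object]:
    """Run the same classification against a real directory (e.g. WEB-INF/lib)."""
    return scan_jar_names(os.listdir(path))


def affected_deployments(deployments: Dict[str, List[str]]) -> List[str]:
    """Return the names of deployments that meet both advisory conditions."""
    return sorted(n for n, jars in deployments.items() if scan_jar_names(jars)["affected"])


# Constructed sample inventory (not real systems):
# app-a: in-range core with the REST plugin -> affected
# app-b: in-range core, no REST plugin      -> not affected per the advisory
# app-c: already on the fixed release        -> not affected
SAMPLE_DEPLOYMENTS = {
    "app-a": ["struts2-core-2.5.10.jar", "struts2-rest-plugin-2.5.10.jar"],
    "app-b": ["struts2-core-2.5.10.jar", "commons-lang3-3.6.jar"],
    "app-c": ["struts2-core-2.5.13.jar", "struts2-rest-plugin-2.5.13.jar"],
}

if __name__ == "__main__":
    for name, jars in SAMPLE_DEPLOYMENTS.items():
        result = scan_jar_names(jars)
        print(f"{name}: core={result['core']} rest={result['rest_plugin']} "
              f"affected={result['affected']} (upgrade target {FIXED_VERSION})")
```

The split into is_affected and scan_jar_names keeps the advisory's two conditions separate from the jar-naming assumption, so a site whose build repackages Struts under different names only has to replace the scanner, not the range logic. Note that the 2.5 lower bound is handled by padding short version strings, which is why "2.5" and "2.5.0" both fall inside the range.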
