[cv-announce-l] Apache Struts 2 Vulnerabilities (CVE-2017-7525 & CVE-2017-15707)
- From: Andrew K Adams <akadams@psc.edu>
- To: cv-announce@trustedci.org
- Subject: [cv-announce-l] Apache Struts 2 Vulnerabilities (CVE-2017-7525 & CVE-2017-15707)
- Date: Fri, 8 Dec 2017 11:10:34 -0500
CI Operators and CI Developers
Two vulnerabilities [1][2] have been reported with the Apache Struts framework [3][4] that affect versions before 2.5.14.1 when used with the REST plugin.
Summary:
A malicious actor can exploit the more severe of the two vulnerabilities by submitting a specially crafted JSON packet. Once processed by the REST plugin, the actor may be able to execute arbitrary code in the context of the application. Versions of Struts before 2.5.14.1 are affected.
Recommendations:
Upgrade to 2.5.14.1.
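As an added example (not part of the original announcement), a small inventory check that applies the advisory's condition, Struts core older than 2.5.14.1 with the REST plugin present, to a list of jar file names from a deployment's classpath. The Maven-style jar naming it matches on is an assumption; the sample listing is constructed.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed release named in the advisory (S2-054 / S2-055).
FIXED_VERSION = "2.5.14.1"

# Maven-style jar names as Struts ships them; the exact naming is an assumption.
JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.14.1' -> (2, 5, 14, 1). Tuples compare numerically, and a shorter
    prefix such as (2, 5, 14) sorts before (2, 5, 14, 1), which is what we want."""
    return tuple(int(p) for p in v.split("."))


def version_before(v: str, fixed: str = FIXED_VERSION) -> bool:
    """True when v is older than the fixed release."""
    return parse_version(v) < parse_version(fixed)


def inventory(jar_names: Iterable[str]) -> Dict[str, str]:
    """Map Struts artifact name -> version for the jars found on a classpath."""
    found: Dict[str, str] = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def assess(jar_names: Iterable[str]) -> str:
    """Classify a deployment against the advisory:
    'no-struts' - no struts2-core jar present
    'no-rest'   - Struts present, REST plugin absent (not exposed via the REST plugin)
    'affected'  - REST plugin present and core older than 2.5.14.1
    'fixed'     - REST plugin present and core at or after 2.5.14.1"""
    found = inventory(jar_names)
    core = found.get("struts2-core")
    if core is None:
        return "no-struts"
    if "struts2-rest-plugin" not in found:
        return "no-rest"
    return "affected" if version_before(core) else "fixed"


# Constructed sample classpath listing (not taken from a real deployment).
SAMPLE_LIB = ["commons-io-2.5.jar", "struts2-core-2.5.13.jar",
              "struts2-rest-plugin-2.5.13.jar", "ognl-3.1.15.jar"]

if __name__ == "__main__":
    print(assess(SAMPLE_LIB))  # affected
```

The plugin jar normally ships with the same version as struts2-core, so the check compares the core version; a deployment reported as 'no-rest' should still be upgraded, it is just not exposed through the REST plugin.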
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15707
[3] https://cwiki.apache.org/confluence/display/WW/S2-054
[4] https://cwiki.apache.org/confluence/display/WW/S2-055
How CTSC can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. CTSC cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment, or if you have additional information about this issue that should be shared with the community.