====================================================================
                            CERT-Renater

                 Information Note No. 2018/VULN258
_____________________________________________________________________

DATE                 : 31/08/2018

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Struts versions 2.3, 2.5 prior to
                       2.3.35, 2.5.17.

=====================================================================
https://cwiki.apache.org/confluence/display/WW/S2-057
_____________________________________________________________________

S2-057

Summary

Possible Remote Code Execution when using results with no namespace
while, at the same time, their upper action(s) have no or wildcard
namespace. Same possibility when using a url tag which doesn’t have
value and action set.

Who should read this     : All Struts 2 developers and users

Impact of vulnerability  : Possible Remote Code Execution when using
                           results with no namespace while, at the same
                           time, their upper action(s) have no or
                           wildcard namespace. Same possibility when
                           using a url tag which doesn’t have value and
                           action set.

Maximum security rating  : Critical

Recommendation           : Upgrade to Struts 2.3.35 or Struts 2.5.17

Affected Software        : Struts 2.3 - Struts 2.3.34,
                           Struts 2.5 - Struts 2.5.16

Reporter                 : Man Yue Mo from the Semmle Security Research
                           team

CVE Identifier           : CVE-2018-11776

Problem

It is possible to perform an RCE attack when the namespace value isn't
set for a result defined in underlying configurations while, at the
same time, its upper action(s) configurations have no or wildcard
namespace. The same is possible when using a url tag which doesn’t have
value and action set while, at the same time, its upper action(s)
configurations have no or wildcard namespace.

Solution

Upgrade to Apache Struts version 2.3.35 or 2.5.17.

Backward compatibility

Both 2.3.35 and 2.5.17 versions contain the security fixes only,
nothing more. No backward incompatibility issues are expected.

We do get reports that in some cases backward compatibility issues can
occur; they are related to the usage of ArrayList directly in
conversion logic. You should see a WARN in the logs that the ArrayList
is excluded. In such a case, please define the below constant in your
struts.xml

We are working on a new release to fix that problem.

Workaround

This is a temporary, weak workaround. Please upgrade to Apache Struts
version 2.3.35 or 2.5.17 ASAP because they also contain critical
overall proactive security improvements.

Verify that you have set (and never forget to set) namespace (if
applicable) for all your defined results in underlying configurations.
Also verify that you have set (and never forget to set) value or action
for all url tags in your JSPs. Both are needed only when their upper
action(s) configurations have no or wildcard namespace.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================
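
The two verifications listed under "Workaround" above can be scripted.
The following is an added example, not part of the CERT-Renater note or
the Apache bulletin: it flags results without a namespace param inside
packages that have no or wildcard namespace, and url tags with neither
value nor action. Assumptions not stated in the advisory: the result
types that take a namespace param (redirectAction, chain, postback), the
"s" taglib prefix, and the constructed sample inputs.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: result types that accept a "namespace" param (not listed in the advisory).
NAMESPACE_RESULT_TYPES = {"redirectAction", "chain", "postback"}
URL_TAG = re.compile(r"<s:url\b([^>]*)>")  # assumes the conventional "s" taglib prefix
VALUE_OR_ACTION = re.compile(r"""\b(?:value|action)\s*=\s*["']""")

# Constructed sample inputs, not taken from any real application.
SAMPLE_STRUTS_XML = """<struts>
  <package name="open" extends="struts-default">
    <action name="save" class="demo.Save">
      <result type="redirectAction"><param name="actionName">list</param></result>
      <result name="error">/error.jsp</result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="save" class="demo.Save">
      <result type="redirectAction">list</result>
    </action>
  </package>
</struts>"""
SAMPLE_JSP = '<s:url var="u"/>\n<s:url action="list" var="v"/>\n<s:url value="/x"/>\n'

def risky_namespace(ns):
    """True when a package has no namespace (absent or empty) or a wildcard one."""
    return ns is None or ns.strip() == "" or "*" in ns

def audit_struts_xml(xml_text):
    """Return (package, action, result) for results that lack a namespace param."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        if not risky_namespace(pkg.get("namespace")):
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                params = {p.get("name") for p in result.iter("param")}
                if result.get("type") in NAMESPACE_RESULT_TYPES and "namespace" not in params:
                    findings.append((pkg.get("name"), action.get("name"),
                                     result.get("name", "success")))
    return findings

def audit_jsp(jsp_text):
    """Return 1-based line numbers of <s:url> tags with neither value nor action."""
    return [jsp_text.count("\n", 0, m.start()) + 1
            for m in URL_TAG.finditer(jsp_text) if not VALUE_OR_ACTION.search(m.group(1))]

if __name__ == "__main__":
    print(audit_struts_xml(SAMPLE_STRUTS_XML), audit_jsp(SAMPLE_JSP))
```

The audit only looks at results declared under an action and does not
follow a package's default result type, so treat an empty report as a
first pass rather than proof that the configuration is clean.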