New: Aug. 22, 2018

There is a critical vulnerability, CVE-2018-11776, in Apache Struts 2. Struts is widely used as a development framework for the web presentation layer of Java applications. The vulnerability allows remote code execution: an unauthenticated attacker who can reach a vulnerable application over the network can execute arbitrary code on the server.

Recommendations:

  1. Take inventory of applications that may have Struts 2 integrated, including third-party products that bundle it, and check those vendors for patches or upgrades.
  2. Upgrade internal development products/services that use Struts 2 to a fixed release immediately (2.3.35 for the 2.3 branch, 2.5.17 for the 2.5 branch).
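The inventory step is the one most often done by hand. The script below is an added example, not part of this advisory, that walks a filesystem for Struts 2 core jars and reports whether each one is at or above the fixed release for its branch (2.3.35 or 2.5.17). It assumes the jar keeps the standard Maven file name `struts2-core-<version>.jar`; jars that have been renamed, shaded into a fat jar, or unpacked into classes will not be found this way and need a separate check.

```shell
#!/bin/sh
# Inventory Struts 2 core jars under a directory and compare each version
# against the fixed releases named in the advisory.
# Added example, not code from the Apache Struts project. Assumption: jars
# follow the Maven naming convention "struts2-core-<version>.jar".

FIXED_23=2.3.35
FIXED_25=2.5.17

# vercmp A B: return 0 if dotted version A >= B, 1 otherwise.
# Non-numeric suffixes (e.g. "-SNAPSHOT") are stripped before comparing.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in *.*) ax=${a%%.*}; a=${a#*.} ;; *) ax=$a; a= ;; esac
        case $b in *.*) bx=${b%%.*}; b=${b#*.} ;; *) bx=$b; b= ;; esac
        ax=$(printf '%s' "$ax" | sed 's/[^0-9].*//'); ax=${ax:-0}
        bx=$(printf '%s' "$bx" | sed 's/[^0-9].*//'); bx=${bx:-0}
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
    done
    return 0
}

# struts_status VERSION: print "patched", "vulnerable" or
# "unsupported-branch" (branches other than 2.3 and 2.5 have no fix
# listed in this advisory and must be reviewed separately).
struts_status() {
    v=$1
    case $v in
        2.3.*) fixed=$FIXED_23 ;;
        2.5.*) fixed=$FIXED_25 ;;
        *) echo "unsupported-branch"; return 0 ;;
    esac
    if vercmp "$v" "$fixed"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# inventory ROOT: one tab-separated line per jar found: status, version, path.
inventory() {
    find "$1" -type f -name 'struts2-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        name=${jar##*/}
        ver=${name#struts2-core-}
        ver=${ver%.jar}
        printf '%s\t%s\t%s\n' "$(struts_status "$ver")" "$ver" "$jar"
    done
}

# Usage: sh struts-inventory.sh /opt /srv   (one root per invocation)
if [ $# -gt 0 ]; then
    inventory "$1"
fi
```

Run it against every application root and deployment directory on a host (for example `/opt`, `/srv`, the Tomcat or JBoss deploy directories) and treat any `vulnerable` or `unsupported-branch` line as an item for recommendation 2. A `patched` result only shows that a fixed jar is present on disk; confirm the running application actually loads that jar rather than an older copy elsewhere on its classpath.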

Update Locations:

Struts 2.3 (fixed in 2.3.35): https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.35

Struts 2.5 (fixed in 2.5.17): https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.17

References:

https://semmle.com/news/apache-struts-CVE-2018-11776

https://www.zdnet.com/article/critical-remote-code-execution-flaw-in-apache-struts-exposes-the-enterprise-to-attack/