Lucene search

K
atlassianAminozhenkoATLASSIAN:CWD-4879
HistoryMar 10, 2017 - 4:31 a.m.

Apache Struts 2 Remote Code Execution (CVE-2017-5638)

2017-03-1004:31:09
aminozhenko
jira.atlassian.com
768

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%

Description
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd.

Affected versions:

  • All versions of Crowd from 2.8.3 before 2.9.7 (the fixed version for 2.9.x), from version 2.10.1 before 2.10.3 (the fixed version for 2.10.x) and from version 2.11.0 before 2.11.1 (the fixed version for 2.11.x) are affected by this vulnerability.

Fix:

Hotfix:
The preferred fix is to upgrade Crowd to a version that’s not vulnerable (see the Fix section). If you cannot schedule an upgrade immediately, and are using Crowd 2.10 or 2.11, you can replace the affected library as a temporary workaround.

To replace the library:

Stop Crowd

Download [struts2-core-2.3.32.jar|https://maven.atlassian.com/content/groups/public/org/apache/struts/struts2-core/2.3.32/struts2-core-2.3.32.jar]

Remove all existing copies of struts2-core-2.3.29.jar:

{code}
./crowd-openidclient-webapp/WEB-INF/lib/struts2-core-2.3.29.jar
./crowd-openidserver-webapp/WEB-INF/lib/struts2-core-2.3.29.jar
./crowd-webapp/WEB-INF/lib/struts2-core-2.3.29.jar
./demo-webapp/WEB-INF/lib/struts2-core-2.3.29.jar
{code}

Copy the downloaded struts2-core-2.3.32.jar into each of the lib/ directories you removed the jar from

Restart Crowd

This temporary solution is provided only for your convenience and an upgrade to an official Crowd release should be scheduled as soon as possible.

For additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html].

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%