Description
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd.
Affected versions:
Fix:
Hotfix:
The preferred fix is to upgrade Crowd to a version that’s not vulnerable (see the Fix section). If you cannot schedule an upgrade immediately, and are using Crowd 2.10 or 2.11, you can replace the affected library as a temporary workaround.
To replace the library:
{code}
./crowd-openidclient-webapp/WEB-INF/lib/struts2-core-2.3.29.jar
./crowd-openidserver-webapp/WEB-INF/lib/struts2-core-2.3.29.jar
./crowd-webapp/WEB-INF/lib/struts2-core-2.3.29.jar
./demo-webapp/WEB-INF/lib/struts2-core-2.3.29.jar
{code}
This temporary solution is provided only for your convenience and an upgrade to an official Crowd release should be scheduled as soon as possible.
For additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html].