Struts 2 exposes another remote code execution vulnerability, S2-037 (CVE-2016-4438) - vulnerability warning - the black bar safety net

2016-06-16T00:00:00
ID MYHACK58:62201675946
Type myhack58
Reporter Anonymous
Modified 2016-06-16T00:00:00

Description

In April this year, the S2-033 remote code execution vulnerability was found in Apache Struts 2 and swept across the Internet with lightning speed. Exploit code for it spread widely within a very short time, and the official fix for this high-risk vulnerability turned out to be ineffective. Today the same tragedy has happened again: a new Struts 2 vulnerability, CVE-2016-4438, has been found. It is also a very serious remote code execution vulnerability, and users of the REST plugin are affected. The vulnerability details are as follows:

Apache Struts 2 S2-037 remote code execution
Vulnerability ID: CVE-2016-4438
Vulnerability hazard: remote code execution
Vulnerability rating: high risk
Affected versions: Apache Struts 2.3.20 - 2.3.28.1, for users of the REST plugin
Solution: filter action names through cleanupActionName, or update to the official Struts 2.3.29

FreeBuf encyclopedia: Struts 2
Apache Struts 2 is the world's most popular Java web server framework and is one of the replacement products for Struts: it is a new framework produced by combining Struts 1 and WebWork technology. The Struts 2 architecture differs greatly from the Struts 1 architecture. Struts 2 takes WebWork as its core and uses an interceptor mechanism to handle user requests; this design also completely decouples the business logic controller from the Servlet API, so Struts 2 can be understood as the successor product of WebWork. Although much has changed from Struts 1 to Struts 2, relative to WebWork, Struts 2 has changed little.

myhack58 will continue to track and report the vulnerability details and subsequent developments; please stay tuned.
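The solution line above says REST-plugin action names should be filtered through cleanupActionName before use. The following is an added illustration of that defensive idea and is not code from the Struts project or from this advisory; the class name ActionNameGuard, the method names and the exact allowlist pattern are assumptions chosen for the example, not the framework's own implementation.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative allowlist check for Struts-style action names (added example,
 * not the Struts project's own code). The idea behind the S2-037 remediation is
 * that an action name taken from the request must be validated against a strict
 * allowlist before it reaches any code that could interpret it as an expression.
 */
public final class ActionNameGuard {

    // Assumption: a conservative allowlist of letters, digits, '.', '_', '!', '/', '-'.
    // Braces, parentheses, '#', '@', '%', quotes and whitespace all fall outside it,
    // so anything resembling expression syntax is rejected outright.
    private static final Pattern ALLOWED = Pattern.compile("^[a-zA-Z0-9._!/\\-]*$");

    private ActionNameGuard() {}

    /** Returns true only if the raw name consists entirely of allowlisted characters. */
    public static boolean isSafeActionName(String raw) {
        return raw != null && ALLOWED.matcher(raw).matches();
    }

    /**
     * Cleans a name the way a mapper should: reject (throw) rather than try to
     * "repair" a suspicious value, so the request is dropped instead of being
     * reinterpreted further down the pipeline.
     */
    public static String cleanupActionName(String raw) {
        if (!isSafeActionName(raw)) {
            throw new IllegalArgumentException("Rejected action name: " + raw);
        }
        return raw;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: ordinary REST-style names plus malformed ones.
        List<String> samples = List.of(
            "orders",
            "orders/42",
            "orders!edit",
            "orders/42.json",
            "orders%7B",     // percent-encoded brace that a proxy failed to decode
            "orders{1}",     // brace syntax, not a legitimate action name
            "orders 42"      // whitespace
        );
        for (String s : samples) {
            System.out.printf("%-20s -> %s%n", s, isSafeActionName(s) ? "accepted" : "rejected");
        }
    }
}
```

The point of the check is the failure mode: a mapper that silently strips or rewrites unexpected characters can still hand a reinterpreted value to the next stage, whereas rejecting the request keeps the unexpected input out of every downstream component. Upgrading to the fixed Struts release remains the primary remediation; a filter like this is defence in depth in front of it.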

Online detection

The vulbox risk perception system at cvs.vulbox.com now supports detection of this vulnerability. You can apply for a trial of the vulnerability perception service.