It is possible to perform a RCE attack when the namespace value isn’t set for a result defined in underlying xml configurations and at the same time, its upper action(s) configurations have no or wildcard namespace. The same possibility exists when using the url tag which doesn’t have value and action set and at the same time, its upper action(s) configurations have no or wildcard namespace. – Apache Struts2 Team
On August 23, 2018, Apache Struts2 released its latest security bulletin: Apache Struts2 has a high-risk remote code execution vulnerability, reported by a security researcher from the Semmle Security Research team and numbered CVE-2018-11776 (S2-057). In a Struts2 XML configuration, if the namespace value is not set and the upper action configuration has no namespace or a wildcard namespace, remote code execution may result.
0x01 Vulnerability impact
Impact
CVE-2018-11776 is rated as a high-risk vulnerability.
In real-world scenarios there are some limitations: certain conditions must be met.
Affected versions
Struts 2.3 to 2.3.34
Struts 2.5 to 2.5.16
Fixed versions
Struts 2.3.35
Struts 2.5.17
0x02 Vulnerability verification
![](/Article/UploadPic/2018-8/2018823153240150.png)
Pass in the OGNL expression ${2333+2333}
![](/Article/UploadPic/2018-8/2018823153240244.png)
The expression is successfully passed into the execution function and executed
![](/Article/UploadPic/2018-8/2018823153240318.png)
The result is returned in the URL
0x03 Remediation recommendations
The official recommendation is to upgrade Struts to version 2.3.35 or version 2.5.17.
The updated versions have no compatibility issues.
0x04 Timeline
2018-08-22 Vulnerability disclosed
2018-08-22 360CERT published an early-warning analysis announcement