Apache Struts undefined namespace vulnerability

2018-09-05T00:00:00
ID SAINT:8F4CF211E89B7CA1DE2C8EBB87C3C1AD
Type saint
Reporter SAINT Corporation
Modified 2018-09-05T00:00:00

Description

Added: 09/05/2018
BID: 105125

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

Problem

A remote attacker can execute arbitrary commands on the server when a Struts action has an undefined namespace.

Resolution

Upgrade to Struts 2.3.35 or 2.5.17, or a later release on either branch.
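As an added example that is not part of the SAINT advisory or the Struts project, the following Python turns the Problem and Resolution sections into two defender-side inventory checks: whether a reported Struts version is at or above the fixed releases named above, and which `<package>` elements in a `struts.xml` declare no namespace (the "undefined namespace" condition the advisory describes). The sample `struts.xml`, the version strings and the function names are constructed for this example; treating branches newer than 2.5 as carrying the fix is an assumption that follows the "or higher" wording.

```python
"""Inventory checks for the Struts undefined-namespace issue (S2-057).

Added example, not part of the SAINT advisory. The fixed versions come from
the advisory's Resolution section; everything else here is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Minimum fixed release per maintained branch, taken from the Resolution.
FIXED_VERSIONS = {
    (2, 3): (2, 3, 35),
    (2, 5): (2, 5, 17),
}


def parse_version(text):
    """Turn '2.3.34' (or '2.3.34-SNAPSHOT') into the tuple (2, 3, 34)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(version):
    """True when the version is at or above the fixed release for its branch.

    Assumption: branches newer than 2.5 carry the fix ("or higher"); branches
    older than 2.3 predate it and are reported as unpatched.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[branch]
    return branch > (2, 5)


# Constructed struts.xml: the 'default' package declares no namespace,
# the 'admin' package does.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
  "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
  "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <package name="default" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="dashboard" class="example.DashboardAction">
      <result>/dashboard.jsp</result>
    </action>
  </package>
</struts>
"""


def packages_without_namespace(struts_xml):
    """Return the names of <package> elements with no (or an empty) namespace.

    Actions inside such a package are the 'undefined namespace' case the
    advisory refers to. ElementTree does not fetch the external DTD.
    """
    root = ET.fromstring(struts_xml)
    return [
        pkg.get("name", "<unnamed>")
        for pkg in root.iter("package")
        if not pkg.get("namespace")
    ]


def assess(version, struts_xml):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if not is_patched(version):
        findings.append(
            f"Struts {version} is below the fixed release; "
            "upgrade to 2.3.35 / 2.5.17 or higher"
        )
    for name in packages_without_namespace(struts_xml):
        findings.append(f"package '{name}' has no explicit namespace")
    return findings


if __name__ == "__main__":
    for finding in assess("2.5.16", SAMPLE_STRUTS_XML):
        print("FINDING:", finding)
```

Run it against the real `struts.xml` of a deployment and the version reported by the application's bundled Struts jar; a package flagged here is worth reviewing for an explicit `namespace` attribute regardless of version, since the version check only tells you whether the fix in the Resolution is present.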

References

<https://cwiki.apache.org/confluence/display/WW/S2-057>
<https://github.com/jas502n/St2-057>