Apache has recently patched a critical vulnerability that affects all versions of Apache Struts 2. CVE-2018-11776 affects commonly used endpoints of Struts. The endpoints are likely to be exposed which opens an attack vector for attackers. The “weakness” is linked to the Struts OGNL language, which is known to have been exploited in the past. Researchers claim that, “if the alwaysSelectFullNamespace flag is set to true in the Struts configuration, which is automatically the case when the Struts Convention plugin is in use, or if a user’s Struts configuration file contains a tag that does not specify the optional namespace attribute or specifies a wildcard namespace, it is likely the build is vulnerable to attack.” For companies that use the open source framework, they are advised to update their builds as soon as possible. For users using Struts 2.3, it is recommended to update to 2.3.35 and for users using 2.5, it is recommended to upgrade to 2.5.17. The vulnerability was first discovered in April of this year and an official patch was released on August 22nd.
Apache Patches Critical Security Vulnerability
August 30, 2018