Have been notified of a Struts 2 vulnerability. Has anyone run into this or have any info?
Stat 5.8.0 Hf-c and 5.8.1 HF-e, 6.0 and 6.1 include Struts 2.3.32. Below is a list of vulnerability fixes that were included in Struts 2.3.33 and Struts 2.3.34:
• S2-048 — Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series
  Stat does not have the Struts 1 plugin
• S2-049 — A DoS attack is available for Spring secured actions
  That refers to Spring AOP, which is not used by Stat
• S2-050 — A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)
  Stat does not use URLValidator
• S2-051 — A remote attacker may create a DoS attack by sending a crafted XML request when using the Struts REST plugin
  Stat does not use the Struts REST plugin
• S2-052 — Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads
• S2-053 — A possible Remote Code Execution attack when using an unintentional expression in a Freemarker tag instead of string literals
  Stat does not use the vulnerable Freemarker tag
For more info on Struts2 latest patches you may refer to:
Of course, if you get info related to new Struts vulnerability, please immediately let support know. Thank you.
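The reasoning in the reply above (which advisories depend on an optional plugin jar, which depend on a feature of struts2-core) can be turned into a quick inventory check of a deployment's WEB-INF/lib. The script below is an added example, not code from the thread or from Stat; it assumes the standard Maven jar naming `struts2-<artifact>-<version>.jar`, treats 2.3.34 as the release containing all fixes listed above, and runs on a constructed sample listing.

```python
"""Inventory a Struts 2 lib directory against the S2-048..S2-053 list above."""
import re
from pathlib import Path

# Per the list above, the fixes for S2-048..S2-053 are in 2.3.33/2.3.34.
FIXED_VERSION = (2, 3, 34)

# Advisories that only apply when an optional plugin jar is deployed.
PLUGIN_ADVISORIES = {
    "struts2-struts1-plugin": ["S2-048"],
    "struts2-rest-plugin": ["S2-051", "S2-052"],
}
# Advisories in struts2-core itself that depend on a feature being used;
# the jar listing cannot decide these, so they are reported for manual review.
CORE_FEATURE_ADVISORIES = {
    "S2-049": "Spring AOP secured actions",
    "S2-050": "URLValidator",
    "S2-053": "Freemarker tag with non-literal expression",
}

# Assumed Maven naming convention: struts2-<artifact>-<version>.jar
JAR_RE = re.compile(r"^(?P<name>struts2-[a-z0-9-]+?)-(?P<ver>\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def assess(jar_names):
    """Return core version, fix status, deployed plugins and which advisories still apply."""
    core, plugins = None, []
    for jar in jar_names:
        m = JAR_RE.match(jar)
        if not m:
            continue
        name, ver = m.group("name"), parse_version(m.group("ver"))
        if name == "struts2-core":
            core = ver
        elif name in PLUGIN_ADVISORIES:
            plugins.append(name)
    result = {"core_version": core, "below_fix": None, "plugins": sorted(plugins),
              "plugin_advisories": [], "feature_checks": []}
    if core is None:
        return result  # no struts2-core jar found: nothing to assess
    result["below_fix"] = core < FIXED_VERSION
    if result["below_fix"]:
        for plugin in result["plugins"]:
            result["plugin_advisories"] += PLUGIN_ADVISORIES[plugin]
        result["feature_checks"] = list(CORE_FEATURE_ADVISORIES)
    return result


def scan_lib(lib_dir):
    return assess(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed sample listing, not taken from a real Stat installation.
SAMPLE_LIB = ["struts2-core-2.3.32.jar", "xwork-core-2.3.32.jar", "ognl-3.0.19.jar",
              "struts2-rest-plugin-2.3.32.jar", "freemarker-2.3.22.jar"]
```

Running `scan_lib("/path/to/WEB-INF/lib")` against an installed 2.3.32 reports it as below the fix level, lists any plugin-specific advisories, and flags the feature-dependent ones for the kind of review the reply above describes.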