Struts 2 vulnerability

Have been notified of a Struts 2 vulnerability.  Has anyone run into this or have any info?

  • Stat 5.8.0 HF-c and 5.8.1 HF-e, 6.0 and 6.1 include Struts 2.3.32. Below is a list of vulnerability fixes that were included in Struts 2.3.33 and Struts 2.3.34:

    • S2-048 — Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series

      Stat does not have the Struts 1 plugin

    • S2-049 — A DoS attack is available for Spring secured actions

      That refers to Spring AOP, which is not used by Stat

    • S2-050 — A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)

      Stat does not use URLValidator

    • S2-051 — A remote attacker may create a DoS attack by sending a crafted XML request when using the Struts REST plugin

      Stat does not use the Struts REST plugin

    • S2-052 — Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads

      Stat does not use the Struts REST plugin

    • S2-053 — A possible Remote Code Execution attack when using an unintentional expression in a Freemarker tag instead of string literals

      Stat does not use the vulnerable Freemarker tag

    For more info on the latest Struts 2 patches you may refer to:

    and

    Of course, if you get info related to new Struts vulnerability, please immediately let support know. Thank you.

  • In reply to Nanci.Chau:

    Hi Nanci,

    Thanks for this information. Even though you provided those explanations, the folks in our Security organization are asking why Stat is still using Struts version 2.3.32???
    Let me know.

    Thanks.
    Tom Shaw
  • In reply to tom_shaw:

    We are 2 minor versions behind. Usually if there is no major feature that we need, we don’t upgrade. Of course if there is a vulnerability issue, then we definitely upgrade.