
Struts 2 vulnerability

Have been notified of a Struts 2 vulnerability. Has anyone run into this or have any info?

  • Stat 5.8.0 HF-c and 5.8.1 HF-e, 6.0 and 6.1 include Struts 2.3.32. Below is a list of vulnerability fixes that were included in Struts 2.3.33 and Struts 2.3.34:

    • S2-048 — Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series

      Stat does not have the Struts 1 plugin.

    • S2-049 — A DoS attack is available for Spring secured actions

      That refers to Spring AOP, which is not used by Stat.

    • S2-050 — A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)

      Stat does not use URLValidator.

    • S2-051 — A remote attacker may create a DoS attack by sending a crafted XML request when using the Struts REST plugin

      Stat does not use the Struts REST plugin.

    • S2-052 — Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads

      Stat does not use the Struts REST plugin.

    • S2-053 — A possible Remote Code Execution attack when using an unintentional expression in a Freemarker tag instead of string literals

      Stat does not use the vulnerable Freemarker tag.

    For more info on the latest Struts 2 patches you may refer to:

    and

    Of course, if you get info related to a new Struts vulnerability, please immediately let support know. Thank you.
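The reply's reasoning is an inventory check: which struts2-core version is deployed, and whether the plugins named in the advisories (Struts 1 plugin for S2-048, REST plugin for S2-051 and S2-052) are actually present. The following is an added example, not code from the thread or from Quest, that applies the same check to a list of jar names taken from an application's WEB-INF/lib; the jar naming pattern and the sample listing are assumptions.

```python
"""Inventory check for the Struts 2.3.x advisories listed in the reply (S2-048 to S2-053).

Given the jar file names found under an application's WEB-INF/lib, report whether
struts2-core is older than 2.3.34 (the release that closes the list above) and
whether the plugins named in those advisories are deployed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Advisories from the reply that only apply when a particular plugin jar is deployed.
PLUGIN_ADVISORIES = {
    "struts2-struts1-plugin": ["S2-048"],
    "struts2-rest-plugin": ["S2-051", "S2-052"],
}
FIXED_IN = (2, 3, 34)  # 2.3.33 / 2.3.34 contain the fixes for S2-048..S2-053

# Assumed Maven-style jar naming: <artifact>-<dotted version>.jar
_JAR_RE = re.compile(r"^(?P<name>[a-z0-9-]+?)-(?P<ver>\d+(?:\.\d+)+)\.jar$", re.I)

def parse_jar(filename: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (artifact, version tuple) for e.g. 'struts2-core-2.3.32.jar', else None."""
    m = _JAR_RE.match(filename)
    if not m:
        return None
    return m.group("name").lower(), tuple(int(p) for p in m.group("ver").split("."))

def check_struts_lib(jar_names: List[str]) -> Dict[str, object]:
    """Summarise which of the listed advisories can apply to this deployment."""
    core_version = None
    present_plugins = []
    for jar in jar_names:
        parsed = parse_jar(jar)
        if parsed is None:
            continue  # not a versioned jar; ignore
        artifact, version = parsed
        if artifact == "struts2-core":
            core_version = version
        elif artifact in PLUGIN_ADVISORIES:
            present_plugins.append(artifact)
    outdated = core_version is not None and core_version < FIXED_IN
    relevant = sorted(a for p in present_plugins for a in PLUGIN_ADVISORIES[p])
    return {
        "struts2_core": ".".join(map(str, core_version)) if core_version else None,
        "below_2_3_34": outdated,
        "plugins_present": sorted(present_plugins),
        "plugin_advisories": relevant,  # advisories made relevant by deployed plugins
    }

if __name__ == "__main__":
    # Constructed WEB-INF/lib listing resembling the builds described in the reply.
    sample = ["struts2-core-2.3.32.jar", "xwork-core-2.3.32.jar", "freemarker-2.3.22.jar"]
    print(check_struts_lib(sample))
```

An empty `plugin_advisories` list with `below_2_3_34` true mirrors the reply's position: the core is behind the fixed release, but none of the plugin-specific advisories apply; S2-049, S2-050 and S2-053 still need the per-application review the reply walks through.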

