Data: CASIE
Negative Trigger
in the core infrastructure of Apache Struts 2.

The Apache Software Foundation has patched a critical security vulnerability which affects all versions of Apache Struts 2.

Uncovered by researchers from cybersecurity firm Semmle, the security flaw is caused by insufficient validation of untrusted user data in the core Struts framework. It is triggered when Apache Struts uses results with no namespace and, at the same time, the upper action(s) have no namespace or a wildcard namespace. The same opportunity for exploitation exists when the URL tag is in use and no value or action is set.

As the bug, CVE-2018-11776, has been discovered in the Struts core, the team says there are multiple attack vectors threat actors could use to exploit the vulnerability. The vulnerability can be triggered if the alwaysSelectFullNamespace flag is set to true in the Struts configuration, which is automatically the case when the Struts Convention plugin is in use, or if a user's Struts configuration file contains a tag that does not specify the optional namespace attribute or specifies a wildcard namespace.
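As an added example (not from the article or from the Struts project), this struts.xml shows the configuration pattern described above next to a hardened equivalent with explicit namespaces; the package, action and class names are constructed, and struts.mapper.alwaysSelectFullNamespace is the Struts property behind the alwaysSelectFullNamespace flag the article mentions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <!-- Keep the mapper default. Setting this to true (which the Convention
       plugin does automatically) is the first condition named above. -->
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>

  <!-- Pattern to avoid (constructed): the package and action declare no
       namespace attribute (a wildcard such as namespace="/*" is equivalent),
       and the redirectAction result names no namespace either, so the
       namespace is taken from whatever the incoming URL supplied. -->
  <package name="orders-risky" extends="struts-default">
    <action name="show" class="com.example.ShowOrderAction">
      <result name="success">/WEB-INF/jsp/order.jsp</result>
      <result name="back" type="redirectAction">
        <param name="actionName">list</param>
      </result>
    </action>
  </package>

  <!-- Hardened equivalent: an explicit namespace on the package and an
       explicit namespace on every redirectAction result, so no result is
       left to inherit a namespace from the request. This is a workaround
       only; upgrading to 2.3.35 or 2.5.17 remains the actual fix. -->
  <package name="orders" namespace="/orders" extends="struts-default">
    <action name="show" class="com.example.ShowOrderAction">
      <result name="success">/WEB-INF/jsp/order.jsp</result>
      <result name="back" type="redirectAction">
        <param name="actionName">list</param>
        <param name="namespace">/orders</param>
      </result>
    </action>
  </package>
</struts>
```

The same rule covers the URL tag condition in the article: give every `<s:url>` in the JSPs an explicit `action` or `value` rather than leaving both unset.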
Man Yue Mo from the Semmle Security Research Team first reported the flaw.

"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers," Mo says. "On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past."

The vulnerability affects all versions of Apache Struts 2. Companies which use the popular open-source framework are urged to update their builds immediately. Users of Struts 2.3 are advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17.

As the latest releases only contain fixes for the vulnerability, Apache does not expect users to experience any backward compatibility issues.

"Previous disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk," Semmle says. "All applications that use Struts are potentially vulnerable, even when no additional plugins have been enabled."

Mo first reported the findings in April. By June, the Apache Struts team published the code which resolved the problem, leading to the release of official patches on August 22.