A severe vulnerability has been detected in the Apache Struts 2 framework. The vulnerability allows full remote code execution and is actively being exploited in the wild.
The UBC Cybersecurity team has been in contact with all known owners of applications relying on Apache Struts. If you are responsible for an application that uses the Struts framework and have not been contacted by us, please email Aaron Heck (aaron.heck@ubc.ca) immediately.
Severity
- Critical
CVE Number
- CVE-2018-11776
Impacted Platforms
- Apache Struts 2.3 – Struts 2.3.34, Struts 2.5 – Struts 2.5.16
- Unsupported Struts versions (i.e. all versions below 2.3) may also be affected
Recommended Actions
- Upgrade to Struts 2.3.35 or Struts 2.5.17
- Contact security@ubc.ca if you have any questions
- Regularly check Apache Struts Security Bulletins (https://cwiki.apache.org/confluence/display/WW/Security+Bulletins)
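To help application owners confirm which of the actions above apply to them, the following script is an added example (not part of the UBC advisory or of the Apache Struts project) that classifies a deployed Struts version against the impacted and fixed versions listed above. It assumes the standard Maven artifact naming `struts2-core-<version>.jar` when scanning a directory; the jar names in the sample inventory are constructed for illustration.

```python
import re
from pathlib import Path

# Ranges and fixed releases taken from the advisory above:
# affected 2.3 through 2.3.34 and 2.5 through 2.5.16; fixed in 2.3.35 and 2.5.17.
# Anything below 2.3 is unsupported and "may also be affected".
AFFECTED_RANGES = (((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16)))
FIXED_VERSIONS = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Assumed artifact naming convention, e.g. struts2-core-2.5.16.jar
JAR_NAME_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.16' into (2, 5, 16); missing components are padded with 0."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def classify(version):
    """Classify a Struts version string or tuple.

    Returns 'affected', 'possibly-affected' (unsupported, below 2.3),
    'fixed' (at or above the fixed release on its branch), or 'not-listed'
    (a branch the advisory does not mention).
    """
    v = parse_version(version) if isinstance(version, str) else version
    if v < (2, 3, 0):
        return "possibly-affected"
    for lo, hi in AFFECTED_RANGES:
        if lo <= v <= hi:
            return "affected"
    branch = v[:2]
    if branch in FIXED_VERSIONS and v >= FIXED_VERSIONS[branch]:
        return "fixed"
    return "not-listed"


def classify_jar_name(filename):
    """Return (version, status) for a struts2-core jar name, or None if it is not one."""
    m = JAR_NAME_RE.match(filename)
    if not m:
        return None
    return m.group(1), classify(m.group(1))


def scan_jar_names(names):
    """Classify every struts2-core jar in an iterable of file names; other jars are skipped."""
    results = {}
    for name in names:
        r = classify_jar_name(name)
        if r:
            results[name] = r
    return results


def scan_directory(root):
    """Walk a deployment directory (e.g. an exploded WAR's WEB-INF/lib) and classify jars."""
    return scan_jar_names(p.name for p in Path(root).rglob("struts2-core-*.jar"))


# Constructed sample inventory for the demo; not real deployments.
SAMPLE_JARS = [
    "struts2-core-2.3.34.jar",
    "struts2-core-2.5.16.jar",
    "struts2-core-2.5.17.jar",
    "struts2-core-2.1.8.jar",
    "commons-lang3-3.8.jar",
]

if __name__ == "__main__":
    for name, (ver, status) in scan_jar_names(SAMPLE_JARS).items():
        print(f"{name}: {ver} -> {status}")
```

Run `scan_directory("/path/to/app/WEB-INF/lib")` against each deployed application; any result other than `fixed` means the upgrade above is still outstanding, and `possibly-affected` results on unsupported versions should be treated as needing an upgrade as well.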
More information
- https://nvd.nist.gov/vuln/detail/CVE-2018-11776
- https://semmle.com/news/apache-struts-CVE-2018-11776
- https://cwiki.apache.org/confluence/display/WW/S2-057
- https://www.securityweek.com/critical-apache-struts-2-flaw-allows-remote-code-execution
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776