~ Verifying the reproducibility of a vulnerability in Apache Struts 2 that allows remote execution of arbitrary code ~
SoftBank Technology Corp.
SoftBank Technology Corp. (Headquarters: Shinjuku-ku, Tokyo, President and CEO: Shinichi Ata, hereinafter referred to as SBT) announces that it has verified the reproducibility of attacks using vulnerability CVE-2018-11776 and released a research report.
Regarding the vulnerability in question, as of August 27, 2018, the time of writing this report, a version in which this vulnerability is fixed (dated August 22, 2018) has already been released by the Apache Software Foundation. Because the attack is easy to carry out, the attack code has been made public, and the impact on a system is large when it is attacked, our security research group has identified this as a critical vulnerability and verified its reproducibility.
[Overview]
A vulnerability (CVE-2018-11776, S2-057) that allows remote execution of arbitrary code has been discovered in Apache Struts 2, along with attack code that exploits it. The vulnerability lies in a flaw in the way the core Struts framework handles data validation. Systems are affected when alwaysSelectFullNamespace is set to true, or when the Struts configuration file contains an action or url tag with a wildcard namespace.
If an attack that exploits this vulnerability is successful, there is a risk that arbitrary code could be executed remotely with execution privileges on the web application server where Apache Struts 2 is installed.
[Systems that may be affected]
- Apache Struts versions from 2.3 to 2.3.34
- Apache Struts versions from 2.5 to 2.5.16
Unsupported versions of Struts other than those listed above may also be affected by the vulnerability.
[Countermeasures]
At the time of writing this report (August 27, 2018), the Apache Software Foundation has released a version that fixes this vulnerability. We recommend that you upgrade to a version that fixes the vulnerability.
[How to check the version]
Search for the .jar files under /WEB-INF/lib on the web application server where Apache Struts 2 is installed. In the struts2-core-2.xxx.jar file shown in the search results, the "2.xxx" part is the version information.
You can also check the Apache Struts 2 version by referring to the line starting with Bundle-Version in the MANIFEST.MF file included in struts2-core-2.xxx.jar.
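The two checks described above (jar file name and Bundle-Version in MANIFEST.MF), combined into one scan and compared against the affected ranges listed in this report. This is an added example, not part of SBT's report; the function names are illustrative, and the manifest is assumed to sit at the standard META-INF/MANIFEST.MF path inside the jar.

```python
import re
import sys
import zipfile
from pathlib import Path

# Affected ranges as listed in this report (inclusive); not an official Apache list.
AFFECTED = [((2, 3), (2, 3, 34)), ((2, 5), (2, 5, 16))]
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.3.34' -> (2, 3, 34); a suffix such as '-SNAPSHOT' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def manifest_version(jar_path):
    """Return Bundle-Version from META-INF/MANIFEST.MF, or None if unavailable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Bundle-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def is_affected(version):
    """True if the version falls inside one of the ranges in AFFECTED."""
    v = parse_version(version)[:3]
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def scan(root):
    """Yield (jar path, version, affected?) for each struts2-core jar in WEB-INF/lib."""
    for jar in sorted(Path(root).glob("**/WEB-INF/lib/struts2-core-*.jar")):
        m = JAR_RE.search(jar.name)
        # Prefer the manifest; fall back to the version embedded in the file name.
        version = manifest_version(jar) or (m.group(1) if m else None)
        if version:
            yield str(jar), version, is_affected(version)


if __name__ == "__main__":
    for path, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok':8}  {version:10}  {path}")
```

Run it with the web application server's deployment directory as the argument; unsupported versions outside the listed ranges are reported as "ok" by this script even though the report notes they may also be affected.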
Contact information for inquiries from media regarding this matter
○ SoftBank Technology Corp. Corporate Planning Department Corporate Communication Group
Email: sbt-pr@tech.softbank.co.jp