Medium Security Advisory (CVSS score of 5.8) for Struts 18.104.22.168 Users
On October 15, 2013, the Apache Struts group announced that a new version of Struts, 22.214.171.124, was being made generally available. This new version was released to fix another aspect of the previously reported vulnerability, CVE-2013-4310, which was originally made public in the National Vulnerability Database on September 30th and affects all versions prior to 126.96.36.199.
Once again, given the widespread usage of Struts and the high CVSS exploitability score (8.6 out of 10), it is critical for organizations to migrate to the latest version as soon as possible. This vulnerability can allow immediate, unauthenticated remote code execution and simply takes advantage, in a new way, of a previous security vulnerability first fixed in 188.8.131.52. Although we have not heard of any reported security incidents, unlike the previous issues, the recent popularity of Struts as a valid attack vector will no doubt bring renewed attacks, and the vulnerability will make its way into the latest exploit kits leveraged in the wild.
This disclosure once again highlights the importance of understanding and maintaining an inventory of all our applications and a complete bill of materials to take advantage of these disclosures as efficiently and quickly as possible.
For more details related to the Apache release, please click here.
Information related to the reported CVE can be found here. (It is IMPORTANT to note that although the CVE reports that the issue was fixed in 184.108.40.206, another form of this same attack was not fixed until 220.127.116.11.)
If you are uncertain if, or where, you are using these vulnerable components, contact Sonatype for a complimentary Application Health Check and Bill of Materials.