Hi Roland,

We got a new Struts vulnerability ticket from NASA.

#23037: High Vulnerability: Apache Struts 2.0.0 < 2.5.30 Possible Remote Code Execution vulnerability (S2-062) (159667)
Path : /usr/local/tomcat/webapps/EarthSystemLAS/WEB-INF/lib/struts2-core-2.5.26.jar
Installed version : 2.5.26
Fixed version : 2.5.30

Let me know if you can create a new version for us. Or let us know how we upgrade to the new struts version.

--Bryan

Description:
The version of Apache Struts installed on the remote host is prior to 2.5.30. It is, therefore, affected by a vulnerability as referenced in the S2-062 advisory.
- The fix issued for CVE-2020-17530 (S2-061) was incomplete.
Still some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
(CVE-2021-31805)

Solution:
Upgrade to Apache Struts version 2.5.30 or later. Alternatively, apply the workaround as referenced in the vendor's security bulletin.

See Also:
https://cwiki.apache.org/confluence/display/WW/S2-062

From: Roland Schweitzer - NOAA Affiliate <roland.schweitzer@xxxxxxxx>

Bryan,

I built a tar file with the new library. I've tested it a bit. You can also just replace the library and recompile.

Roland

On Tue, Jan 12, 2021 at 10:46 PM Bryan Littlefield <bryan.littlefield@xxxxxxxxxx> wrote:

--
The policy of the DOC and NOAA requires me to inform you that the opinions in this email are mine and do not necessarily represent the opinion or policy of the Department of Commerce or the National Oceanic and Atmospheric Administration.
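Added example, not code from this thread or from the LAS project: a small Python triage script that applies the two checks implied by the S2-062 description quoted in the ticket. It compares the struts2-core jar version found in a WEB-INF/lib path against the 2.5.30 fix version, and it lists Struts tag attributes in JSP source whose value is a forced OGNL expression (%{...}), since those are the places the advisory's workaround tells a developer to review. The jar path is the one from the ticket; the sample JSP, the `assess` helper and the regular expressions are constructed here for illustration and are a triage aid, not a JSP parser.

```python
import re

# Fix version from the S2-062 advisory quoted in the ticket; 2.0.0 is the
# bottom of the affected range named in the ticket title.
FIXED_VERSION = (2, 5, 30)
AFFECTED_FROM = (2, 0, 0)

JAR_RE = re.compile(r"struts2-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def jar_version(path):
    """Return (major, minor, patch) for a struts2-core jar path, or None if it is not one."""
    m = JAR_RE.search(path)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_jar(path):
    """True when the jar is a struts2-core build with 2.0.0 <= version < 2.5.30."""
    v = jar_version(path)
    return v is not None and AFFECTED_FROM <= v < FIXED_VERSION


# Struts tags (<s:...>) and attributes whose value is a forced OGNL expression %{...}.
# Constructed for this example: good enough for single-quote-free, well-formed tags.
TAG_RE = re.compile(r"<s:[\w-]+\b([^>]*)>")
ATTR_RE = re.compile(r'(\w+)\s*=\s*"(%\{[^"]*\})"')


def forced_ognl_attributes(jsp_source):
    """List (line, attribute, expression) for every Struts tag attribute written as %{...}.

    Each hit is a candidate for the double evaluation described in S2-062. Whether a hit
    is exploitable depends on whether the expression's value can be set by the request.
    """
    hits = []
    for tag in TAG_RE.finditer(jsp_source):
        line = jsp_source.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group(1)):
            hits.append((line, attr.group(1), attr.group(2)))
    return hits


# Constructed sample JSP: line 2 is the forced-evaluation pattern, line 4 the same
# tag written without %{...}, which is the workaround the advisory points at.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:a id="%{skillName}" href="/skills">link</s:a>
<s:textfield name="name" value="%{name}" />
<s:a id="skillName">link</s:a>
"""

# Path taken from the ticket in the message above.
TICKET_JAR = "/usr/local/tomcat/webapps/EarthSystemLAS/WEB-INF/lib/struts2-core-2.5.26.jar"


def assess(jar_path, jsp_source):
    """Combine both checks into one report dict (hypothetical helper for this example)."""
    return {
        "jar": jar_path,
        "installed": jar_version(jar_path),
        "fixed": FIXED_VERSION,
        "vulnerable_jar": is_vulnerable_jar(jar_path),
        "forced_ognl": forced_ognl_attributes(jsp_source),
    }


if __name__ == "__main__":
    report = assess(TICKET_JAR, SAMPLE_JSP)
    print("jar:", report["jar"])
    print("installed:", report["installed"], "fixed:", report["fixed"])
    print("vulnerable jar:", report["vulnerable_jar"])
    for line, attr, expr in report["forced_ognl"]:
        print(f"line {line}: attribute {attr}={expr!r} uses forced OGNL evaluation")
```

Swapping the jar for 2.5.30, as Roland's tar file does, clears the first check; the second check is what to run over the webapp's JSPs before deciding whether the workaround alone would have been enough, because the advisory's fix is about the tag attributes, not the jar name.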