The Apache Software Foundation has issued a security update for a critical remote code execution (RCE) vulnerability (CVE-2018-11776) in Apache Struts 2.
Summary of the Struts RCE bug:
“It is possible to perform a RCE attack when namespace value isn’t set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”
Affected software includes: Struts 2.3 – Struts 2.3.34 and Struts 2.5 – Struts 2.5.16.
Users and administrators are highly encouraged to review the Apache Security Bulletin S2-057 for more details and upgrade to Struts 2.3.35 or Struts 2.5.17.