KonaKart Community Forum


Struts vulnerability CVE-2018-11776

Started by Andreas, August 25, 2018, 10:37:02 am


Andreas

Hi,

Is KonaKart affected by this vulnerability? I am using 8.8.0.0 at the moment. And what about 8.8.0.1 and 8.9.0.0?

https://cwiki.apache.org/confluence/display/WW/S2-057

Thanks
Andy

Brian

As far as we are aware KonaKart is not vulnerable to this.

Some background:

CVE-2018-11776 was announced on 22/08/2018. Details were published ( https://semmle.com/news/apache-struts-CVE-2018-11776 ) by Semmle who found the vulnerability. It's a critical vulnerability because it involves remote code execution.

To determine whether you are vulnerable, here's a snippet from the above link:

For your application to be vulnerable to the attack vectors described below, both of the following conditions should hold:

  • The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
  • Your application's Struts configuration file contains an <action ...> tag that does not specify the optional namespace attribute, or specifies a wildcard namespace (e.g. "/*")

If your application's configuration does not meet these two conditions, you are likely not vulnerable to the two attack vectors described below.



In the standard KonaKart Struts storefront, "alwaysSelectFullNamespace" is set to false because it hasn't been set to true in struts.xml and the Convention plugin isn't used by KonaKart. Therefore, as far as we are aware the "out of the box" implementation should not be vulnerable. It may be wise to check your struts.xml file to determine whether the following line has been added, which would make you vulnerable:

<constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
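
The two preconditions quoted above can be checked mechanically rather than by eye. The script below is an added example written for this thread, not KonaKart code and not part of the Semmle advisory: it parses a struts.xml, reports whether `struts.mapper.alwaysSelectFullNamespace` is set to true, and lists every `<action>` whose effective namespace is missing or contains a wildcard. The two embedded configs are constructed samples, and the class names in them are made up. One assumption is baked in: in a Struts 2 struts.xml the `namespace` attribute normally sits on `<package>`, so the checker takes the package namespace as the action's namespace unless the action element itself carries one.

```python
"""Check a struts.xml for the two CVE-2018-11776 preconditions quoted from Semmle.

Added example for this forum thread, not KonaKart's own code. Assumption: the
namespace of an <action> is the namespace attribute of its enclosing <package>
unless the <action> element itself carries a namespace attribute.
"""
import sys
import xml.etree.ElementTree as ET

FLAG = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample: flag enabled and an action in a package with no namespace.
VULNERABLE_CONFIG = """<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
  <package name="default" extends="struts-default">
    <action name="Index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="Login" class="com.example.LoginAction" />
  </package>
</struts>
"""

# Constructed sample: flag left at its default and every package namespaced.
SAFE_CONFIG = """<struts>
  <package name="default" namespace="/" extends="struts-default">
    <action name="Index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
</struts>
"""


def full_namespace_enabled(root):
    """True if a <constant> sets the flag to true; the last definition wins."""
    value = "false"
    for const in root.iter("constant"):
        if const.get("name") == FLAG:
            value = const.get("value", "false").strip()
    return value.lower() == "true"


def unscoped_actions(root):
    """(package, action) pairs whose effective namespace is absent or a wildcard."""
    hits = []
    for pkg in root.iter("package"):
        pkg_ns = pkg.get("namespace")
        for action in pkg.iter("action"):
            ns = action.get("namespace", pkg_ns)  # action-level attr overrides package
            if ns is None or "*" in ns:
                hits.append((pkg.get("name", "?"), action.get("name", "?")))
    return hits


def assess(xml_text):
    """Return the two flags and whether both Semmle conditions hold at once."""
    root = ET.fromstring(xml_text)
    flag = full_namespace_enabled(root)
    actions = unscoped_actions(root)
    return {
        "alwaysSelectFullNamespace": flag,
        "unscoped_actions": actions,
        "meets_both_conditions": flag and bool(actions),
    }


def report(label, result):
    status = "BOTH CONDITIONS MET" if result["meets_both_conditions"] else "conditions not met"
    print(f"{label}: {status}")
    print(f"  {FLAG} = {result['alwaysSelectFullNamespace']}")
    for pkg, action in result["unscoped_actions"]:
        print(f"  action '{action}' in package '{pkg}' has no (or a wildcard) namespace")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_struts.py /path/to/struts.xml [...]
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                report(path, assess(fh.read()))
    else:
        report("constructed vulnerable sample", assess(VULNERABLE_CONFIG))
        report("constructed safe sample", assess(SAFE_CONFIG))
```

Run it against your deployed struts.xml rather than the one in the source tree, since the constant is usually added at deployment time. Note the checker only sees that one file: the same constant can also come from struts.properties or from a plugin's struts-plugin.xml inside a jar (which is how the Convention plugin turns it on), so a clean result here is only meaningful if, as in the standard storefront, the Convention plugin is not on the classpath.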


Andreas

Thanks for the fast reply. That was my guess, but I wanted to be sure.