Author Topic: Struts vulnerability CVE-2018-11776  (Read 376 times)

Andreas

Struts vulnerability CVE-2018-11776
« on: August 25, 2018, 12:37:02 AM »
Hi,

Is KonaKart affected by this vulnerability? I am using 8.8.0.0 at the moment. And what about 8.8.0.1 and 8.9.0.0?

https://cwiki.apache.org/confluence/display/WW/S2-057

Thanks
Andy

Brian

Re: Struts vulnerability CVE-2018-11776
« Reply #1 on: August 25, 2018, 02:00:49 AM »
As far as we are aware KonaKart is not vulnerable to this.

Some background:

CVE-2018-11776 was announced on 22/08/2018. Details were published ( https://semmle.com/news/apache-struts-CVE-2018-11776 ) by Semmle who found the vulnerability. It’s a critical vulnerability because it involves remote code execution.

To determine whether you are vulnerable, here’s a snippet from the above link:

For your application to be vulnerable to the attack vectors described below, both of the following conditions should hold:
  • The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
  • Your application’s Struts configuration file contains an <action ...> tag that does not specify the optional namespace attribute, or specifies a wildcard namespace (e.g. “/*”)

If your application’s configuration does not meet these two conditions, you are likely not vulnerable to the two attack vectors described below.

In the standard KonaKart Struts storefront, “alwaysSelectFullNamespace” is set to false because it hasn’t been set to true in struts.xml and the Convention plugin isn’t used by KonaKart. Therefore, as far as we are aware the “out of the box” implementation should not be vulnerable. It may be wise to check your struts.xml file to determine whether the following line has been added, which would make you vulnerable:

<constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
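
Added example, not part of the reply above and not KonaKart or Struts code: a small Python audit that evaluates the two quoted conditions on a struts.xml file. The function name and the sample XML are constructed for illustration; the namespace is read from the enclosing `<package>` element, which is where struts.xml declares it.

```python
import xml.etree.ElementTree as ET

FLAG = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample input (not KonaKart's real struts.xml).
SAMPLE_SAFE = """<struts>
  <package name="store" namespace="/" extends="struts-default">
    <action name="Welcome" class="example.WelcomeAction"/>
  </package>
</struts>"""

SAMPLE_RISKY = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
  <package name="store" extends="struts-default">
    <action name="Welcome" class="example.WelcomeAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="Login" class="example.LoginAction"/>
  </package>
</struts>"""


def audit_struts_xml(xml_text):
    """Evaluate the two S2-057 conditions quoted above on one struts.xml.

    Does not follow <include> files and cannot see the Convention plugin,
    which turns the flag on without any line in struts.xml.
    """
    root = ET.fromstring(xml_text)
    # Condition 1: the flag is explicitly set to true.
    flag_on = any(
        c.get("name") == FLAG and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    exposed = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        # Condition 2: namespace missing/empty (default) or a wildcard like "/*".
        if not ns or "*" in ns:
            exposed += [(pkg.get("name"), a.get("name")) for a in pkg.iter("action")]
    return {
        "flag_on": flag_on,
        "exposed_actions": exposed,
        "both_conditions": flag_on and bool(exposed),
    }


if __name__ == "__main__":
    for label, text in (("safe", SAMPLE_SAFE), ("risky", SAMPLE_RISKY)):
        print(label, audit_struts_xml(text))
```

A `both_conditions` value of `False` only covers the file that was parsed; included configuration files need the same check.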


Andreas

Re: Struts vulnerability CVE-2018-11776
« Reply #2 on: August 28, 2018, 04:02:10 AM »
Thanks for the fast reply. That was my guess, but I wanted to be sure.