[Vulnerability notice] CVE-2017-9791: Remote command execution vulnerability in Struts (S2-048)

Last Updated: Apr 08, 2018

On July 7, 2017, Apache Struts released its latest security bulletin and announced CVE-2017-9791. The vulnerability lies in the ActionMessage class of the Showcase plug-in in Struts 2 and Struts 1. An attacker can construct untrusted input to achieve remote command execution, which creates a security risk.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-9791

Vulnerability name

Struts (S2-048) remote command execution vulnerability

Vulnerability rating

High

Vulnerability description

In the Showcase ActionMessage class, an attacker can construct untrusted input to achieve remote command execution, which creates a security risk.

Condition and method of exploitation

Remote exploitation

Affected scope

Struts 2.3.x Showcase application

Vulnerability detection

Check the Struts framework version.

How to fix or mitigate

  • Disable, close, or delete the \struts-2.3.x\apps\struts2-showcase.war package as required.

  • Upgrade Struts to the latest version 2.5.10.1.

  • Use Alibaba Cloud Security WAF for defense.
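The detection step ("check the Struts framework version") and the first two mitigations can be turned into a repeatable server-side check. The following POSIX shell script is an added example and is not part of the Alibaba Cloud notice: it walks a deployment directory, reports any deployed struts2-showcase.war (or exploded struts2-showcase directory), and flags any struts2-core jar whose version is older than the 2.5.10.1 named above. The directory layout and the struts2-core-<version>.jar naming it relies on are assumptions about a typical Tomcat-style deployment; the STRUTS_ROOT environment variable is likewise an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the notice): inventory a Struts deployment for the
# S2-048 conditions the notice names. Assumes a Tomcat-style layout such as
# webapps/<app>/WEB-INF/lib/struts2-core-<version>.jar (assumption).

FIXED_VERSION="2.5.10.1"   # fixed release named in the notice

# version_lt A B: return 0 if dotted version A is older than B, 1 otherwise.
# Components are compared numerically; a non-numeric suffix ("1-beta") is
# ignored, and a missing component counts as 0 (so 2.5.10 < 2.5.10.1).
version_lt() {
    vl_a="$1"; vl_b="$2"
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_ai="${vl_a%%.*}"; vl_bi="${vl_b%%.*}"
        [ "$vl_a" = "$vl_ai" ] && vl_a='' || vl_a="${vl_a#*.}"
        [ "$vl_b" = "$vl_bi" ] && vl_b='' || vl_b="${vl_b#*.}"
        vl_ai="${vl_ai%%[!0-9]*}"; vl_bi="${vl_bi%%[!0-9]*}"
        vl_ai="${vl_ai:-0}"; vl_bi="${vl_bi:-0}"
        if [ "$vl_ai" -lt "$vl_bi" ]; then return 0; fi
        if [ "$vl_ai" -gt "$vl_bi" ]; then return 1; fi
    done
    return 1
}

# struts_core_version PATH: print the version embedded in a struts2-core jar
# file name, e.g. struts2-core-2.3.32.jar -> 2.3.32.
struts_core_version() {
    scv_name=$(basename "$1" .jar)
    printf '%s\n' "${scv_name#struts2-core-}"
}

# check_struts_deployment ROOT: print one finding per line. Returns 1 if the
# Showcase app or an outdated struts2-core jar was found, 0 if clean.
check_struts_deployment() {
    csd_root="$1"; csd_status=0
    # Finding 1: the Showcase sample application is deployed at all.
    for csd_path in $(find "$csd_root" \( -name 'struts2-showcase.war' -o -name 'struts2-showcase' \) 2>/dev/null); do
        echo "FOUND showcase app: $csd_path (disable or delete it)"
        csd_status=1
    done
    # Finding 2: a struts2-core jar older than the fixed version.
    for csd_jar in $(find "$csd_root" -name 'struts2-core-*.jar' 2>/dev/null); do
        csd_ver=$(struts_core_version "$csd_jar")
        if version_lt "$csd_ver" "$FIXED_VERSION"; then
            echo "OUTDATED struts2-core $csd_ver at $csd_jar (upgrade to $FIXED_VERSION)"
            csd_status=1
        fi
    done
    return $csd_status
}

# Usage: STRUTS_ROOT=/opt/tomcat/webapps sh check_struts.sh
if [ -n "${STRUTS_ROOT:-}" ]; then
    check_struts_deployment "$STRUTS_ROOT"
fi
```

The non-zero exit status makes the script usable from a configuration-management or scheduled job, so a host that regains the Showcase package or regresses to an older struts2-core jar is reported again rather than only at the time of the original fix.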

Reference

[1] https://cwiki.apache.org/confluence/display/WW/S2-048
