Apache Struts - updated


#1 AplusWebMaster

Posted 02 December 2017 - 02:36 PM

FYI...

Apache Struts 2.5.14.1
- https://cwiki.apache...splay/WW/S2-054
Dec 01, 2017
> https://cwiki.apache...PageVersions=10
Recommendation: Upgrade to Struts 2.5.14.1
Affected Software: Struts 2.5 - Struts 2.5.14

- https://www.security....com/id/1039946
CVE Reference: https://nvd.nist.gov.../CVE-2017-15707
Dec 1 2017
Impact: Denial of service via network
Fix Available: Yes. Vendor Confirmed: Yes.
Version(s): 2.5 - 2.5.14
Description: A vulnerability was reported in Apache Struts. A remote user can cause denial of service conditions on the target system.
A remote user can send specially crafted JSON data to trigger a flaw in the REST Plugin's default JSON-lib handler and cause denial of service conditions.
Impact: A remote user can cause denial of service conditions.
Solution: The vendor has issued a fix (2.5.14.1)...

>> https://cwiki.apache...pageId=74688649

Apache Struts 2 Documentation
Apache Struts Version Notes 2.5.14.1
>> https://cwiki.apache... Notes 2.5.14.1

- https://cwiki.apache...splay/WW/S2-055
Dec 01, 2017
> https://cwiki.apache...dPageVersions=4
Recommendation: Upgrade to Struts 2.5.14.1

- https://www.security....com/id/1039947
CVE Reference: CVE-2017-7525
Dec 1 2017
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes. Vendor Confirmed: Yes.
Version(s): 2.5 - 2.5.14
Description: A vulnerability was reported in Apache Struts. The impact was not specified.
A remote user can send specially crafted data to trigger a deserialization error in the jackson-databind component. The readValue() method of the ObjectMapper is affected...
[Editor's note: The vendor advisory does not specify the impact. However, because the deserialization vulnerability in the jackson-databind component can lead to code execution in other applications of the component, this Alert has been categorized as a state error with code execution impact.]
Solution: The vendor has issued a fix (2.5.14.1)...
___

> https://www.us-cert....ecurity-Updates
Dec 04, 2017 - "... upgrade to Struts 2.5.14.1."

> https://cwiki.apache...splay/WW/S2-054

> https://cwiki.apache...splay/WW/S2-055
Edited by AplusWebMaster, 04 December 2017 - 06:33 PM.