-
Bug
-
Resolution: Fixed
-
Highest
-
2.8.3, 2.9.1, 2.9.5, 2.10.1, 2.10.2, 2.11.0
-
None
-
Severity 1 - Critical
-
Description
Crowd used a version of Struts 2 that was vulnerable to CVE-2017-5638. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd.
Affected versions:
- All versions of Crowd from 2.8.3 before 2.9.7 (the fixed version for 2.9.x), from version 2.10.1 before 2.10.3 (the fixed version for 2.10.x) and from version 2.11.0 before 2.11.1 (the fixed version for 2.11.x) are affected by this vulnerability.
Fix:
- Crowd 2.11.1 is available for download from https://www.atlassian.com/software/crowd/download.
- Crowd 2.10.3 is available for download from https://www.atlassian.com/software/crowd/download-archive.
- Crowd 2.9.7 is available for download from https://www.atlassian.com/software/crowd/download-archive.
Hotfix:
The preferred fix is to upgrade Crowd to a version that's not vulnerable (see the Fix section). If you cannot schedule an upgrade immediately, and are using Crowd 2.10 or 2.11, you can replace the affected library as a temporary workaround.
To replace the library:
- Stop Crowd
- Download struts2-core-2.3.32.jar
- Remove all existing copies of struts2-core-2.3.29.jar:
./crowd-openidclient-webapp/WEB-INF/lib/struts2-core-2.3.29.jar ./crowd-openidserver-webapp/WEB-INF/lib/struts2-core-2.3.29.jar ./crowd-webapp/WEB-INF/lib/struts2-core-2.3.29.jar ./demo-webapp/WEB-INF/lib/struts2-core-2.3.29.jar
- Copy the downloaded struts2-core-2.3.32.jar into each of the lib/ directories you removed the jar from
- Restart Crowd
This temporary solution is provided only for your convenience and an upgrade to an official Crowd release should be scheduled as soon as possible.
For additional details see the full advisory.
![[Atlassian Documentation] Page](https://confluence.atlassian.com/images/icons/favicon.png "[Atlassian Documentation] Page"){kind=icon}
![[Extranet] Page](/images/icons/generic_link_16.png "[Extranet] Page"){kind=icon}
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[CWD-4879] Apache Struts 2 Remote Code Execution (CVE-2017-5638)
einkauf13 For Crowd versions 2.10.x and 2.11.x the struts2-core.jar can be replaced as a temporary hotfix. I've updated the issue with the steps required.
security+atlassian1282683442 filtering requests by Content-Type as described should not cause any side-effects, but might not be enough to guard against all variants of the attack. Either upgrading to a version that's not vulnerable or applying the hotfix is advised.
Hi,
Can you advise if the following workaround for Apache + mod_rewrite would be OK and not cause any side effects ?
RewriteCond %{HTTP:Content-type} [$\#()%}{]
RewriteRule . [F,L]
Source: http://stackoverflow.com/questions/42720926/mitigating-cve-2017-5638-apache-struts2-vulnerability
Thank you.
Is there an option as a temporary fix to replace the vulnerable struts-library like in Bamboo?
https://jira.atlassian.com/browse/BAM-18242?src=confmacro&_ga=1.226328402.937700539.1475566115
Thank you Lukasz