-
Bug
-
Resolution: Fixed
-
Highest
-
2.8.3, 2.9.1, 2.9.5, 2.10.1, 2.10.2, 2.11.0
-
None
-
Severity 1 - Critical
-
Description
Crowd used a version of Struts 2 that was vulnerable to CVE-2017-5638. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd.
Affected versions:
- All versions of Crowd from 2.8.3 before 2.9.7 (the fixed version for 2.9.x), from version 2.10.1 before 2.10.3 (the fixed version for 2.10.x) and from version 2.11.0 before 2.11.1 (the fixed version for 2.11.x) are affected by this vulnerability.
Fix:
- Crowd 2.11.1 is available for download from https://www.atlassian.com/software/crowd/download.
- Crowd 2.10.3 is available for download from https://www.atlassian.com/software/crowd/download-archive.
- Crowd 2.9.7 is available for download from https://www.atlassian.com/software/crowd/download-archive.
Hotfix:
The preferred fix is to upgrade Crowd to a version that's not vulnerable (see the Fix section). If you cannot schedule an upgrade immediately, and are using Crowd 2.10 or 2.11, you can replace the affected library as a temporary workaround.
To replace the library:
- Stop Crowd
- Download struts2-core-2.3.32.jar
- Remove all existing copies of struts2-core-2.3.29.jar:
./crowd-openidclient-webapp/WEB-INF/lib/struts2-core-2.3.29.jar ./crowd-openidserver-webapp/WEB-INF/lib/struts2-core-2.3.29.jar ./crowd-webapp/WEB-INF/lib/struts2-core-2.3.29.jar ./demo-webapp/WEB-INF/lib/struts2-core-2.3.29.jar
- Copy the downloaded struts2-core-2.3.32.jar into each of the lib/ directories you removed the jar from
- Restart Crowd
This temporary solution is provided only for your convenience and an upgrade to an official Crowd release should be scheduled as soon as possible.
For additional details see the full advisory.
![[Atlassian Documentation] Page](https://confluence.atlassian.com/images/icons/favicon.png "[Atlassian Documentation] Page"){kind=icon}
![[Extranet] Page](/images/icons/generic_link_16.png "[Extranet] Page"){kind=icon}
[CWD-4879] Apache Struts 2 Remote Code Execution (CVE-2017-5638)
| Workflow | Original: Simplified Crowd Development Workflow v2 - restricted [ 1767109 ] | New: JAC Bug Workflow v3 [ 3365775 ] |
| Symptom Severity | Original: Critical [ 14430 ] | New: Severity 1 - Critical [ 15830 ] |
| Description |
Original:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd *from 2.8.3* before *2.9.7* (the fixed version for 2.9.x), from version *2.10.1* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0* before *2.11.1* (the fixed version for 2.11.x) are affected by this vulnerability. *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. * *Crowd* 2.9.7 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. For additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html]. |
New:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd *from 2.8.3* before *2.9.7* (the fixed version for 2.9.x), from version *2.10.1* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0* before *2.11.1* (the fixed version for 2.11.x) are affected by this vulnerability. *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. * *Crowd* 2.9.7 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. *Hotfix:* The preferred fix is to upgrade Crowd to a version that's not vulnerable (see the *Fix* section). If you cannot schedule an upgrade immediately, and are using Crowd 2.10 or 2.11, you can replace the affected library as a temporary workaround. To replace the library: # Stop Crowd # Download [struts2-core-2.3.32.jar|https://maven.atlassian.com/content/groups/public/org/apache/struts/struts2-core/2.3.32/struts2-core-2.3.32.jar] # Remove all existing copies of struts2-core-2.3.29.jar: {code} ./crowd-openidclient-webapp/WEB-INF/lib/struts2-core-2.3.29.jar ./crowd-openidserver-webapp/WEB-INF/lib/struts2-core-2.3.29.jar ./crowd-webapp/WEB-INF/lib/struts2-core-2.3.29.jar ./demo-webapp/WEB-INF/lib/struts2-core-2.3.29.jar {code} # Copy the downloaded struts2-core-2.3.32.jar into each of the lib/ directories you removed the jar from # Restart Crowd This temporary solution is provided only for your convenience and an upgrade to an official Crowd release should be scheduled as soon as possible. For additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html]. |
| Description |
Original:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd *from 2.8.3* before *2.9.7* (the fixed version for 2.9.x), from version *2.10.1* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0* before *2.11.1* (the fixed version for 2.11.x) are affected by this vulnerability *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. * *Crowd* 2.9.7 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. For additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html]. |
New:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd *from 2.8.3* before *2.9.7* (the fixed version for 2.9.x), from version *2.10.1* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0* before *2.11.1* (the fixed version for 2.11.x) are affected by this vulnerability. *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. * *Crowd* 2.9.7 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. For additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html]. |
| Description |
Original:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd ** from *2.8.3* before *2.9.7* (the fixed version for 2.9.x), from version *2.10.1* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0* before *2.11.1* (the fixed version for 2.11.x) are affected by this vulnerability *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. * *Crowd* 2.9.7 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. For additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html]. |
New:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd *from 2.8.3* before *2.9.7* (the fixed version for 2.9.x), from version *2.10.1* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0* before *2.11.1* (the fixed version for 2.11.x) are affected by this vulnerability *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. * *Crowd* 2.9.7 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. For additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html]. |
| Description |
Original:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd from *2.8.3* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0* before *2.11.1* (the fixed version for 2.11.x) are affected by this vulnerability. *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. For additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html]. |
New:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd ** from *2.8.3* before *2.9.7* (the fixed version for 2.9.x), from version *2.10.1* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0* before *2.11.1* (the fixed version for 2.11.x) are affected by this vulnerability *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. * *Crowd* 2.9.7 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. For additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html]. |
| Description |
Original:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd from *2.8.3* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0* before *2.11.1* (the fixed version for 2.11.x) are affected by this vulnerability. *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. |
New:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd from *2.8.3* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0* before *2.11.1* (the fixed version for 2.11.x) are affected by this vulnerability. *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. For additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html]. |
| Description |
Original:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd from *2.8.3* before *2.10.3* (the fixed version for 2.10.x) and version *2.11.0* are affected by this vulnerability. *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. |
New:
*Description*
Crowd used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. *Affected versions:* * All versions of Crowd from *2.8.3* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0* before *2.11.1* (the fixed version for 2.11.x) are affected by this vulnerability. *Fix:* * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. |
| Labels | Original: CVE-2017-5638 no-cvss-required security | New: CVE-2017-5638 advisory advisory-released no-cvss-required security |
| Fix Version/s | New: 2.9.7 [ 67308 ] | |
| Fix Version/s | New: 2.10.3 [ 67309 ] |