- Bug
- Resolution: Fixed
- Low
- None
- None
- Severity 2 - Major
On August 22, the Apache Software Foundation announced a remote code execution vulnerability in Struts, called CVE-2018-11776. After investigating, we have determined that Crowd is not affected by this vulnerability. While Crowd does use Struts, it is not configured in a way that would leave it susceptible to this bug. However, as an extra precaution that is in line with industry best practices, we are updating Struts in Crowd to the latest version.
[CWD-5240] Upgrade Struts with CVE-2018-11776 fixed
Workflow | Original: Simplified Crowd Development Workflow v2 - restricted [ 2768731 ] | New: JAC Bug Workflow v3 [ 3364787 ] |
Symptom Severity | Original: Major [ 14431 ] | New: Severity 2 - Major [ 15831 ] |
Remote Link | Original: This issue links to "Page (Confluence)" [ 385041 ] |
Remote Link | New: This issue links to "Page (Confluence)" [ 385041 ] |
Remote Link | New: This issue links to "PIR-2190 (Atlassian Service Operations JIRA )" [ 384908 ] |
Security | Original: Reporter and Atlassian Staff [ 10751 ] |
Summary | Original: Upgrade Struts with CVE-2018-11776 fix | New: Upgrade Struts with CVE-2018-11776 fixed |
Summary | Original: Upgrade Struts | New: Upgrade Struts with CVE-2018-11776 fix |
Description |
Original:
A new RCE was reported in Struts2
[https://semmle.com/news/apache-struts-CVE-2018-11776] Based on our investigation, Crowd is vulnerable to CVE-2018-11776. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17 |
New: On August 22, the Apache Software Foundation [announced|https://cwiki.apache.org/confluence/display/WW/S2-057] a remote code execution vulnerability in Struts, called CVE-2018-11776. After investigating, we have determined that Crowd is not affected by this vulnerability. While Crowd does use Struts, it is not configured in a way that would leave it susceptible to this bug. However, as an extra precaution that is in line with industry best practices, we are updating Struts in Crowd to the latest version. |
Description |
Original:
A new RCE was reported in Struts2
[https://semmle.com/news/apache-struts-CVE-2018-11776] Based on our investigation, Crowd is vulnerable to CVE-2018-11776. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. Sourceclear (our internal dependency vulnerability scanner) has identified Crowd to be vulnerable - https://atlassian.sourceclear.io/teams/Paaina7/issues/vulnerabilities/4696336/8944276 |
New:
A new RCE was reported in Struts2
[https://semmle.com/news/apache-struts-CVE-2018-11776] Based on our investigation, Crowd is vulnerable to CVE-2018-11776. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17 |