[CWD-5240] Upgrade Struts with CVE-2018-11776 fixed

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 3.1.5, 3.2.5
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

On August 22, the Apache Software Foundation announced a remote code execution vulnerability in Struts, called CVE-2018-11776. After investigating, we have determined that Crowd is not affected by this vulnerability. While Crowd do use Struts, it is not configured in a way that would leave it susceptible to this bug. However, as an extra precaution that is in-line with industry best practices, we are updating Struts in Crowd to the latest version.

blocks: CHAT-2411 You do not have permission to view this issue

duplicates: KRAK-1612 You do not have permission to view this issue

PIR - Priority Action: PIR-2190 You do not have permission to view this issue

relates to: HOT-84616 You do not have permission to view this issue; ST-5053 Failed to load

Form Name

Monique Khairuliana (Inactive) made changes - 15/Aug/2019 7:05 AM

Workflow

Original: Simplified Crowd Development Workflow v2 - restricted [ 2768731 ]

New: JAC Bug Workflow v3 [ 3364787 ]

Owen made changes - 24/Oct/2018 5:06 AM

Symptom Severity

Original: Major [ 14431 ]

New: Severity 2 - Major [ 15831 ]

Michael Andreacchio made changes - 05/Sep/2018 4:37 AM

Remote Link

Original: This issue links to "Page (Confluence)" [ 385041 ]

Rob made changes - 04/Sep/2018 3:37 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 385041 ]

pmire (Inactive) made changes - 30/Aug/2018 11:50 PM

Remote Link

New: This issue links to "PIR-2190 (Atlassian Service Operations JIRA )" [ 384908 ]

Mareusz (Inactive) made changes - 30/Aug/2018 11:50 AM

Security

Original: Reporter and Atlassian Staff [ 10751 ]

Mareusz (Inactive) made changes - 30/Aug/2018 11:50 AM

Summary

Original: Upgrade Struts with CVE-2018-11776 fix

New: Upgrade Struts with CVE-2018-11776 fixed

Mareusz (Inactive) made changes - 30/Aug/2018 11:49 AM

Summary

Original: Upgrade Struts

New: Upgrade Struts with CVE-2018-11776 fix

Mareusz (Inactive) made changes - 30/Aug/2018 11:48 AM

Description

New: On August 22, the Apache Software Foundation [announced|https://cwiki.apache.org/confluence/display/WW/S2-057] a remote code execution vulnerability in Struts, called CVE-2018-11776. After investigating, we have determined that Crowd is not affected by this vulnerability. While Crowd do use Struts, it is not configured in a way that would leave it susceptible to this bug. However, as an extra precaution that is in-line with industry best practices, we are updating Struts in Crowd to the latest version.

Mareusz (Inactive) made changes - 30/Aug/2018 11:47 AM

Description

Original: A new RCE was reported in Struts2

[https://semmle.com/news/apache-struts-CVE-2018-11776]

Based on our investigation , Crowd is vulnerable to CVE-2018-11776. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17.

Sourceclear (our internal dependency vulnerability scanner) has identified Crowd to be vulnerable - https://atlassian.sourceclear.io/teams/Paaina7/issues/vulnerabilities/4696336/8944276

New: A new RCE was reported in Struts2

[https://semmle.com/news/apache-struts-CVE-2018-11776]

Based on our investigation , Crowd is vulnerable to CVE-2018-11776. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17

Assignee:: Unassigned

Reporter:: hari

Affected customers:: 0 This affects my team

Watchers:: 10 Start watching this issue

Created:: 22/Aug/2018 9:07 PM

Updated:: 24/Oct/2018 5:06 AM

Resolved:: 30/Aug/2018 11:00 AM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates