On August 22, the Apache Software Foundation announced a remote code execution vulnerability in Struts, called CVE-2018-11776. After investigating, we have determined that Crowd is not affected by this vulnerability. While Crowd does use Struts, it is not configured in a way that would leave it susceptible to this bug. However, as an extra precaution that is in line with industry best practices, we are updating Struts in Crowd to the latest version.

[CWD-5240] Upgrade Struts with CVE-2018-11776 fixed

Change history:

Monique Khairuliana (Inactive) made changes -
Workflow
Original: Simplified Crowd Development Workflow v2 - restricted [ 2768731 ]
New: JAC Bug Workflow v3 [ 3364787 ]

Owen made changes -
Symptom Severity
Original: Major [ 14431 ]
New: Severity 2 - Major [ 15831 ]

Michael Andreacchio made changes -
Remote Link
Original: This issue links to "Page (Confluence)" [ 385041 ]

Rob made changes -
Remote Link
New: This issue links to "Page (Confluence)" [ 385041 ]

pmire (Inactive) made changes -
Remote Link
New: This issue links to "PIR-2190 (Atlassian Service Operations JIRA )" [ 384908 ]

Mareusz (Inactive) made changes -
Security
Original: Reporter and Atlassian Staff [ 10751 ]

Mareusz (Inactive) made changes -
Summary
Original: Upgrade Struts with CVE-2018-11776 fix
New: Upgrade Struts with CVE-2018-11776 fixed

Mareusz (Inactive) made changes -
Summary
Original: Upgrade Struts
New: Upgrade Struts with CVE-2018-11776 fix

Mareusz (Inactive) made changes -
Description
Original: A new RCE was reported in Struts2

[https://semmle.com/news/apache-struts-CVE-2018-11776]

Based on our investigation, Crowd is vulnerable to CVE-2018-11776. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17

New: On August 22, the Apache Software Foundation [announced|https://cwiki.apache.org/confluence/display/WW/S2-057] a remote code execution vulnerability in Struts, called CVE-2018-11776. After investigating, we have determined that Crowd is not affected by this vulnerability. While Crowd do use Struts, it is not configured in a way that would leave it susceptible to this bug. However, as an extra precaution that is in-line with industry best practices, we are updating Struts in Crowd to the latest version.

Mareusz (Inactive) made changes -
Description
Original: A new RCE was reported in Struts2

[https://semmle.com/news/apache-struts-CVE-2018-11776]

Based on our investigation, Crowd is vulnerable to CVE-2018-11776. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17.

Sourceclear (our internal dependency vulnerability scanner) has identified Crowd to be vulnerable - https://atlassian.sourceclear.io/teams/Paaina7/issues/vulnerabilities/4696336/8944276

New: A new RCE was reported in Struts2

[https://semmle.com/news/apache-struts-CVE-2018-11776]

Based on our investigation, Crowd is vulnerable to CVE-2018-11776. Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17

Assignee: Unassigned
Reporter: hbalasundaram hari
Affected customers: 0
Watchers: 10