
OSG-SEC-2018-09-06 Apache Struts Vulnerability

Dear OSG Security Contacts,

This announcement is for sites that still use VOMS-admin from OSG 3.3. Support for OSG 3.3 ended in May 2018 [1].

A new vulnerability, described in CVE-2018-11776 [2], has been reported in Apache Struts 2 that potentially allows an attacker to execute arbitrary code on an impacted server. The OSG security team considers patching this vulnerability to be IMPORTANT.

Please note that this is our best-effort announcement notification. The OSG no longer supports VOMS Admin server, therefore our security team strongly recommends retiring any active servers. Please consult the migration documentation for details [3].

IMPACTED VERSIONS/ENVIRONMENTS:

Impacted version of VOMS Admin server: All the versions of VOMS Admin server distributed by the OSG are affected.

Impacted versions of Struts:

  • Struts 2.3 - Struts 2.3.34
  • Struts 2.5 - Struts 2.5.16

ACTION RECOMMENDATIONS:

The OSG no longer supports VOMS Admin server, therefore our security team strongly recommends retiring any active servers.

HOW IT WORKS:

This vulnerability allows remote code execution when namespace values are not set for a result defined in the underlying configuration and, at the same time, its upper action configuration(s) have a wildcard or no namespace. Remote code execution is also possible when using url tags that have no value and action set and, at the same time, their upper action configuration(s) have a wildcard or no namespace. A proof of concept (PoC) of the exploit is publicly available on GitHub [4].
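The configuration pattern described above, shown as an added struts.xml illustration that is not part of the OSG announcement or of VOMS Admin itself (package, action and class names are made up): the first fragment leaves the namespace unset on both the package and the redirectAction result while struts.mapper.alwaysSelectFullNamespace (a setting documented in the Apache S2-057 advisory at [4]) is enabled, so the namespace is taken from the request URL; the second sets the namespace explicitly on the package and on the result and disables that setting, which is the workaround Apache describes alongside upgrading. Auditing a deployment for the first pattern is a useful complement to the retirement recommendation above.

```xml
<!-- Added example, not OSG or VOMS Admin code. Names are hypothetical. -->

<!-- WEAK: no namespace on the package, none on the redirectAction result,
     and alwaysSelectFullNamespace=true, so the namespace used to build the
     redirect is read from the incoming request URL. -->
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="vo-admin" extends="struts-default">
    <action name="listMembers" class="example.ListMembersAction">
      <result type="redirectAction">
        <param name="actionName">showMembers</param>
      </result>
    </action>
  </package>
</struts>

<!-- HARDENED: namespace fixed on the package and repeated on the result,
     and the namespace is no longer derived from the request. -->
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="vo-admin" namespace="/admin" extends="struts-default">
    <action name="listMembers" class="example.ListMembersAction">
      <result type="redirectAction">
        <param name="actionName">showMembers</param>
        <!-- explicit, so nothing attacker-controlled reaches the result -->
        <param name="namespace">/admin</param>
      </result>
    </action>
  </package>
</struts>
```

The same rule applies to url tags in JSPs: give each one an explicit value or action rather than letting it inherit from an action configuration that has a wildcard or no namespace.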

MORE INFORMATION:

  • [1] https://opensciencegrid.org/technology/policy/release-series/#life-cycle-dates
  • [2] https://nvd.nist.gov/vuln/detail/CVE-2018-11776
  • [3] https://opensciencegrid.org/technology/policy/voms-admin-retire/
  • [4] https://cwiki.apache.org/confluence/display/WW/S2-057

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team