TTCSIRT-069.120517: TT-CSIRT Advisory – Apache Security Updates

The Apache Software Foundation has released security updates to address multiple vulnerabilities in Apache Struts version 2:

a) A denial of service vulnerability exists due to an outdated JSON-lib library utilized by a REST plugin – (CVE-2017-15707).

b) A remote code execution vulnerability exists because the REST Plugin utilizes Jackson JSON library for data binding – (CVE-2017-7525).

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Further information on these vulnerabilities and how they can be fixed can be found at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-apache-struts-could-allow-for-remote-code-execution_2017-121/
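The following is an added example, not part of this advisory or of any Apache or TT-CSIRT tooling: a small Python check that inventories a Struts 2 deployment's WEB-INF/lib for the REST plugin and the two data-binding libraries the advisory names (Jackson, JSON-lib) and flags jars older than a minimum version the operator supplies. The jar file names, the sample directory and the minimum version passed in the usage are all constructed for illustration; the advisory itself does not state fixed version numbers, so none are hard-coded.

```python
"""Inventory check for a Struts 2 deployment's WEB-INF/lib (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Typical Maven-style jar name: <artifact>-<version>[-<classifier>].jar
JAR_NAME = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)(?:[.-][A-Za-z0-9]+)?\.jar$"
)
# Libraries named in the advisory: the REST plugin and its two JSON libraries.
WATCHED = ("struts2-rest-plugin", "jackson-databind", "json-lib")


def parse_version(text):
    """'2.8.10' -> (2, 8, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def inventory(lib_dir):
    """Return {artifact: version} for watched jars found directly in lib_dir."""
    found = {}
    for name in os.listdir(lib_dir):
        m = JAR_NAME.match(name)
        if m and m.group("artifact") in WATCHED:
            found[m.group("artifact")] = m.group("version")
    return found


def assess(lib_dir, minimums):
    """List (artifact, found_version, minimum) for watched jars below the minimum.

    `minimums` maps artifact -> lowest acceptable version string, taken from
    the vendor's fix information (assumed input; not hard-coded here).
    """
    outdated = []
    for artifact, version in inventory(lib_dir).items():
        minimum = minimums.get(artifact)
        if minimum and parse_version(version) < parse_version(minimum):
            outdated.append((artifact, version, minimum))
    return outdated


def make_sample_lib():
    """Create a temp dir holding CONSTRUCTED, empty jar files for a demo run."""
    lib = Path(tempfile.mkdtemp())
    for name in ("struts2-rest-plugin-2.5.13.jar", "jackson-databind-2.8.10.jar",
                 "json-lib-2.4-jdk15.jar", "commons-lang3-3.6.jar"):
        (lib / name).touch()
    return str(lib)


if __name__ == "__main__":
    sample = make_sample_lib()
    print(inventory(sample))
    # "2.8.11" below is a placeholder minimum, not a value from the advisory.
    print(assess(sample, {"jackson-databind": "2.8.11"}))
```

Point the script at the real WEB-INF/lib of each deployed application; a present struts2-rest-plugin jar is what makes the two library versions relevant.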