JPCERT-AT-2020-0046
JPCERT/CC
2020-12-09(Initial)
2020-12-21(Update)
I. Overview
On December 8, 2020 (Local Time), the Apache Software Foundation released information (S2-061) on a vulnerability (CVE-2020-17530) in Apache Struts 2. This vulnerability is due to improper verification of input values. A remote attacker leveraging this vulnerability may execute arbitrary code on the server that runs Apache Struts 2.

Apache Struts 2 Documentation
Security Bulletins S2-061
https://cwiki.apache.org/confluence/display/WW/S2-061
The Apache Software Foundation has rated this vulnerability as "Important". It is recommended to upgrade the version as soon as possible by referring to the information provided in "III. Solution" if a version of Apache Struts 2 which is affected by the vulnerability is used.

Update: December 21, 2020
JPCERT/CC has confirmed reports that attack activity exploiting this vulnerability has been observed. It is recommended to upgrade the version as soon as possible if a version of Apache Struts 2 which is affected by this vulnerability is used.
II. Affected Products
The following versions of Apache Struts 2 are affected by the vulnerability:

Apache Struts 2
- Versions 2.0.0 to 2.5.25
III. Solution
The Apache Software Foundation has released versions of Apache Struts 2 that address this vulnerability. Please update to the fixed versions by referring to the information provided by the Apache Software Foundation.

Apache Struts 2
- Versions 2.5.26
For more information, please refer to the updated information provided by the Apache Software Foundation.
Apache Struts 2 Documentation
Version Notes 2.5.26
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26
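The affected range in "II. Affected Products" (2.0.0 to 2.5.25) and the fixed version in "III. Solution" (2.5.26) can be turned into a simple inventory check. The following Python script is an added example written for this page; it is not JPCERT/CC's or the Apache Software Foundation's code. It assumes that the Struts core library is deployed under its standard artifact name (struts2-core-<version>.jar); the jar paths listed in it are constructed sample data, not observations.

```python
import re
from typing import List, Optional, Tuple

# Version bounds stated in the advisory (S2-061 / CVE-2020-17530).
AFFECTED_MIN = (2, 0, 0)    # first affected version
AFFECTED_MAX = (2, 5, 25)   # last affected version
FIXED = (2, 5, 26)          # version that addresses the vulnerability

# Assumption: the core library keeps its standard artifact name,
# e.g. "struts2-core-2.5.25.jar". Renamed or shaded jars are not matched.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar")

# Constructed sample inventory (not real observations) for the demo run below.
SAMPLE_JARS = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.5.25.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.5.26.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.3.37.jar",
    "/opt/app3/WEB-INF/lib/commons-lang3-3.11.jar",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as "2.5.25" into a tuple of ints.

    Tuples of any length compare correctly, so a four-part version like
    "2.1.8.1" still sorts between 2.1.8 and 2.1.9.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected range (inclusive)."""
    v = parse_version(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def is_fixed(version: str) -> bool:
    """True if the version is at or above the release that addresses the issue."""
    return parse_version(version) >= FIXED


def version_from_jar_path(path: str) -> Optional[str]:
    """Extract the Struts version from a struts2-core jar path, or None."""
    base = path.rsplit("/", 1)[-1]
    m = JAR_RE.fullmatch(base)
    return m.group(1) if m else None


def scan_jar_paths(paths: List[str]) -> List[Tuple[str, str, str]]:
    """Classify each struts2-core jar found in the inventory.

    Returns (path, version, status) with status one of "affected",
    "fixed" or "outside range"; non-Struts jars are skipped.
    """
    results = []
    for path in paths:
        version = version_from_jar_path(path)
        if version is None:
            continue
        if is_affected(version):
            status = "affected"
        elif is_fixed(version):
            status = "fixed"
        else:
            status = "outside range"
        results.append((path, version, status))
    return results


if __name__ == "__main__":
    for path, version, status in scan_jar_paths(SAMPLE_JARS):
        print(f"{status:14s} {version:8s} {path}")
```

The check only reads the declared version from the file name, so a jar that has been renamed, repackaged or patched in place will be missed; treat a hit as a prompt to verify the deployed version against the 2.5.26 release notes, not as a complete audit.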
IV. References
The Apache Software Foundation
08 December 2020 - Potential RCE when using forced evaluation - CVE-2020-17530
https://struts.apache.org/announce#a20201208
If you have any information regarding this alert, please contact JPCERT/CC.
Revision History
2020-12-09 First edition
2020-12-21 Updated "I. Overview"
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/