The following Common Vulnerabilities and Exposures (CVE) have been reported for Apache Struts 2:
- CVE-2017-9805
- CVE-2017-12611
- CVE-2018-1327 - REST XStream FreeMarker
- CVE-2018-11776
How are Liferay DXP (both 7.0 and 7.1) and Liferay Portal affected by the Apache Struts 2 Vulnerability?
Resolution
Impact to Liferay
- Liferay platforms do not use Struts 2 or the REST plugin; therefore Liferay platforms—by themselves—are not vulnerable.
- XStream is used in Staging, but only after a very strict white-list of permitted types is applied. The platform's deserialization handling has been tested by a reputable third party.
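The point above is that XStream is only safe when it is told which types it may instantiate. The following is an added illustration, not Liferay's or Apache Struts' own code, of what such a strict allow-list looks like in XStream's security API: the `LayoutExport` class, the `layoutExport` alias and both XML documents are constructed for this example. Every type not explicitly permitted is refused before any object is created.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical data class standing in for whatever an application actually serializes.
    public static class LayoutExport {
        public String name;
        public int version;

        public LayoutExport() {
        }

        public LayoutExport(String name, int version) {
            this.name = name;
            this.version = version;
        }
    }

    // Builds an XStream instance that refuses every type except the ones listed here.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Start from "nothing is allowed", then add back only what the document needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);                 // the literal null
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, LayoutExport.class });
        xstream.alias("layoutExport", LayoutExport.class);
        return xstream;
    }

    // Returns true only if the document was accepted by the allow-list and parsed.
    public static boolean accepts(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return true;
        } catch (XStreamException e) {
            // ForbiddenClassException for the root element; for nested elements XStream
            // may wrap it in a ConversionException, so the common base type is caught.
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample: the document the application expects.
        String expected = "<layoutExport><name>home</name><version>3</version></layoutExport>";
        LayoutExport le = (LayoutExport) xstream.fromXML(expected);
        System.out.println("accepted: " + le.name + " v" + le.version);

        // Constructed sample: a well-formed, harmless document naming a type that is
        // not on the allow-list. The type name alone is enough for it to be refused.
        String unexpected = "<java.util.LinkedList><string>x</string></java.util.LinkedList>";
        System.out.println("unlisted type accepted? " + accepts(xstream, unexpected)); // false
    }
}
```

The same pattern applies to any custom portlet that unmarshals XML it did not produce itself: clear the default permissions first, then list the concrete classes (or narrowly scoped packages via `allowTypesByWildcard`) that the document is allowed to contain, and treat an `XStreamException` on input as a rejected request rather than a retryable error.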
Impact to Customers
- Customers who use Struts 2 and the REST plugin in custom portlets may be vulnerable.
Additional Information
More information about the recent Struts vulnerabilities can be found here:
- Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads. S2-052 (CVE-2017-9805)
- Possible Remote Code Execution attack when using an unintentional expression in a Freemarker tag instead of string literals. S2-053 (CVE-2017-12611)
- A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin. S2-056 (CVE-2018-1327)
- Possible Remote Code Execution when using results with no namespace while, at the same time, the enclosing action(s) have no namespace or a wildcard namespace. The same possibility exists when using a url tag that has neither value nor action set. S2-057 (CVE-2018-11776)
- Semmle Discovers Critical Remote Code Execution Vulnerability in Apache Struts (CVE-2018-11776)
These issues are related to Struts 2, the REST plugin, and XStream deserialization.