OSG-SEC-2018-09-06 Apache Struts Vulnerability
Dear OSG Security Contacts,
This announcement is for sites that still use VOMS-admin from OSG 3.3. Support for OSG 3.3 ended in May 2018 .
A new vulnerability, described in CVE-2018-11776  has been reported in Apache Struts 2 that potentially allows an attacker to execute arbitrary code on an impacted server. OSG security team considers patching this vulnerability to be IMPORTANT.
Please note that this is our best-effort announcement notification. The OSG no longer supports VOMS Admin server, therefore our security team strongly recommends retiring any active servers. Please consult the migration documentation for details .
Impacted version of VOMS Admin server: All the versions of VOMS Admin server distributed by the OSG are affected.
Impacted version of Struts: - Struts 2.3 - Struts 2.3.34 - Struts 2.5 - Struts 2.5.16
The OSG no longer supports VOMS Admin server, therefore our security team strongly recommends retiring any active servers.
HOW IT WORKS:
This vulnerability allows for remote code execution when namespace values aren't set for a result defined in underlying configurations and, at the same time, its upper action configuration(s) have a wildcard or no namespace. A possibility for remote code execution also exists when using url tags which don’t have values and actions set and, at the same time, its upper action configuration(s) have a wildcard or no namespace. Proof of concept (PoC) of the exploit is publicly available on GitHub .
-  https://opensciencegrid.org/technology/policy/release-series/#life-cycle-dates
-  https://nvd.nist.gov/vuln/detail/CVE-2018-11776
-  https://opensciencegrid.org/technology/policy/voms-admin-retire/
-  https://cwiki.apache.org/confluence/display/WW/S2-057
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team