Posted to commits@struts.apache.org by lu...@apache.org on 2020/12/08 07:02:00 UTC
[struts-site] branch master updated: Adds S2-061 Security Bulletin announcement
This is an automated email from the ASF dual-hosted git repository.
lukaszlenart pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/master by this push:
new 83d81ee Adds S2-061 Security Bulletin announcement
83d81ee is described below
commit 83d81ee925f03dd31c469c2b24f7a5b656f274d5
Author: Lukasz Lenart <lu...@apache.org>
AuthorDate: Tue Dec 8 08:01:53 2020 +0100
Adds S2-061 Security Bulletin announcement
---
source/announce.md | 24 ++++++++++++++++++++++++
source/index.html | 6 +++---
2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/source/announce.md b/source/announce.md
index 696d417..7cde9d3 100644
--- a/source/announce.md
+++ b/source/announce.md
@@ -13,6 +13,30 @@ title: Announcements 2020
Skip to: <a href="announce-2019.html">Announcements - 2019</a>
</p>
+#### 08 December 2020 - Potential RCE when using forced evaluation - CVE-2020-17530 {#a20201208}
+
+The Apache Struts Security team would like to announce that forced OGNL evaluation, when evaluated on raw user input
+in tag attributes, may lead to remote code execution.
+
+**Problem**
+
+Some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation
+by using the `%{...}` syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution
+and security degradation.
+
+**Solution**
+
+Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26 which checks if expression
+evaluation won't lead to the double evaluation.
+
+Please read our Security Bulletin [S2-061](https://cwiki.apache.org/confluence/display/WW/S2-061) for more details.
+
+This vulnerability was identified by:
+- Alvaro Munoz - pwntester at github dot com
+- Masato Anzai of Aeye Security Lab, inc.
+
+**All developers are strongly advised to perform this action.**
+
#### 06 December 2020 - Struts 2.5.26 General Availability {#a20201206}
The Apache Struts group is pleased to announce that Struts 2.5.26 is available as a "General Availability"
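Review bot: The new announcement does not say which Struts releases are affected; the "Solution" paragraph only names the fixed version (2.5.26), so a reader cannot tell from this page whether their deployment is in scope without following the bulletin link. Consider adding the affected version range from the S2-061 bulletin next to the fix version. Two smaller wording points in the same hunk: "Some of the tag's attributes could perform a double evaluation" reads as a single tag and would be clearer as "Some tag attributes may be evaluated twice", and "upgrade to Struts 2.5.26 which checks if expression evaluation won't lead to the double evaluation" would be clearer as "upgrade to Struts 2.5.26, which detects and prevents the double evaluation".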
diff --git a/source/index.html b/source/index.html
index 7c5fc7d..d8d5b8d 100644
--- a/source/index.html
+++ b/source/index.html
@@ -31,11 +31,11 @@ title: Welcome to the Apache Struts project
<a href="{{ site.wiki_url }}/Version+Notes+{{ site.current_version }}">Version notes</a>
</div>
<div class="column col-md-4">
- <h2>Security Advice S2-058 released</h2>
+ <h2>Security Advice S2-061 released</h2>
<p>
- A number of historic Struts Security Bulletins and related CVE database entries contained incorrect affected release version ranges.
+ Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Read more in
- <a href="announce#a20200813">Announcement</a>
+ <a href="announce#a20201208">Announcement</a>
</p>
</div>
<div class="column col-md-4">
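Review bot: The heading keeps the older "Security Advice S2-061" wording while the announcement added in source/announce.md calls the same document a "Security Bulletin"; aligning the front-page heading with "Security Bulletin S2-061 released" avoids two names for one advisory. The updated anchor `announce#a20201208` does match the `{#a20201208}` id given to the new heading in announce.md, so the link target is consistent within this push.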