Oracle Security Alert Advisory - CVE-2018-11776


This Security Alert addresses CVE-2018-11776, a vulnerability in Apache Struts 2. CVE-2018-11776 has received a CVSS v3 base score of 9.8. When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system.

Products incorporating Struts 2 are not necessarily vulnerable. For a list of Oracle products, their statuses, and available patches, please refer to Security Alert CVE-2018-11776 Products and Versions. Oracle recommends that customers frequently review Security Alert CVE-2018-11776 Products and Versions and plan to apply the updates as soon as they are released by Oracle. The Security Alert CVE-2018-11776 Products and Versions page will be updated as new information becomes available.

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.


Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle: None credited in this Security Alert.

Modification History

Date Note
2018-August-31 Rev 1. Initial Release.

Third Party Component Risk Matrix

This Security Alert contains 1 new security fix for Third Party Component.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Component Package and/or Privilege Required Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid­entiality Inte­grity Avail­ability
CVE-2018-11776 Apache Struts 2 Core HTTP Yes 9.8 Network Low None None Un-
High High High 2.3.34 and before
2.5.16 and before