Remote code execution vulnerability in Apache Struts 2 component in OneSpan products
Advisory ID: onespan-sa-20180828-struts
Revision number: 1.1
Date of Release: August 28, 2018 05:00 PM UTC+1
Last update: August 31, 2018 09:30 AM UTC+1
Summary
Impacted Products
The following OneSpan products are affected by the CVE-2018-11776 vulnerability:
- Authentication Server 3.8 and later
- Appliance 3.8.9.0 and later
Affected Products
IDENTIKEY Appliance
IDENTIKEY Authentication Server
IDENTIKEY Virtual Appliance
Description
Severity Score
The table below denotes the CVSS 2.0 vulnerability score of the CVE-2018-11776 vulnerability in OneSpan's products.
CVSS Base Score: 6.8 (medium)

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
| --- | --- | --- | --- | --- | --- |
| Network | Medium | None | Partial | Partial | Partial |
Product Fixes
- Authentication Server 3.8.2, 3.9.1, 3.10.1 R2, 3.11.1 R2, 3.12.2 R3, 3.13.1 R2, 3.14.1 R2, 3.15, 3.16
- Appliance 3.8.9.0, 3.8.9.1, 3.9.10.1, 3.9.10.0, 3.10.11.0, 3.11.12.1, 3.11.12.0, 3.12.13.0, 3.12.13.1, 3.13.14.0, 3.14.15.0
Location
Customers with a maintenance contract can obtain fixed product releases from the Customer Portal. Customers without a maintenance contract should contact their local sales representative.
Reference
Legal Disclaimer