New QID for Latest RCE in Apache Struts

Document created by Dave Ferguson Employee on Aug 30, 2018
Version 1Show Document
  • View in full screen mode

Hello all -


The Qualys WAS scanning engine has been updated with a new detection for CVE-2018-11776.  This is a serious remote code execution (RCE) vulnerability found in Apache Struts.  Specifically, Struts 2.3 - 2.3.34 and Struts 2.5 - 2.5.16 are affected for certain configurations where "namespace" is not set.  Although the default configuration of Struts is not vulnerable to this particular issue, many deployments are still likely to be vulnerable.


Make sure QID 150250 is enabled during your WAS scans to test for this issue.  QID 150250 is a severity "4" confirmed vulnerability.  Note that WAS uses a proof-of-concept exploit to actively test for this vulnerability against the target web application as opposed to a simple version-based detection.


More details about this vulnerability and how to fix it is available from Apache Struts security bulletin S2-057.


Qualys Vulnerability Management (VM) may also be used to detect the presence of this vulnerability.  Please see  for more information.