English
¢¸¢· µÚ·Î
Ãë¾àÁ¡ID 27109
À§Çèµµ 40
Æ÷Æ® 139.445
ÇÁ·ÎÅäÄÝ TCP
ºÐ·ù SMB
»ó¼¼¼³¸í Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13ÀÇ REST Ç÷¯±×Àο¡¼­ »ç¿ëÇÏ´Â XStream ÀνºÅϽºÀÇ XStreamHandler ¿¡¼­ ¾Æ¹«·± ŸÀÔ Á¦ÇÑÀ» ÇÏÁö ¾Ê¾Æ XML ÆäÀ̷ε带 ó¸®ÇÒ ¶§ ¿ø°Ý ÄÚµå ½ÇÇà Ãë¾àÁ¡ÀÌ Á¸ÀçÇÑ´Ù.

* ¾Ë¸²: ÀÌ Á¡°ËÇ׸ñÀº Á¡°ËÇϱâ À§ÇÑ È£½ºÆ®·Î ·Î±×ÀÎ ÇÒ ¼ö ÀÖ´Â °ü¸®ÀÚ ±ÇÇÑÀ» °¡Áø °èÁ¤À» ÇÊ¿ä·Î ÇÑ´Ù. ÀÌ·¯ÇÑ Á¶°ÇÀÌ ¾ÈµÇ¸é Á¡°ËÀ» ¼öÇàÇÒ ¼ö ¾øÀ¸¸ç ¸ðµç Ãë¾àÇÑ È£½ºÆ®µé¿¡ ´ëÇؼ­ °ÅÁþ À½¼º¹ÝÀÀ(False Negative)À» º¸ÀÏ ¼ö ÀÖ´Ù.

* Âü°í »çÀÌÆ®:
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

* ¿µÇâÀ» ¹Þ´Â Ç÷§Æû:
Apache Struts 2.5.13 ÀÌÀü ¹öÀüÀÇ 2.5.x
¸ðµç ¿î¿µÃ¼Á¦ ¸ðµç ¹öÀü
ÇØ°áÃ¥ ´ÙÀ½ Apache Struts ´Ù¿î·Îµå À¥ ÆäÀÌÁö¿¡¼­ ±¸ÇÒ ¼ö ÀÖ´Â Apache StrutsÀÇ °¡Àå ÃֽŠ¹öÀü(2.5.13 ÀÌÈÄ)À¸·Î ¾÷±×·¹À̵å ÇÏ¿©¾ß ÇÑ´Ù:
https://struts.apache.org/download.cgi
°ü·Ã URL CVE-2017-9805 (CVE)
°ü·Ã URL (SecurityFocus)
°ü·Ã URL (ISS)