Security Notification – Apache Struts2 S2-053 vulnerability found in some of Dahua DSS software

Date: 2017-09-11

Notification ID: DHCC-201709-01

First Published: September 11, 2017

Summary:
Apache Struts 2 is one of the most widely used MVC frameworks for creating Java web applications. It is maintained and distributed by the Apache Software Foundation. A recently disclosed vulnerability in Apache Struts 2 affects some of the Dahua DSS software platforms:
● S2-053 (CVE ID CVE-2017-12611, Security rating Moderate): A possible Remote Code Execution attack when using an unintentional expression in a Freemarker tag instead of string literals.
For more details on the Apache Struts 2 vulnerability, please check the official Struts 2 web site:
https://struts.apache.org/docs/security-bulletins.html

CVE ID: CVE-2017-12611

Affected Products:
Some of the DSS software that uses Apache Struts 2:
DH-DSS-B8000, DH-DSS-C8XXX, DH-DSS-P8500P8000P8010, DH-DSS-T81408100850088XX, DH-DSS-J8300, DH-DSS-U578XX

Fixed software release:
1) Fixed software can be obtained from Dahua technical support, or by downloading the relevant patch from the Apache Struts 2 web site.
2) Fixed software can also be obtained by contacting DHCC at cybersecurity@dahuatech.com

Support Resources
The Dahua technical team will contact customers to advise on and support the upgrade process. For any questions or concerns related to cybersecurity, please contact Dahua at cybersecurity@dahuatech.com