Apache Struts security update fixes critical vulnerabilities
The vulnerabilities can allow attackers to execute rogue code on the server or redirect users to arbitrary locations
IDG News Service - The Apache Software Foundation has released Struts 2.3.15.1, a security update for its popular Java Web application development framework that addresses two vulnerabilities, including a critical one that could allow remote attackers to execute arbitrary code on the server.
Struts version 2.3.15.1 has become the "General Availability" release, the designation for the project's highest-quality version available to users.
The new release addresses two vulnerabilities that stem from issues in the implementation of the DefaultActionMapper class and its "action:", "redirect:" and "redirectAction:" prefixes in particular.
"In Struts 2 before 2.3.15.1 the information following 'action:', 'redirect:' or 'redirectAction:' is not properly sanitized," the Apache Struts developers said in an advisory. "Since said information will be evaluated as OGNL [Object Graph Navigation Language] expression against the value stack, this introduces the possibility to inject server side code."
Attackers can also manipulate the information following "redirect:" or "redirectAction:" in order to redirect users to an arbitrary location.
In order to fix these two vulnerabilities, the Apache Struts developers have added code that sanitizes the "action:"-prefixed information and have removed support for the "redirect:" and "redirectAction:" prefixes.
Applications that use the retired prefixes will no longer work properly after upgrading to Struts 2.3.15.1 or later versions. The Struts developers recommend replacing them in the code with fixed navigation rules.
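As an added example (not code from the article or from the Struts project), the following scanner turns the advisory's description into a check over web-server access logs: it flags query-parameter names carrying the "action:", "redirect:" or "redirectAction:" prefixes, and separates OGNL expression syntax, external redirect targets, and plain use of the retired prefixes that will stop working after the upgrade. The log lines, hosts and paths are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined-log style; hosts, paths and
# requests are fabricated for this example).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2013:10:01:02 +0000] "GET /app/login.action?user=alice HTTP/1.1" 200 512
203.0.113.7 - - [17/Jul/2013:10:01:09 +0000] "GET /app/login.action?redirect:http://evil.example/ HTTP/1.1" 302 0
203.0.113.9 - - [17/Jul/2013:10:01:15 +0000] "GET /app/index.action?action:%25%7B1%2B1%7D HTTP/1.1" 200 88
203.0.113.9 - - [17/Jul/2013:10:02:30 +0000] "POST /app/upload.action?redirectAction:home HTTP/1.1" 302 0
"""

REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# The three DefaultActionMapper prefixes named in the advisory.
PREFIXES = ("action:", "redirect:", "redirectAction:")
# OGNL expression delimiters; the text after a prefix should never contain them.
OGNL_MARKER = re.compile(r"[%$]\{")
EXTERNAL_URL = re.compile(r"^(https?:)?//")


def classify_param(name: str) -> Optional[str]:
    """Return a finding for one (already URL-decoded) parameter name, or None."""
    for prefix in PREFIXES:
        if name.startswith(prefix):
            rest = name[len(prefix):]
            if OGNL_MARKER.search(rest):
                return f"{prefix} prefix carrying OGNL expression syntax"
            if prefix != "action:" and EXTERNAL_URL.match(rest):
                return f"{prefix} prefix pointing to an external URL (open redirect)"
            return f"{prefix} prefix present (unsupported from 2.3.15.1 on)"
    return None


def scan_log(text: str) -> list:
    """Scan access-log text; return (line_no, param_name, finding) triples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = REQ_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # keep_blank_values: the prefixed parameters usually carry no '=value'.
        for name, _value in parse_qsl(query, keep_blank_values=True):
            finding = classify_param(name)
            if finding:
                findings.append((line_no, name, finding))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports three findings (lines 2, 3 and 4 of the sample) and nothing for the ordinary `user=alice` request.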
The new Struts version also fixes a server path information leakage issue and adds improved input sanitizing for the file upload example.
"After a fileupload action, if the result jsp contains a tag the value attribute is filled in with the server path where the file was saved," the developers said. "This discloses file system information about the server."