Apache Struts security update fixes critical vulnerabilities
The vulnerabilities can allow attackers to execute rogue code on the server or redirect users to arbitrary locations
IDG News Service - The Apache Software Foundation has released Struts 2.3.15.1, a security update for its popular Java Web application development framework that addresses two vulnerabilities, including a critical one that could allow remote attackers to execute arbitrary code on the server.
Struts version 2.3.15.1 has become the "General Availability" release, the designation for the project's highest quality version available to users.
The new release addresses two vulnerabilities that stem from issues in the implementation of the DefaultActionMapper class and its "action:", "redirect:" and "redirectAction:" prefixes in particular.
"In Struts 2 before 2.3.15.1 the information following 'action:', 'redirect:' or 'redirectAction:' is not properly sanitized," the Apache Struts developers said in an advisory. "Since said information will be evaluated as OGNL [Object Graph Navigation Language] expression against the value stack, this introduces the possibility to inject server side code."
Attackers can also manipulate the information following "redirect:" or "redirectAction:" in order to redirect users to an arbitrary location.
In order to fix these two vulnerabilities, the Apache Struts developers have added code that sanitizes the "action:"-prefixed information and have removed support for the "redirect:" and "redirectAction:" prefixes.
Applications that use the retired prefixes will no longer work properly after upgrading to Struts 2.3.15.1 or later versions. The Struts developers recommend replacing them in the code with fixed navigation rules.
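A defender-side check for the prefixes described above, as an added example that is not part of this article or of the Struts project: the script scans access-log lines for any request whose parameter name starts with "action:", "redirect:" or "redirectAction:" (such requests need to be migrated to fixed navigation rules before the upgrade) and separately flags those whose prefix payload carries an OGNL expression marker. The log lines, the Combined-Log-Format-style layout and the choice of `${` and `%{` as markers are assumptions of the example.

```python
"""Scan access-log lines for use of the Struts 2 DefaultActionMapper prefixes.

Added example, not Apache Struts code.  The log lines below are constructed
samples in a Combined-Log-Format-like layout (assumption of this example).
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Prefixes handled by DefaultActionMapper, as named in the advisory.
PREFIXES = ("action:", "redirect:", "redirectAction:")
# Markers that open an OGNL expression (assumption: these two spellings).
OGNL_MARKERS = ("${", "%{")

# Constructed sample lines: one plain request, one legitimate use of the
# retired "redirect:" prefix, two with an expression marker in the prefix
# payload, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jul/2013:10:01:02 +0000] "GET /app/index.action HTTP/1.1" 200 512
10.0.0.6 - - [16/Jul/2013:10:01:07 +0000] "GET /app/login.action?redirect:/app/home.action HTTP/1.1" 302 0
10.0.0.7 - - [16/Jul/2013:10:01:09 +0000] "GET /app/login.action?redirect:%25%7B'probe'%7D HTTP/1.1" 302 0
10.0.0.8 - - [16/Jul/2013:10:01:11 +0000] "POST /app/save.action?action:%24%7B'probe'%7D HTTP/1.1" 200 128
10.0.0.9 - - [16/Jul/2013:10:01:15 +0000] "GET /app/list.action?page=2 HTTP/1.1" 200 2048
"""

# Pulls the client IP and the request target out of a Combined-Log-Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)"'
)


def classify_request(target):
    """Classify one request target.

    Returns ("ok", None), ("legacy-prefix", name) when a parameter name starts
    with one of the prefixes, or ("ognl-in-prefix", name) when the text after
    the prefix also contains an OGNL expression marker.  Struts reads the
    prefix from the parameter *name*, so that is what is inspected; parse_qsl
    percent-decodes the name for us.
    """
    worst, worst_param = "ok", None
    query = urlsplit(target).query
    # keep_blank_values so "?redirect:/x" (no "=") still yields a name.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        prefix = next((p for p in PREFIXES if name.startswith(p)), None)
        if prefix is None:
            continue
        payload = name[len(prefix):]
        if any(marker in payload for marker in OGNL_MARKERS):
            return "ognl-in-prefix", name
        worst, worst_param = "legacy-prefix", name
    return worst, worst_param


def scan_log(text):
    """Return (client_ip, severity, parameter_name) for every flagged line."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line in the expected layout
        severity, param = classify_request(match.group("target"))
        if severity != "ok":
            findings.append((match.group("ip"), severity, param))
    return findings


if __name__ == "__main__":
    for ip, severity, param in scan_log(SAMPLE_LOG):
        print(f"{severity:16} {ip:12} {param}")
```

"legacy-prefix" hits are the requests that will stop working after the upgrade and point at links or forms that still need fixed navigation rules; "ognl-in-prefix" hits are the ones worth raising with incident response, since a legitimate redirect target has no reason to contain an expression marker.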
The new Struts version also fixes a server path information leakage issue and adds improved input sanitizing for the file upload example.
"After a fileupload action, if the result jsp contains a tag the value attribute is filled in with the server path where the file was saved," the developers said. "This discloses file system information about the server."