struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Deepak Subbanarasimha <d.subbanarasi...@kewill.com>
Subject Struts zero-day vulnerability
Date Mon, 05 May 2014 11:53:55 GMT
Hello,

We use struts version 1.2.2 and commons-file upload version 1.1.1.  It is not clear from this
notification if these versions are impacted.


1.       Can anyone confirm if these versions or affected?

2.       If they are affected, what can be done? Should we upgrade to Struts 2.x?

The notification below only talks about struts 2.x version.

-Deepak



PURPOSE

-------------

The purpose of this Alert is to bring attention to a recently announced security vulnerability
for Apache Struts.



ASSESSMENT

------------------

Apache Struts up to 2.3.16.1 is being reported as having a zero-day vulnerability. In particular,
Struts 2.3.16.1 has an issue with ClassLoader manipulation via request parameters which was
supposed to be resolved on 2 March 2014 through a security fix. Unfortunately, it was confirmed
that the correction wasn't sufficient.



According to the Apache Struts Team, a security fix release fully addressing all these issues
is in preparation and will be released as soon as possible. Once the release is available,
all Struts 2 users are strongly encouraged to update their installations.



SUGGESTED ACTION

----------------------------

The Apache Struts Team has published the following mitigation information:



In the struts.xml, replace all custom references to params-interceptor with the following
code, especially regarding the class-pattern found at the beginning of the excludeParams list:



<interceptor-ref name="params">

   <param

name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>

</interceptor-ref>



If you are using default interceptor stacks packaged in struts-default.xml, change your parent
packages to a customized secured configuration as in the following example. Given you are
using defaultStack so far, change your packages from



<package name="default" namespace="/" extends="struts-default">

    <default-interceptor-ref name="defaultStack" />

    ...

    ...

</package>

to



<package name="default" namespace="/" extends="struts-default">

    <interceptors>

        <interceptor-stack name="secureDefaultStack">

            <interceptor-ref name="defaultStack">

                <param

name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>

            </interceptor-ref>

        </interceptor-stack>

    </interceptors>



    <default-interceptor-ref name="secureDefaultStack" />

    ...

</package>



References:

=================

http://struts.apache.org/announce.html#a20140302

IMPORTANT NOTICE: This email is intended solely for the use of the individual to whom it is
addressed and may contain information that is privileged, confidential or otherwise exempt
from disclosure under applicable law. If the reader of this email is not the intended recipient
or the employee or agent responsible for delivering the message to the intended recipient,
you are hereby notified that any dissemination, distribution, or copying of this communication
is strictly prohibited. If you have received this communication in error, please immediately
return the original message to the sender at the listed email address. In accordance with
Kewill policy, emails sent and received may be monitored. Although Kewill takes reasonable
precautions to minimize the risk, Kewill accepts no responsibility for any loss or damage
should this email contain any virus, or similar destructive or mischievous code.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message